coso internal control integrated framework

Enterprise Risk ServicesDecember 2011

COSOInternal Control–Integrated FrameworkExposure Draft

December 2011

What is COSO?

The COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a private sector initiative, jointly sponsored and funded by:

• American Accounting Association (AAA)

• American Institute of Certified Public

Accountants (AICPA)

• Financial Executives International (FEI)

• Institute of Management Accountants (IMA)

• The Institute of Internal Auditors (IIA)

2

Internal Control-Integrated Framework

• First published in 1992

• Gained wide acceptance following financial control failures of early 2000’s

• Most widely used framework in the US

• Also widely used around the world

3

Original COSO Cube

Methodology

• Background

‒ Project announced in November 2010

‒ To make the existing Framework and related evaluation tools more relevant in the increasingly complex business environment

‒ PricewaterhouseCoopers as the original author conducted this project.

‒ not intended to change how internal control is defined, assessed, or managed, but rather provide greater clarity and a more comprehensive and relevant conceptual guidance

• Project Structure‒ Advisory Council comprising

representatives from industries, academia, government agencies, and non-profit organizations updated Framework is being exposed to the public to capture additional input

• Approach‒ Assess and Envision‒ Build and Design‒ Preparation for Public Exposure‒ Finalization

• Applies a principles-based approach

• Clarifies the role of objective-setting in internal control

• Reflects the increased relevance of technology

• Enhances governance concepts

• Expands the reporting category of objectives

• Enhances consideration of anti-fraud expectations

• Considers different business models and organizational

structures

Summary of Changes to the 1992 Version

5

Internal Control is a _______ effected by an entity’s _______ ____________________________________ designed to provide _________ assurance regarding the achievements of ________ in the following categories:

• Effectiveness & efficiency of operations.• Reliability of financial reporting.• Compliance with applicable laws and regulations.

board of directors, management and other personnel, process reasonable

What is internal control?

6

objectives

Categories of Objectives

7

Operations

Reporting

Compliance

• Improving Quality• Reducing Costs• Reducing

Production Time • Improving

Innovation• Improving Customer

Satisfaction• Improving Employee

Satisfaction• etc

• External Financial Reporting Objectives

• External Non-Financial Reporting Objectives

• Internal Financial Reporting Objectives

• Internal Non-Financial Reporting Objectives

• Identifying Applicable Laws and Regulations

• Ensuring Compliance with Applicable Laws and Regulation

Components of Internal Control

8

Monitoring

Control Environment

Risk Assessment

Control Activities

Info

rmat

ion a

nd C

omm

unica

tion Inform

ation and Comm

unication

A Principal Based Approach

Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring Activities

Five Components

5 principles

4 principles

3 principles

3 principles

2 principles

17 principles

21 Attributes

19 Attributes

16 Attributes

14 Attributes

11 Attributes

81 Attributes

A Principal Based Approach

10

Operations

Objectives

Reporting Objectives

Compliance

Objectives

Apply to17 Principals

Principles and Attributes Relating to Components of Internal Control

Principles Relating to Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

12

Attributes Relating to Control Environment

1. Sets the Tone at the Top

2. Establishes Standards of Conduct

3. Evaluates Adherence to Standards of Conduct

4. Addresses Deviations in a Timely Manner

13

1. Demonstrates Commitment to Integrity and Ethical Values


1. Establishes Board of Directors Oversight Responsibilities

2. Retains or Delegates Oversight Responsibilities

3. Applies Relevant Expertise

4. Operates Independently

5. Provides Oversight

14

2. Exercises Oversight Responsibility


1. Considers All Structures of the Entity

2. Establishes Reporting Lines

3. Defines, Assigns, and Limits Authorities and Responsibilities

15

3. Establishes Structure, Authority, and Responsibility


1. Establishes Policies and Practices

2. Attracts, Develops, and Retains Individuals

3. Evaluates Competence and Addresses Shortcomings

4. Plans and Prepares for Succession

16

4. Demonstrates Commitment to Competence


1. Enforces Accountability through Structures, Authorities, and Responsibilities

2. Establishes Performance Measures, Incentives, and Rewards

3. Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance

4. Considers Excessive Pressures

5. Evaluates Performance and Rewards or Disciplines Individuals

17

5. Enforces Accountability

Principles Relating to Risk Assessment

1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

4. The organization identifies and assesses changes that could significantly impact the system of internal control.

18

Attributes Relating to Risk Assessment

1. Considers Tolerance for Risk / Required Level of Precision / Materiality

2. Complies with Externally Established Standards, and Frameworks / Complies with Applicable Accounting Standards / Reflects External Laws and Regulations

3. Reflects Management’s Choices

4. Reflects Entity Activities

5. Includes Operations and Financial Performance Goals

6. Forms Basis for Committing of Resources

19

6. Specifies Relevant Objectives


Attributes Relating to Operations Objectives

• Considers Tolerances for Risk

• Reflects Management’s Choices

• Includes Operations and Financial Performance Goals

• Forms Basis for Committing of Resources

20



Attributes Relating to Reporting Objectives

External Financial Reporting

• Considers Materiality

• Complies with Applicable Accounting Standards

• Reflects Entity Activities

21




External Non-financial Reporting Objectives

• Complies with Externally Established Standards and Frameworks


• Considers the Required Level of Precision

22




Internal Reporting Objectives (financial and/or non-financial)

• Considers the Required Level of Precision

• Reflects Management’s Choices


23



Attributes Relating to Compliance Objectives

• Considers Tolerances for Risk

• Reflects External Laws and Regulations

24



1. Involves Appropriate Levels of Management

2. Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels

3. Analyzes Internal and External Factors

4. Estimates Significance of Risks Identified

5. Determines How to Respond to Risks

25

7. Identifies and Analyzes Risks


1. Considers Various Ways That Fraud Can Occur

2. Considers Risk Factors

3. Assesses Incentive and Pressures

4. Assesses Opportunities

5. Assesses Attitudes and Rationalizations

26

8. Assesses Fraud Risk


1. Assesses Changes in the External Environment

2. Assesses Changes in the Business Model

3. Assesses Changes in Leadership

27

9. Identifies and Analyzes Significant Change

Principles Relating to Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11.The organization selects and develops general control activities over technology to support the achievement of objectives.

12.The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.

28

Attributes Relating to Control Activities

1. Integrates with Risk Assessment

2. Determines Relevant Business Processes

3. Considers Entity-Specific Factors

4. Evaluates a Mix of Control Activity Types

5. Considers at What Level Activities Are Applied

6. Addresses Segregation of Duties

29

10. Selects and Develops Control Activities


1. Determines Dependency between the Use of Technology in Business Processes and Technology General Controls

2. Establishes Relevant Technology Infrastructure Control Activities

3. Establishes Relevant Security Management Process Control Activities

4. Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

30

11. Selects and Develops General Controls over Technology


1. Establishes Policies and Procedures to Support Deployment of Management’s Directives

2. Establishes Responsibility and Accountability for Executing Policies and Procedures

3. Performs Using Competent Personnel

4. Performs in a Timely Manner

5. Takes Corrective Action

6. Reassesses Policies and Procedures

31

12. Deploys through Policies and Procedures

Principles Relating to Information and Communication13. The organization obtains or generates and uses relevant, quality

information to support the functioning of other components of internal control.

14.The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.

15.The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

32

Attributes Relating to Information and Communication

1. Identifies Information Requirements

2. Captures Internal and External Sources of Data

3. Processes Relevant Data into Information

4. Maintains Quality Throughout Processing

5. Considers Costs and Benefits

33

13. Uses Relevant Information


1. Communicates Internal Control Information with Personnel

2. Communicates with the Board of Directors

3. Provides Separate Communication Lines

4. Selects Relevant Method of Communication

34

14. Communicates Internally


1. Communicates to External Parties

2. Enables Inbound Communications

3. Provides Separate Communication Lines

4. Selects Relevant Method of Communication

5. Communicates with the Board of Directors

35

15. Communicates Externally

Principles Relating to Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17.The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

36

Attributes Relating to Monitoring Activities

1. Considers a Mix of Ongoing and Separate Evaluations

2. Establishes Baseline Understanding

3. Uses Knowledgeable Personnel

4. Integrates with Business Processes

5. Objectively Evaluates

6. Adjusts Scope and Frequency

7. Considers Rate of Change

37

16. Conducts Ongoing and/or Separate Evaluations

Attributes Relating to Monitoring Activities

1. Assesses Results

2. Communicates Deficiencies to Management

3. Reports Deficiencies to Senior Management and the Board of Directors

4. Monitors Corrective Actions

38

17. Evaluates and Communicates Deficiencies

Roles and Responsibilities

Roles - Three Lines of Defense

• Management and other personnel on the front line provide the first line of defense as they are responsible for maintaining effective internal control day to day; they are compensated based on performance in relation to all applicable objectives

• Business-enabling functions such as risk, control, legal, and compliance provide the second line of defense as they clarify internal control requirements and evaluate adherence to defined standards. While they are functionally aligned to the business, their compensation is not directly tied to performance of the area to which they render expert advice.

40

Roles - Three Lines of Defense

• Internal auditors provide the third line of defense as they assess and report on internal control and recommend corrective actions or enhancements for management consideration and implementation; their position and compensation are separate and distinct from the business areas they review.

41

Responsible Parties - The Board of Directors and its CommitteesThe Board:

• has a key role in defining expectations on integrity and ethical values and internal control responsibilities.

• have a working knowledge of the entity’s activities and environment, and they commit the time necessary to fulfill their governance responsibilities.

• utilize resources as needed to investigate any issues, and have an open and unrestricted communications channel with all entity personnel, the internal auditors, independent auditors, external reviewers, and legal counsel.

42

Responsible Parties - The Board of Directors and its CommitteesBoard-level committees include :

• Audit Committee

• Compensation Committee

• Nomination/Governance Committee

• Other Committees

43

Responsible Parties - Chief Executive Officer

Chief Executive Officer (CEO) :

• is ultimately responsible for the effectiveness of the entity’s internal control system

• sets the tone at the top that affects control environment factors and all other components of internal control.

44


The CEO fulfills this duty by:

• Providing leadership and direction to senior management. With the support of management, the CEO shapes the values, principles, and major operating policies that form the foundation of the entity’s internal control system.

• Meeting periodically with senior management from each of the operating units (e.g., research and development, production, marketing, sales) and major business enabling functions (e.g., finance, human resources, legal, compliance, risk management).

45



• Defining metrics, targets, or other measurable expectations with which to gauge the ongoing and long-term effectiveness of the system of internal control. The methods of designing, implementing, and assessing internal control are delegated to management at different levels.

46



• Directing all management and other personnel to proactively identify threats to the system of internal control. Given the ever-increasing pace of change and networked interactions of business partners, customers, and employees, the sources of threat to an ongoing effective internal control system are constantly changing. The CEO expects senior management in particular to beware of making assumptions based on the traditional sources of threats to an effective internal control system.

47

Responsible Parties - Chief Financial Officer

The Chief Financial Officer (CFO):

• supports the CEO in front-line responsibilities, including internal control over financial reporting.

• is integrally involved when the entity’s strategies are decided, objectives are established, risks are analyzed, and decisions are made on how changes will be managed.

• provides valuable input and direction and is positioned to focus on evaluating and following up on the actions decided by management.

• is an equal partner with the other functional heads.

48

Responsible Parties - Other Members of Senior ManagementSenior management comprises:

• Chief operating officer

• Chief administrative officer

• Chief risk officer

• Chief compliance officer

• Chief information officer

• Other senior leadership roles, depending on the nature of the business

49

Responsible Parties - Other Members of Senior ManagementSenior management:

• guides the development and implementation of internal control policies and procedures that address the objectives of their functional or operating unit and verify that they are consistent with the entity-wide objectives.

• assigns responsibility for establishing even more specific internal control procedures to those personnel responsible for the unit’s functions or departments

50

Responsible Parties - Business-Enabling Functions

• support the business through their specialized skills.

• provide guidance and assessment of internal control related to their areas of expertise.

• keep the organization informed of relevant requirements as they evolve over time.

• Their efforts are coordinated and integrated as appropriate.

51

Responsible Parties - Risk and Control Personnel

• provide specialized skills and guidance to front-line management and other personnel and evaluating internal control.

• identify known and emerging risks.

• help management develop processes to manage relevant risks.

• communicate and provide education on these processes across the organization.

• evaluate and report on the effectiveness of such processes.

• not responsible for executing controls but support

52

Responsible Parties - Internal Auditors

The Internal Auditor:

• provide assurance and advisory services over internal control

• evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s oversight, operations, and information systems regarding:‒ Reliability and integrity of financial and operational information.‒ Effectiveness and efficiency of operations and programs.‒ Safeguarding of assets.‒ Compliance with laws, regulations, policies, procedures, and

contracts.

53

Responsible Parties - External Parties

External Parties includes:

• Outsourced Service Providers

• Business Partners and Other Parties Interacting with the Entity

• Independent Auditors

• External Reviewers

• Legislators and Regulators

• Financial Analysts, Bond Rating Agencies, and the News Media

54

Assessing Effectiveness


When controls are effective; the organization:

• Understands the extent to which operations are managed effectively and efficiently.

• Prepares reliable reports.

• Complies with applicable laws and regulations

56


• Each of the five components must be present and operate together.

• Effectiveness of internal control is assessed relative to the five components of internal Control.

• Effectiveness of internal control can also be assessed relative to a specific part of the organizational structure.

57


Determining whether a principle is present and functioning implies that the organization:

• Understands the intent of the principle and how it is being applied.

• Applies the principle consistently across the entity.

• Works to help personnel understand and apply the principle across the entity.

• Views omission of or non-conformity with a principle as an exception (i.e., not applying the wording, intent, and spirit of the principle is the exception rather than the norm).

58

Limitations of Internal Control

• Quality and suitability of objectives

• Judgment

• Breakdowns

• Management Override

• Collusion

59

What is not of internal control?

• Many decisions reached by the board are not part of internal control

• Appropriateness of particular objectives selected

• Setting the overall level of acceptable risk and associated risk appetite

• setting risk tolerance levels in relation to specific objectives

• Choosing which risk response is preferred to address specific risks

60

Q & A Session

Thank You

coso internal control integrated framework

Economy & Finance