internal controls myths and best practices


Upload: pamela-mantone

Post on 27-Nov-2014


DESCRIPTION

This presentation provides an overview of COSO changes related to the development of an internal control system using principles-based guidance.

TRANSCRIPT


COSO Final Changes

May 2013

Consideration of changes in business and operating environments

Expanded operations and reporting objectives

Fundamental concepts of the five components now known as principles

Added additional approaches and examples concerning operations, compliance and non-financial reporting

Internal Controls – Myths and “Best Practices”


Updated matrix

[Figure: matrix with dimensions Objectives, Components and Organizational structure]


Best Practices?


Internal Control Myths

Internal control means different things to different people

Not a “cure-all” in the prevention and detection of possible fraudulent activities


Internal Control Myths

• Judgment

• Breakdowns

• Management override

• Collusion

• Materiality

• Point-in-time evaluation

• Cost/Benefit considerations


Focus Points – Control Environment

Is there “Tone at the Top”?

Are there standards of conduct concerning integrity and ethical values?

Is there an evaluation of individual and/or team performance against the standards of conduct?


Focus Points – Control Environment

Are deviations from the expected standards of conduct identified and remediated both consistently and timely?

Does the board of directors or an appropriate level of oversight operate independently from management?

Are there established lines of authority and reporting?


Focus Points – Control Environment

Have performance measures, incentives and rewards been established?

Is there an evaluation process to evaluate competence and address shortcomings?

Do the board of directors and management evaluate and adjust for excessive pressures?


Examples – Control Environment

Organization has a policy on the importance of integrity and ethics throughout the company.

The BOD and senior management have formulated a set of policies on integrity and ethics.

These policies are regularly flashed on the firm’s internal portal, newsletters and incorporated into contracts with outsourced service providers.


Examples – Control Environment

There is a formal training program to make employees aware of the importance of complying with the standards of conduct.

Management has a formal process to evaluate individuals against the policies and standards of conduct.

Management proactively identifies and addresses deviations from the company’s integrity and ethics policies.


Examples – Control Environment

The BOD has a charter that is comprehensive and outlines the board’s oversight responsibilities.

The board consists of members with significant experience, with some members coming from outside organizations.

The board delegates certain responsibilities to its committees, with each committee having a well-defined charter.


Focus Points – Risk Assessment

Has management designed and evaluated lines of reporting? (Complex lines of authority are best.)

Does the board of directors retain oversight responsibility for management’s development and performance of internal controls?

Do the operations objectives reflect management’s choices about structure, industry considerations, and performance?


Focus Points – Risk Assessment

Is there a process in place to determine how to respond to risks and are the responses appropriate?

Does management ensure compliance with applicable accounting standards, regulations, laws, etc.?

What are the acceptable levels of variation relative to operational objectives and financial performance?


Focus Points – Risk Assessment

Does the risk identification process include changes in the external environment, the business model and/or changes in leadership?

Does management’s fraud risk assessment also assess incentives, pressures, opportunities, attitudes and rationalizations?

Does management’s risk assessment consider various types of fraud?


Examples – Risk Assessment

Operational personnel possess the necessary skills to identify risks associated with new technology.

Risks are identified and reviewed at the appropriate level.

Objectives within the company are clearly defined.


Examples – Risk Assessment

Policies, procedures and controls support the fraud identification and remediation processes.

Risks are identified by senior management and reviewed by the head of quality assurance.

Risk assessments are reviewed by the BOD at least annually.


Focus Points – Control Activities

Do control activities address and mitigate risks?

Do relevant business processes have and maintain current control activities?

Do control activities include a range and variety of controls, including both manual and automated controls, as well as preventive and detective controls?


Focus Points – Control Activities

Do control activities address segregation of duties?

Do the control activities include technology general controls, including technology infrastructure?

Do control activities include controls that are designed and implemented to restrict technology access?


Focus Points – Control Activities

Do control activities address responsibility and accountability and take corrective action timely?

Are policies and procedures developed timely?

Are control policies and procedures re-assessed to determine their continued use or relevance?


Examples – Control Activities

The company has developed control activities that link to the risks identified in the risk assessment process.

The company has controls over technology, including access controls, changes and infrastructure.

The company maintains policies and procedures that clearly outline expectations.


Examples – Control Activities

Staff is formally trained on policies and procedures.

Consistency of remedial action taken in response to departures from approved policies and procedures.

Oversight of the BOD in determining compensation of executive officers.


Focus Points – Information and Communication

Is a process in place to identify all information required to support internal control functions?

Does the information system process capture internal and external data and transform relevant data into information?

Does management consider the costs and benefits with the nature, quantity and precision of information that supports the company’s operational objectives?


Best Practices – Information and Communication

Is internal control information communicated with personnel?

Are there separate communication lines used to enable anonymous or confidential communication?

Are the selections of communications relevant?


Best Practices – Information and Communication

Is there a process in place to communicate timely information to external parties?

Are there open channels of communication to allow input from external sources?

Do the methods of communication consider the timing, audience and the nature of the communication?


Examples – Information and Communication

Information policies are well developed, relevant, and quality information is generated to support all aspects of internal control.

Objectives and internal control responsibilities are clearly communicated, at least quarterly.

External communications are in place, such as robust customer feedback and supplier partner programs.


Examples – Information and Communication

Committee appointed for development or revision of information systems based upon strategic plans and overall strategy of the company.

Establishment of channels of communications for people to report suspected improprieties and/or suggestions for improvements.

Commitment of appropriate resources for the development of necessary information.


Focus Points – Monitoring Activities

Is there a mix of ongoing and separate evaluations?

Is there a baseline understanding for ongoing and separate evaluations?

Do the evaluators have sufficient knowledge and training?


Focus Points – Monitoring Activities

Do the ongoing evaluations adjust to changing conditions?

Does management adjust the scope and frequency of separate evaluations depending on risk?

Do the evaluations provide objective feedback?


Focus Points – Monitoring Activities

How do management and the board of directors assess results of ongoing and separate evaluations?

How are deficiencies communicated to parties?

How does management track whether deficiencies are remediated timely?


Examples – Monitoring Activities

Quality assurance conducts internal operational reviews with input and oversight of internal audit.

Personnel performing reviews receive formal training on new technology and processes.

Experienced senior management reviews internal operational reports.


Examples – Monitoring Activities

Deficiencies are evaluated as to severity and responsibility and communicated to senior management.

Development of a tracking system for deficiencies to confirm that they are remediated timely.

Deficiencies are also reported to the board of directors or the appropriate level of oversight.
