1 / 50

Frameworks For Evaluating Internal Controls

Frameworks For Evaluating Internal Controls. COCO. WESTINGHOUSE. MALCOLM BALDRIGE. Deming. Cadbury . COSO. Twelve Attributes. ISO 9000. Peter Senge’s Deep Learning Framework. COSO COCO Cadbury Report Deming Award TQM 12 Attributes. Deep Learning Framework Baldrige Award

Albert_Lan
Download Presentation

Frameworks For Evaluating Internal Controls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Frameworks For Evaluating Internal Controls

  2. COCO WESTINGHOUSE MALCOLM BALDRIGE Deming Cadbury COSO Twelve Attributes ISO 9000 Peter Senge’s Deep Learning Framework

  3. COSO COCO Cadbury Report Deming Award TQM 12 Attributes Deep Learning Framework Baldrige Award ISO 9000 Westinghouse Award Northrop Award Many Models To Chose Among

  4. Who Developed Models? • COSO: The major accounting and audit professional organizations issued COSO in 1992. • 12 Criteria: The Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987. • COCO: In November 1995, The Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.

  5. Who Developed Models? (Continued) • ISO 9000 developed by the International Organization for Standardization (ISO) • Deep Learning Framework: In 1990, Peter Senge published the now classic The Fifth Discipline and then in 1995 published The Fifth Discipline Fieldbook.

  6. Different Frameworks: Same Goals • Frameworks provide a way of understanding our organizations. • By having different groupings, each highlights some aspects of control more than others. • The criteria in the frameworks provide a basis for understanding control in an organization and for making judgment about the effectiveness of control.

  7. Different Frameworks: Same Goals • Frameworks provide a systematic step by step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business. • Frameworks provide a standard review process. • Frameworks provide a tool that helps management and audtiors evaluate the adequacy of controls in multiple dimensions of the business. It helps give a picture of how well all of the controls in all of the dimensions are working.

  8. Using These Frameworks • Paints a picture that focuses on what is important to users, that keeps things in perspective, and that is sensitive to ‘shades of gray’. • Flexibility is allowed and creativity is required. • Nothing magical about them--but they can allow you to have seemingly magical insights.

  9. One More Tool in the Tool box • CSA • Questionnaires • Unobtrusive Measures • Structure Interviews • Document Reviews • Regression Analysis • Integrated Control Frameworks • And many more!

  10. COSO

  11. Coso ERM Framework OH 3-19

  12. COSO Control Environment Risk Assessment Control Activities Information and Communication Monitoring Cadbury Control Environment Identification of Risks, Control Priorities and Objectives Control Activities Monitoring and Corrective Action COSO - Cadbury

  13. Control Environment • Provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It serves as the foundation for the other components (COSO) • Management must send a clear message to all personnel that control responsibilities are to be taken seriously, that each personal has a particular role in the control system and that each role relates to the role of others. (Cadbury)

  14. Risk Assessment • Management must assess risks to the achievement of specified objectives. (COSO) • Is the process by which executive management identifies the risks arising from the organization’s business and, since resources are always limited, establishes the priorities for control and particular control objectives. (Cadbury)

  15. Control Activities • Are implemented to help ensure that management directives to address the risks are carried out. (COSO) • Are the detailed polices and procedures designed to achieve the company’s control objectives and to provide management with reasonable assurance that their priorities for internal control are being addressed. They operate throughout the organization, potentially covering all levels. (Cadbury)

  16. Information and Communication • Relevant information is captured and communicated throughout the organization.

  17. Monitoring • The entire process is monitored and modified as conditions warrant. (COSO) • Monitoring and corrective action should produce sufficient evidence that the financial control system for which they are responsible is effective in practice. Monitoring is performed at a higher level than the routine checks built into the day-to-day routine and involves a greater degree of independence from those who operate the procedures. (Cadbury)

  18. CRIME • Control Activity • Risks • Information • Monitoring • Environment

  19. COSO Matrix

  20. COCO

  21. COCO Criteria: Purpose • Objectives should be established and communicated. • The significant internal and external risks faced by an organization in the achievement of its objectives should be identified and assessed. • Policies designed to support the achievement of an organization’s objectives and the management of its risks should be established, communicated and practiced so that people understand what is expected of them and the scope of their freedom to act. • Plans to guide efforts in achieving the organization’s objectives should be established and communicated. • Objectives and related plans should include measurable performance targets and indicators.

  22. COCO Criteria: Commitment • Shared ethical values, including integrity, should be established, communicated and practiced throughout the organization. • Human resource policies and practices should be consistent with an organization’s ethical values and with the achievement of its objectives. • Authority, responsibility, and accountability should be clearly defined and consistent with an organization’s objectives so that decisions and actions are taken by the appropriate people. • An atmosphere of mutual trust should be fostered to support the flow of information between people and their effective performance toward achieving the organization’s objectives.

  23. COCO Criteria: Capability • People should have the necessary knowledge, skills and tools to support the achievement of the organization’s objectives. • Communication processes should support the organization’s values and the achievement of its objectives. • Sufficient and relevant information should be identified and communicated in a timely manner to enable people to perform their assigned responsibilities. • The decisions and actions of different parts of the organization should be coordinated. • Control activities should be designed as an integral part of the organization, taking into consideration its objectives, the risks to their achievement, the inter-relatedness of control elements.

  24. COCO Criteria: Monitoring and Learning • Environment should be monitored to obtain information that may signal a need to re-evaluate the organization’s objectives or controls • Performance should be monitored against the targets and indicators identified in the organization’s objectives and plans. • The assumptions behind an organization’s objectives should be periodically challenged. • Information needs and related information systems should be reassessed as objectives change or as reporting deficiencies are identified. • Follow-up procedures should be established and performed to ensure appropriate change or action occurs. • Management should periodically assess the effectiveness of control in its organization and communicate the results to those to whom it is accountable.

  25. COCO: Sample Assessment Questions Purpose • Do we understand our objectives? • Are our plans responsive and adequate to change? Commitment • Are critical decisions made by people with the necessary expertise, knowledge and authority? Capability • Is there adequate information to allow us to perform our tasks? Monitoring and Learning • Do we challenge the assumptions behind our objectives?

  26. COSO and COCO’s Definition of Internal Control Per COSO, Internal Control is: • a process, • effected by an entity’s board of directors, management, and other personnel, • designed to provide reasonable assurance regarding the achievement of objectives. Per COCO, Internal Control is • those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the objectives.

  27. Objectives of Internal Controls Per COSO, organization’s • effectiveness and efficiency of operations; • reliability of financial reporting; and • compliance with applicable laws and regulations. Per COCO • effectiveness and efficiency of operations • reliability of internal and externalreporting; and • compliance with applicable laws and regulations and internal policies.

  28. Key COSO and COCO Concepts • Internal Control is a process. • Internal Control is effected by people. • Internal Control can be expected to provide only reasonable assurance. • Internal Control is geared to the achievement of objectives.

  29. Policy and Procedures Organizational Structure Bureaucracy Restrictive formal processes Competence Trust Shared Values Leadership Expectations Commitment Hard Controls - Soft Controls

  30. What’s More Important? • Segregation of duties or ethical employees? • Well written and thorough policy and procedures manuals or competent employees? • Clear delineation of roles and responsibilities or a group of employees dedicated to accomplishing the organization’s mission?

  31. Soft Controls In the past, auditors have focused exclusively on the hard controls. As the Savings and Loan crises demonstrated, this has meant that auditors have often missed the really important issues that will dictate whether an organization succeeds and is operating at the most efficient and effective manner. COSO, COCO, Cadbury, the Baldrige Award and the other control models highlight the need to examine soft controls and provide the analytical tools to do so.

  32. Framework

  33. Major Emphasis Note: COCO defines control as those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives. COSO defines control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding internal controls

  34. Used By:

  35. Customer Focus

  36. Monitoring

  37. Review of Freeway Park Garage Using COSO Model (1) CONTROL ENVIRONMENT Management: Management is aware of the importance of accountability controls, communicates this importance to employees at all levels, and displays a supportive attitude toward management controls. Management did not adequately communicate the purpose and importance of implementing management control procedures to employees at all levels. For example, most of the control weaknesses which the State Auditor identified in a 1993 management letter to the City were not corrected.

  38. Review of Freeway Park Garage Using COSO Model (2) Employees: Employees understand the importance of implementing control procedures. Garage employees did not always implement existing management control procedures. Although the old Freeway Park Garage manual instructed employees to enter all cash transactions into the cash register as they occurred, we found that parking attendants were not always implementing this policy. For instance, the revenue report for the evening shift on May 2, 1994 reported $372.00 more in sales than what was entered into the cash register. We also found that parking attendants did not always give customers a cash register receipt. For example, an auditor posing as a daily parking customer requested a receipt and received one that was retrieved from a garbage can.

  39. Review of Freeway Park Garage Using COSO Model (3) Employees do not circumvent or ignore existing controls. The Garage is a “pay as you enter” operation. Cashiers give each daily parking customer a validated, dated and time-stamped parking ticket which also shows the amount paid; $4 for daily parking. To exit the Garage, daily parking customers must enter the validated ticket into a card reader system, which sends a signal to open the gate. Although required to retain records for a minimum of six years, according to the retention schedule of the State of Washington, used daily parking tickets were thrown away. In addition, we found no evidence to support that the Garage supervisor or an independent party reviewed the daily tickets before they tossed them away. On March 10, 1995, auditors instructed staff to retain the daily tickets. We later reviewed the used tickets to ensure that they were all validated and stamped with a $4 sales price. As a result of our review, we found one daily ticket dated March 8, 1995 with a stamped sales price of $80, instead of $4.

  40. Review of Freeway Park Garage Using COSO Model (4) Employees do not circumvent or ignore existing controls. Employees were not clear about their job responsibilities. For example, the Garage supervisor did not understand that reviewing attendant’s work included reconciling totals on cash register tapes to revenue reports, deposit slips, refund report sheets, and documents recording sales of monthly parking permits. Also, job descriptions were not periodically reviewed or updated. (1) Employees at the Garage do not receive written performance evaluations on a regular basis. Parking attendants could not remember when they last received a written performance evaluation. (2) Garage staff received no formal training on how to use the Garage’s computer system and, although requested, employees have not attended any City sponsored computer training courses. (3) Although the Department of Finance required Finance’s cash handling training course for certification as a cash handler with the City, as of June 1995, only one of the three permanent parking attendants had taken this course.

  41. Arguing with a COSO auditor is like wrestling with a pig in mud . . .

  42. Sooner or later you realize the pig enjoys it!

More Related