PART I - III: COSO INTERNAL CONTROL INTEGRATED FRAMEWORK
INTERNAL CONTROL OBJECTIVES
• EFFECTIVENESS AND EFFICIENCY OF OPERATIONS.
• RELIABILITY OF OPERATIONAL AND FINANCIAL REPORTING.
• COMPLIANCE WITH APPLICABLE LAWS AND REGULATIONS.
• SAFEGUARDING OF ASSETS AND INFORMATION.
Internal Control Components
• CONTROL ENVIRONMENT
• RISK ASSESSMENT
• CONTROL ACTIVITIES
• INFORMATION AND COMMUNICATION
• MONITORING
THE CONTROL ENVIRONMENT
The control environment sets the tone of an organization by influencing the control consciousness of people. It reflects the attitude and actions of the board and management regarding the significance of control within the organization. It is the foundation for all other components of internal control, providing discipline and structure for the achievement of the primary objectives of the system of internal control.
THE CONTROL ENVIRONMENT FACTORS
• Integrity and Ethical Values
• Commitment to Competence
• Board of Directors or Audit Committee
• The “tone at the top” Management Philosophy and Operating Style
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resource Policies and Practices
RISK ASSESSMENT
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
RISK ASSESSMENT
It implies:
1. Risk identification
   - related to the objectives of the organization
   - comprehensive
   - includes risks due to external and internal factors
2. Risk evaluation
   - estimating the significance of the risk
   - assessing the likelihood of the risk occurrence
3. Assessment of the risk appetite of the organization
4. Development of responses
   - Four types of responses to risk must be considered: transfer, tolerance, treatment or termination; of these, risk treatment is the most relevant because effective internal control is the major mechanism to treat risk;
   - the appropriate controls involved can be either detective or preventive.
RISK ASSESSMENT
As governmental, economic, industry, regulatory and operating conditions are in constant change, risk assessment should be an ongoing iterative process. It implies identifying and analyzing altered conditions and opportunities and risks (risk assessment cycle) and modifying internal control to address changing risk.
Factors indicative of increased reporting risk for an organization:
• Changes in the organization’s regulatory or operating environment
• Changes in personnel
• Implementation of a new or modified information system
• Rapid growth of the organization
• Changes in the technology affecting production processes or information systems
• Organizational restructurings
CONTROL ACTIVITIES
Control activities are policies and procedures that help ensure that management’s directives are carried out. These policies and procedures promote actions that address the risks that face the organization.
CONTROL ACTIVITIES
To be effective, control activities must be appropriate, function consistently according to plan throughout the period, and be cost effective, comprehensive, reasonable and directly relate to the control objectives. Control activities occur throughout the organization, at all levels and in all functions.
CONTROL ACTIVITIES
Examples of Types of Control Activities:
• Authorization and approval procedures;
• Segregation of duties (authorizing, processing, recording, reviewing);
• Control over access to resources and records;
• Verifications;
• Reconciliations;
• Reviews of operating performance;
• Reviews of operations, processes and activities;
• Supervision (assigning, reviewing and approving, guidance and training).
CONTROL ACTIVITIES
Information Technology Control Activities:
Information systems imply specific types of control activities.
1. General Controls
General controls are the structure, policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure their proper operation. They create the environment in which application systems and controls operate.
CONTROL ACTIVITIES
Major Categories of General Controls:
1. Entity-wide security program planning and management;
2. Access controls;
3. Controls on the development, maintenance and change of the application software;
4. System software controls;
5. Segregation of duties; and
6. Service continuity.
CONTROL ACTIVITIES
Information Technology Control Activities:
Information systems imply specific types of control activities.
2. Application Controls
Application controls are the structure, policies and procedures that apply to separate, individual application systems, and are directly related to individual computerized applications. These controls are generally designed to prevent, detect, and correct errors and irregularities as information flows through information systems.
CONTROL ACTIVITIES
Information Technology Control Activities:
General and application controls are interrelated and both are needed to help ensure complete and accurate information processing. Because information technology changes rapidly, the associated controls must evolve constantly to remain effective.
INFORMATION AND COMMUNICATION
Information is needed at all levels of an organization to assist management in meeting the organization’s objectives. Of major concern to the internal auditors is the information system, and the way in which responsibilities for internal control over operational and financial reporting are communicated throughout the organization.
INFORMATION AND COMMUNICATION
A precondition for reliable and relevant information is the prompt recording and proper classification of transactions and events. Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities (timely communication to the right people). Therefore, the internal control system as such and all transactions and significant events should be fully documented.
INFORMATION AND COMMUNICATION
Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the organization. They deal not only with internally generated data, but also with information about external events, activities and conditions needed for informed business decision-making and reporting. Management’s ability to make appropriate decisions is affected by the quality of information, which implies that the information should be appropriate, timely, current, accurate and accessible.
INFORMATION AND COMMUNICATION
Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. There also needs to be effective communication with external parties.
MONITORING
Monitoring, the last component of internal control, is a process that assesses the quality of internal control over time. It is important to monitor internal control to determine whether it is operating as intended and whether modifications are necessary. Monitoring can be achieved by performing ongoing activities or by separate evaluations or a combination of the two.
MONITORING
Ongoing monitoring of internal control is built into the normal recurring activities of an entity. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. Ongoing monitoring activities cover each of the internal control components and involve action against irregular, unethical, uneconomical, inefficient and ineffective control systems.
MONITORING
The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Specific separate evaluations cover the evaluation of the effectiveness of the internal control system and ensure that the internal control achieves the desired results based on predefined methods and procedures. Separate evaluations are monitoring activities that are performed on a nonroutine basis, such as periodic audits by internal auditors.
[Figure: INTERNAL CONTROL COMPONENTS PYRAMID]
[Figure: COSO – Internal Control Framework: Internal Control Components]
RELATIONSHIP OF OBJECTIVES AND COMPONENTS
THERE IS A DIRECT RELATIONSHIP BETWEEN OBJECTIVES, WHICH ARE WHAT THE ENTITY STRIVES TO ACHIEVE, AND COMPONENTS, WHICH REPRESENT WHAT IS NEEDED TO ACHIEVE THE OBJECTIVES.
INTERNAL CONTROL IS RELEVANT TO AN ENTIRE ENTERPRISE, OR TO ANY OF ITS UNITS OR ACTIVITIES.
RELATIONSHIP OF OBJECTIVES AND COMPONENTS
INFORMATION IS NEEDED FOR ALL THREE OBJECTIVES CATEGORIES - TO EFFECTIVELY MANAGE BUSINESS OPERATIONS, PREPARE FINANCIAL STATEMENTS RELIABLY AND DETERMINE COMPLIANCE.
ALL FIVE COMPONENTS ARE APPLICABLE AND IMPORTANT TO ACHIEVEMENT OF BUSINESS OBJECTIVES.
EFFECTIVENESS OF INTERNAL CONTROL
INTERNAL CONTROL CAN BE JUDGED EFFECTIVE IN EACH OF THE OBJECTIVES CATEGORIES, RESPECTIVELY, IF THE BOARD OF DIRECTORS AND MANAGEMENT HAVE REASONABLE ASSURANCE THAT:
• THEY UNDERSTAND THE EXTENT TO WHICH THE ENTITY’S OPERATIONS OBJECTIVES ARE BEING ACHIEVED.
• PUBLISHED OPERATIONAL REPORTS AND FINANCIAL STATEMENTS ARE BEING PREPARED RELIABLY.
• APPLICABLE LAWS AND REGULATIONS ARE BEING COMPLIED WITH.
• ASSETS AND INFORMATION ARE SAFEGUARDED.
EFFECTIVENESS OF INTERNAL CONTROL
DETERMINING WHETHER A PARTICULAR INTERNAL CONTROL SYSTEM IS “EFFECTIVE” IS A SUBJECTIVE JUDGEMENT RESULTING FROM AN ASSESSMENT OF WHETHER THE FIVE COMPONENTS ARE PRESENT AND FUNCTIONING EFFECTIVELY. THEIR EFFECTIVE FUNCTIONING PROVIDES THE REASONABLE ASSURANCE REGARDING THE ACHIEVEMENT OF ONE OR MORE OF THE STATED CATEGORIES OF OBJECTIVES. THUS, THESE COMPONENTS ARE ALSO THE CRITERIA FOR EFFECTIVE INTERNAL CONTROL.
LIMITATIONS OF INTERNAL CONTROL
INTERNAL CONTROL CAN DO MUCH TO PROTECT AGAINST BOTH ERRORS AND IRREGULARITIES AND ENSURE THE RELIABILITY OF ACCOUNTING DATA. STILL, IT IS IMPORTANT TO RECOGNIZE THE EXISTENCE OF INHERENT LIMITATIONS OF INTERNAL CONTROL. MISTAKES MAY BE MADE IN THE PERFORMANCE OF CONTROLS AS A RESULT OF MISUNDERSTANDING OF INSTRUCTIONS, MISTAKES OF JUDGMENT, CARELESSNESS, DISTRACTION, OR FATIGUE.
LIMITATIONS OF INTERNAL CONTROL
IN ADDITION, WITHOUT ACTIVE PARTICIPATION BY THE BOARD OF DIRECTORS AND AN EFFECTIVE INTERNAL AUDIT DEPARTMENT, TOP MANAGEMENT CAN EASILY OVERRIDE INTERNAL CONTROL. FINALLY, CONTROL ACTIVITIES DEPENDENT UPON SEPARATION OF DUTIES MAY BE CIRCUMVENTED BY COLLUSION AMONG EMPLOYEES.
LIMITATIONS OF INTERNAL CONTROL
THE EXTENT OF THE CONTROLS ADOPTED BY AN ENTITY ALSO IS LIMITED BY COST CONSIDERATIONS. IT IS NOT FEASIBLE FROM A COST STANDPOINT TO ESTABLISH CONTROLS THAT PROVIDE ABSOLUTE PROTECTION FROM FRAUD AND WASTE; REASONABLE ASSURANCE IN THIS REGARD IS THE BEST THAT GENERALLY CAN BE ACHIEVED.