
Internal Controls and the New COSO



  1. Internal Controls and the New COSO

    2013 Fall State Controller’s Conference With County Auditors – State of California October 22, 2013
  2. What is the COSO?
     - Committee of Sponsoring Organizations of the Treadway Commission (COSO)
     - Five Sponsoring Organizations
  3. Goals of COSO
     - Provide thought leadership through:
       - Development of comprehensive frameworks
       - Guidance on enterprise risk management, internal control and fraud deterrence
     - Improve organizational performance and governance
     - Reduce the extent of fraud in organizations
  4. COSO Overview – Internal Control Publications: 1992, 2006, 2009, 2013
  5. Why update what works – The Framework has become the most widely adopted control framework worldwide.
     - Original Framework: COSO’s Internal Control–Integrated Framework (1992 Edition)
     - Enhancements: Refresh Objectives, Broadens Application, Clarifies Requirements, Updates Context
       - Articulate principles to facilitate effective internal control
       - Reflect changes in business & operating environments
       - Expand operations and reporting objectives
     - Updated Framework: COSO’s Internal Control–Integrated Framework (2013 Edition)
  6. Who Was Involved in the Project?
     - COSO Board of Directors
     - PwC – Author & Project Leader
     - Stakeholders:
       - Over 700 stakeholders in Framework responded to global survey during 2011
       - Over 200 stakeholders publicly commented on proposed updates to Framework during first quarter of 2012
       - Over 50 stakeholders publicly commented on proposed updates in last quarter of 2012
     - COSO Advisory Council: AICPA, AAA, FEI, IIA, IMA
     - Public Accounting Firms
     - Regulatory observers (SEC, GAO, FDIC, PCAOB)
     - Others (IFAC, ISACA, others)
  7. Two Parts in COSO Update – Part #1 – Internal Control–Integrated Framework (2013 Edition)
     - Consists of three volumes:
       - Executive Summary
       - Framework and Appendices
       - Illustrative Tools for Assessing Effectiveness of a System of Internal Control
     - Sets out:
       - Definition of internal control
       - Categories of objectives
       - Components and principles of internal control
       - Requirements for effectiveness
  8. Part #2 – Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
     - Illustrates approaches and examples of how principles are applied in preparing financial statements
     - Considers changes in business and operating environments during past two decades
     - Provides examples from a variety of entities – public, private, not-for-profit, and government
     - Aligns with the updated Framework
  9. Internal Control–Integrated Framework
  10. Update Expected to Increase Ease of Use and Broaden Application
  11. Update Considers Changes in Business and Operating Environments COSO Cube (2013 Edition)
  12. Update Articulates Principles of Effective Internal Control
     - Control Environment
       1. Demonstrates commitment to integrity and ethical values
       2. Exercises oversight responsibility
       3. Establishes structure, authority and responsibility
       4. Demonstrates commitment to competence
       5. Enforces accountability
     - Risk Assessment
       6. Specifies suitable objectives
       7. Identifies and analyzes risk
       8. Assesses fraud risk
       9. Identifies and analyzes significant change
     - Control Activities
       10. Selects and develops control activities
       11. Selects and develops general controls over technology
       12. Deploys through policies and procedures
     - Information & Communication
       13. Uses relevant information
       14. Communicates internally
       15. Communicates externally
     - Monitoring Activities
       16. Conducts ongoing and/or separate evaluations
       17. Evaluates and communicates deficiencies
  13. Update Articulates Principles of Effective Internal Control (cont.) – Control Environment
     1. The organization demonstrates a commitment to integrity and ethical values.
     2. Those charged with governance demonstrate independence from management and exercise oversight of the development and performance of internal control.
     3. Management establishes, with governing board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
     4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
     5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
  14. Update Articulates Principles of Effective Internal Control (cont.) – Risk Assessment
     6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
     7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
     8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
     9. The organization identifies and assesses changes that could significantly impact the system of internal control.
  15. Update Articulates Principles of Effective Internal Control (cont.) – Control Activities
     10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
     11. The organization selects and develops general control activities over technology to support the achievement of objectives.
     12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.
  16. Update Articulates Principles of Effective Internal Control (cont.) – Information & Communication
     13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
     14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
     15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
  17. Update Articulates Principles of Effective Internal Control (cont.) – Monitoring Activities
     16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
     17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and those charged with governance, as appropriate.
  18. How Update Clarifies Requirements for Effective Internal Control
     - Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:
       - Each component and each relevant principle is present and functioning
       - The five components are operating together in an integrated manner
     - Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology)
     - Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies
     - A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives
  19. Update Describes Important Characteristics of Principles, e.g., Control Environment, Principle 1: The organization demonstrates a commitment to integrity and ethical values.
     - Points of Focus:
       - Sets the Tone at the Top
       - Establishes Standards of Conduct
       - Evaluates Adherence to Standards of Conduct
       - Addresses Deviations in a Timely Manner
     - Points of focus may not be suitable or relevant, and others may be identified
     - Points of focus may facilitate designing, implementing, and conducting internal control
     - There is no requirement to separately assess whether points of focus are in place
  20. Update Describes How Various Controls Effect Principles, e.g.:
     - Component: Control Environment
     - Principle: 1. The organization demonstrates a commitment to integrity and ethical values.
     - Controls embedded in other components may effect this principle (component shown in parentheses):
       - Information Technology Group tests for data breaches of personally identifiable information continuously (Control Environment)
       - Management obtains and reviews data and information underlying potential deviations captured in reports generated immediately upon occurrence (Information & Communication)
       - Internal Audit separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results, and reports thereon (Monitoring Activities)
  21. Transition & Impact
  22. Transition & Impact
     - Users are encouraged to transition applications and related documentation to the updated Framework as soon as feasible
     - Updated Framework will supersede original Framework at the end of the transition period (i.e., December 15, 2014)
     - During the transition period, external reporting should disclose whether the original or updated version of the Framework was used
     - Impact of adopting the updated Framework will vary by organization:
       - Does your system of internal control need to address changes?
       - Does your system of internal control need to be updated to address all principles?
       - Does your organization apply and interpret the original framework in the same manner as COSO?
  23. Transition & Impact (cont.)
     - The principles-based approach provides flexibility in applying the Framework to multiple, overlapping objectives across the entity
       - Easier to see what is covered and what is missing
       - Focus on principles may reduce likelihood of considering something that’s irrelevant
     - Understanding the importance of specifying suitable objectives focuses on those risks and controls most important to achieving these objectives.
     - Focusing on areas of risk that exceed acceptance levels or need to be managed across the entity may reduce efforts spent mitigating risks in areas of lesser significance.
     - Coordinating efforts for identifying and assessing risks across multiple, overlapping objectives may reduce the number of discrete risks assessed and mitigated.
  24. Recommended Actions
     - Read COSO’s updated Framework and illustrative documents
     - Educate the audit committee / those charged with governance, upper management, employees and line management
     - Establish a process for identifying, assessing, and implementing necessary changes in controls and related documentation
     - Develop and implement a transition plan timely to meet key objectives – e.g., apply updated Framework by December 31, 2014 for external reporting
  25. Examples in Implementing the New COSO

    We will pick a number of these to go over and review
  26. Principle 1 Example – Commitment to Integrity and Ethical Values
     - County Board of Supervisors has created, maintains, and distributes a code of conduct and ethical standards
       - Distributed to all employees and external parties acting on behalf of the County, and posted on the County website
       - Code of conduct is available in all relevant languages for ease of access and understanding by Citizens
     - County requires all employees to complete periodic interactive web-based training sessions on various aspects of the code and ethical standards
     - The County provides a supplier code of conduct to its vendors as part of its contracting process, which provides a basis for evaluation alongside product / service delivery evaluation
     - How is this effective?
  27. Principle 2 Example – Government Agency Independent Audit Committee Roles
     - A governmental agency is subject to oversight by various bodies, representing knowledgeable and independent officials. Key roles in internal controls include the following:
     - The organization’s deputy head:
       - Responsible for assuming overall stewardship for the integrity of the agency’s financial management capabilities
       - Signing off on all key external financial management representations and disclosures
     - An audit committee – Chairman’s responsibilities:
       - Ensuring that the committee acts as an independent and objective advisor to the deputy head
       - Provides guidance on the adequacy of the agency’s system of internal control, financial reporting and disclosures
  28. Principle 2 Example – Government Agency Independent Audit Committee Roles
     - A governmental agency is subject to oversight by various bodies, representing knowledgeable and independent officials. Key roles in internal controls include the following:
     - The comptroller’s responsibilities:
       - Providing government-wide functional direction
       - Assurance for financial management
       - Stewardship over public resources, as assigned by the Treasury Board, in collaboration with other central agencies
       - Provides oversight of government-wide financial information systems and quarterly financial reporting
       - Monitors the qualifications and competence of the financial management community across government for all aspects of financial management
       - Reports periodically to the Treasury Board on the state of financial management across government agencies
  29. Principle 2 Example – Government Agency Independent Audit Committee Roles
     - Strengthening the Procedures for Meetings with Audit Committee and Management in Accordance with New COSO include:
       - Appropriate forum to ask probing questions of management without reprisal
       - Calendar establishes timing and frequency of meetings with management in advance, and given public notice where required
       - Board members are informed of proposed and adopted GASB, AICPA, GAO standards and their impact on the agency well in advance of implementation
       - Review takes place over management development and performance of internal control over external financial reporting
       - Experts may be engaged by Audit Committee as needed, with oversight to ensure that management appropriately resolves matters raised by the Committee
       - Procedures established in advance for special / urgent meetings
       - Time allotted regularly for discussions with external auditors, regulators, internal auditors, legal counsel without management present
       - OTHERS?
  30. Principle 3 Example – Management Establishes, with Oversight, Structures, Reporting Lines, and Appropriate Authorities and Responsibilities
     - A government maintains policies that detail contracting level and transaction approval authorities of its managers on a per occurrence basis.
     - Managers who exceed their individual transaction authority must obtain approval from the appropriate higher-level management, which in some cases includes the Audit Committee.
     - Authority and responsibility policies exist for a broad range of the government’s business functions, including:
       - Contracting / Purchasing
       - Labor negotiation
       - Capital expenditures including IT
       - Leases
     - Policies are updated when necessary to reflect changes in the business, and any revisions require the approval of the Auditor / Controller
     - Is this Effective and Why?
  31. Principle 4 Example – Government Demonstrates a Commitment to Attract, Develop, and Retain Competent Individuals
     - Audit committee reviews and approves the competency requirements of all individuals serving in key financial reporting and internal audit roles and for all members of the audit committee:
       - Based on applicable laws and regulations (federal, state, etc.)
       - Expertise needed for applying the entity’s existing policies and practices related to external financial reporting and compliance
     - HR / Auditor / Controller Management develops policies and procedures to implement:
       - Job descriptions updated for knowledge, skills, expertise, credentials
       - HR monitors hiring, training, mentoring, evaluations, retaining personnel
     - What else is needed?
  32. Principle 5 Example – Government Holds Individuals Accountable for their Internal Control Responsibilities
     - A department administers an annual goal setting and performance evaluation process to raise employees’ awareness of risks in day-to-day operations. These include:
       - Presenting transparent information to Citizens
       - Saying no to bribes and kickbacks
       - Delivering timely information and services
     - Department management tracks this with surveys and IT dashboard information on incidents
     - Goals are set at the beginning of the year and may be revisited as conditions change
     - Any issue with this?
  33. Principle 6 Example – Government Specifies Objectives with Sufficient Clarity to Enable the Identification and Assessment of Risks
     - The Government’s auditor / controller presents a newsletter with new GASB / AICPA standards to the Audit Committee at least annually
     - Auditor / controller is invited to participate in legislative process for new laws
     - The Auditor / controller’s job description holds them accountable for assessing risk and working to mitigate risk government wide
     - Any issue with this?
  34. Principle 7 Example – Government Identifies Risks to the Achievement of its Objectives Across the Entity and Analyzes Risks as a Basis for Determining How the Risks Should be Managed
     - In planning for engagements that will occur during the next year, the Auditor / Controller reviews the prior year financial statements, changes in the government during the current year and how they relate to the assertions of Existence (E), Completeness (C), Valuation / Allocation (V/A), Rights and Obligations (R/O) and Presentation and Disclosure (P/D)
     - In doing so, the Auditor / Controller presents the following:
  35. Principle 7 Example – Government Identifies Risks to the Achievement of its Objectives Across the Entity and Analyzes Risks as a Basis for Determining How the Risks Should be Managed
     - If all meet assertions – any issue with this?
  36. Principle 8 Example – Government Considers the Risk of Fraud in Assessing Risks to the Achievement of Objectives
     - The Audit Committee of a government wants to take the issue of fraud very seriously, but doesn’t know what to do about the increasing level of management override of controls. They want to:
       - Maintain an appropriate level of skepticism
       - Discuss management’s assessment of fraud
       - Use a code of conduct
       - Establish a whistleblower program
       - Develop a broad information & feedback network
     - What would you do?
  37. Principle 9 Example – Government Identifies and Assesses Changes that Could Significantly Impact the System of Internal Control
     - Last year, a county nearby the government suffered a major flood. It caused significant loss of property, data, records and tax base.
     - The government established an internal working team to assess the risks of such a disruption to its operations, and the risks to its own facilities.
     - All significant vendors and departments were contacted and asked to assess the impact a flood might have on their abilities.
     - A detailed list of issues was created, and then alternatives were identified. Where no alternatives could be found, management identified a prioritization list of which departments should receive services as they became available.
     - What are the issues with this?
  38. Principle 10 Example – Government Selects and Develops Control Activities that Contribute to the Mitigation of Risks to Acceptable Levels
     - A government auditor / controller meets with applicable line department fiscal and operations officers on a quarterly basis to select and develop appropriate control activities for each identified risk relating to financial statement assertions for expenditure recognition.
     - The meetings include a list of activities that are linked to risks of expenditures not being recognized properly.
     - Any issues with this?
  39. Principle 11 Example – Government Selects and Develops General Control Activities over Technology
     - A government auditor / controller recently evaluated the use of spreadsheets in its financial close process.
     - In doing so, it identified that the spreadsheets supporting the calculation of the fair values of investments, those supporting capital assets, and debt were of high risk, based on their susceptibility to error and significance to the financial statements.
     - The A/C also classified the spreadsheets as high in complexity because they included the use of macros and multiple supporting spreadsheets to which cells and values were interlinked.
     - The spreadsheets were used either as the basis for journal entries into the general ledger or as financial statement disclosures.
     - How would you solve this?
  40. Principle 12 Example – Government Deploys Control Activities through Policies that Establish What is Expected and Procedures that Put Policies into Action
     - A government auditor / controller is reviewing costs of constructing a building that is running over budget. She evaluates the process and control activities for assessing cost overruns.
     - She determines that the project manager, George, is critical to the process because he is skilled in understanding needs and project requirements and in analyzing the effects of the alternatives on the project costs and schedule, and, ultimately, the spending in the project.
     - However, he has many other duties including approving costs incurred for the long-term project, ensuring they are accurate, that indirect costs are appropriately allocated, and that change orders and potential cost overruns do not exceed the authorized funding. He doesn’t have time to investigate variances, reasonableness testing, or visit the site.
     - She also finds out that George has given notice.
     - How would you solve this?
  41. Principle 13 Example – Government Obtains or Generates and Uses Relevant, Quality Information to Support the Functioning of Internal Control
     - The Auditor / Controller receives a daily update at 8 AM on her desk compiled by staff.
     - The update consists of newspaper clips, other publications, event press releases, and other information from external parties (including social media) to gather information relevant to performing her responsibilities.
     - Do you have an issue with this?
  42. Principle 14 Example – Government Internally Communicates Information, Including Objectives and Responsibilities for Internal Control Necessary to Support the Functioning of Internal Control
     - The Auditor / Controller uses regular broadcast emails and personal visits to departments to communicate with finance, accounting, and other personnel who impact internal control over external financial reporting.
     - He uses these mechanisms to reinforce expectations for adherence to internal control over external financial reporting, laws, and regulations; the importance of the internal audit function; and actions taken in response to audit findings and internal control recommendations from the government’s external auditors.
     - Most department personnel find the broadcast emails an ineffective means of sharing information. The Auditor / Controller doesn’t know why.
     - Why do you think?
  43. Principle 15 Example – Government Communicates with External Parties Regarding Matters Affecting the Functioning of Internal Control
     - A government agency is responsible for managing and overseeing the distribution of approved funds to not-for-profit organizations that provide community outreach programs for underprivileged children.
     - In connection with its oversight responsibilities, the agency requests information from each community organization about its program’s controls over the allocation and use of funds received.
     - Management of each community organization summarizes their control activities over the allocation and use of funds and provides a statement that control activities were designed, implemented, and operating for the quarter.
     - Any changes to or deterioration in the controls, such as changes in ability to segregate duties due to loss of personnel, are communicated along with management’s actions to mitigate risks.
     - This summary is provided quarterly to the agency.
     - Is this effective?
  44. Principle 16 Example – Government Selects, Develops, and Performs Ongoing and / or Separate Evaluations to Ascertain Whether the Components of Internal Control are Present and Functioning
     - A government’s chief information officer (IT) reviews a system generated report twice a day that identifies employees who have access to sensitive financial data and information.
     - For these employees, the CIO evaluates the suitability of assigned restricted access and their adherence to the standard operating policies and procedures.
     - Based on the assessment, the CIO recommends modifications to existing restricted access, standard operating policies and procedures, and control activities relating to identifying and protecting sensitive financial data and information to the IT Governance Board.
     - The IT Governance Board meets annually.
     - Is this effective?
  45. Principle 17 Example – Government Evaluates and Communicates Internal Control Deficiencies in a Timely Manner to those Parties Responsible for Taking Corrective Action, Including Senior Management and the Board of Directors, as Appropriate
     - Department management receives a report from the Auditor / Controller of deficiencies on an annual basis. An internal auditor performed this function in the past but was laid off by the Board of Supervisors.
     - Last June 30th’s findings included complaints of overbilling, reconciliation effectiveness, and variances of 10% between contracts and payments routinely being approved by a clerk and paid.
     - An investigation by the prosecutor found that the clerk had been receiving a kickback for years from several vendors.
     - This report was received in April of the next year. The external auditors arrive in May for interim testing for the next June 30th year end.
     - How would you address the communication aspects of these issues?
  46. Eric S. Berman, MSA, CPA, CGMA
     Eide Bailly, LLP – Partner
     700 East Union Street, Pasadena, CA, 91101
     Phone 208.383.4770 | Cell 626.375.3600
     Email: eberman@eidebailly.com