COSO - An Internal Control Framework

1
COSO - An Internal Control Framework
CONTROLLING RISKS - REACHING GOALS
Prepared by Michael Paul, CGFM
2
COSO - An Internal Control Framework

• landmark report commissioned by the Committee on
  Sponsoring Organizations of the Treadway
  Commission (COSO).
• Basis of State Comptrollers guidance for chapter
  647.

3
Why Internal Control?

• Managers need to meet objectives of their unit
• Risks exist to meeting those objectives
• Controls minimize those risks
• Managers, not accountants, are ultimately
  responsible for this.

4
OBJECTIVES, RISKS, CONTROLS

• Compliance with laws, regulations, policy and
  procedures
• Accomplishment of mission
• Reliability of information
• Efficient and effective use of resources
• Safeguarding of assets

5
OBJECTIVES, RISKS, CONTROLS

• Compliance
• Reliability
• Accomplishment of mission
• Efficiency and effectiveness
• Safeguarding of assets

• COSO combines into
• Effectiveness and efficiency of operations

6
OBJECTIVES, RISKS, CONTROLS

• Define the risks
• Evaluate each risk
• likelihood
• cost of loss
• duration and its side effects
• Prioritize

7
OBJECTIVES, RISKS, CONTROLS

• We have risk
• We have identified it
• Measured it
• Prioritized it
• How to diminish it? ACTION

8
Control worksheet(example)
9
COSO 5 Control Elements
INTERNAL

• 1. C ontrol Activities
• 2. R isk Assessment
• 3. I nformation communication
• 4. M onitoring
• 5. Control E nvironment

• INTERNAL CONTROLS

CONTROLS
10
To create ICs

• PPR Objectives CARES- Compliance with rules,
  Accomplishment of mission, Reliability of
  information, Efficiency, Safeguarding assets
• Risk Define, Evaluate, Prioritize, Diminish
• Controls CRIMES- Control activities, Risk
  Assessment, Information Communication,
  Monitoring, Control Environment
• Across each function and units

11
The COSO NET
12
ENVIRONMENT

• Integrity Ethical values
• Commitment to Competence
• Board participation
• Management style

• Organizational structure
• Assignment of authority and responsibility
• Human resources practices

13
RISK

• Changes in operating environment
• New personnel
• New Information systems
• Rapid growth

• New technology,
• New services, activities
• Restructurings
• New accounting procedures or rules

14
RISK
RISK OF PROBLEM GOING UNDETECTED
15
Control Risk Events

• Management and auditors thoroughly brainstorm
  scenarios of what could go wrong in each process.
  (fraud, waste, abuse, errors, etc.)
• Do these before you create controls
• or try to assess if they are effective

16
ACTIVITIESHard controls

• Periodic counts and reconciliation of records to
  assets action on variances
• Physical controls over access to assets and
  records
• Reports of budget or prior period vs. actual
• EDP requires checks of accuracy, completeness and
  authorization of transaction
• Activities not the whole picture

• Transactions only as authorized by management
• All transactions are recorded for reporting
  accountability
• Segregation of
• Authorization
• Asset Custody
• Record keeping

17
MONITORING

• 3 ways
• Normal routine actions
• Internal auditors
• External audits and reviews

18
INFORMATION COMMUNICATION

• Enable us to capture exchange info to conduct,
  manage and control operations
• Accounting system GL and sub-ledgers
• Training supervision
• Procedure manuals
• Feedback Fraud Hot lines

19
Benefits of COSO

• Big Picture - organization wide, efficiency, etc.
• Soft Controls as well - trust, management style,
  understanding of procedures, etc.
• Better Quality
• Controls integrated with the rest of the business
• Balance of cost vs. benefit

20
CAVEATS...

• Dont go wild. COSO is one way to approach IC.
• Use it as new controls are added or as questions
  arise
• COSO is a mind-set. Keep these ideas in mind as
  controls are addressed
• COSO is used wholesale mostly in large corporate
  settings with internal audit departments, able to
  do a business-wide Control Self-Assessment.

21
So

• Dont worry, be happy?....
• Or
• an ounce of prevention is worth a pound of cure

22
COSO

• AICPA This landmark report was commissioned by
  the Committee on Sponsoring Organizations of the
  Treadway Commission (COSO). It establishes a
  common definition of internal control that
  services the needs of different parties for
  assessing and improving their control systems.
• COSO's groundbreaking report includes
• Executive Summary
• Framework
• Reporting to External Parties
• Evaluation Tools
• The Addendum to Reporting to External Parties is
  also included. It
• "encourages management that reports to external
  parties on controls over financial reporting to
  also cover controls over safeguarding of assets
  against unauthorized acquisition, use, or
  disposition."
• It defines such controls and provides a suggested
  form of report.
• Five Evaluation Tools are now available on disk,
  one for each of the internal control components
  identified in Integrated Framework for Internal
  Control. Columnar MS Word templates contain
  internal control risks, objectives, components
  and elements with spaces and columns for
  management or other evaluators to record their
  assessments, observations and conclusions.
• Everyone in your firm or company who works with
  internal controls should have his or her own
  copy.
• https//www.cpa2biz.com/CS2000/Products/CPA2BIZ/Pu
  blications/Sub1/InternalControl-IntegratedFra
  mework.htm