Changes to the Internal Control Integrated Framework
Cliff Flood

Discussion Items
• Historical Analysis
• Overview of the 2013 Integrated Framework
• Changes to the 2015 AICFR

Historical Analysis
• In the mid 70’s, the SEC investigates questionable or illegal payments by U.S. companies to foreign government officials, politicians, and political parties
  – Results in The Foreign Corrupt Practices Act of 1977

Historical Analysis
• In the spring of 1985, Congress conducts hearings regarding fraudulent financial reporting as a result of company failures in the early 80’s
  – The accounting and auditing professions were under the spotlight

Historical Analysis
• As a result, accounting and auditing professional associations came together in June 1985 to sponsor a National Commission on Fraudulent Financial Reporting
  – Treadway Commission
  – Committee of Sponsoring Organizations
    • American Accounting Association
    • American Institute of Certified Public Accountants
    • Institute of Management Accountants
    • The Institute of Internal Auditors
    • Financial Executives International

Historical Analysis
• In Oct 1987, COSO releases The Report of the National Commission on Fraudulent Financial Reporting
  – Recommendations
    • For the Public Company
    • For the Independent Public Accountant
    • For the Oversight, Regulatory and Legal Environment
    • For Education

Historical Analysis
Recommendations for the Public Company
– Establish a Good Control Environment and Tone at the Top
– Assess Risk and Establish Internal Controls
– Improve Accounting and Internal Audit Functions
– Establish Independent Audit Committees
– Report Management Responsibilities
COSO to Provide Guidance on Internal Control

Historical Analysis
Detail Recommendations for the Independent Public Accountant
– Recognize responsibility
– Improve detection capabilities
– Improve audit quality
– Communicate the auditor’s role
Is complimentary of the exposure drafts on the AICPA Expectation Gap auditing standards

Historical Analysis
Detail Recommendations for Oversight, Regulatory and Legal Environment
– Improve SEC Enforcement Remedies
– Increase Criminal Prosecution
– Improve Regulation of the Public Accounting Profession
– Enhance Enforcement by the State Boards of Accountancy

Historical Analysis
• Detail Recommendations for Education
  – Business and Accounting Curricula
  – Professional Certification Examinations and Continuing Education

Historical Analysis
• In Apr 1988, the AICPA issues its Expectation Gap Standards
  – SAS 53 The Auditor’s Responsibility to Detect and Report Errors and Irregularities
  – SAS 54 Illegal Acts by Clients
  – SAS 55 Consideration of Internal Control in a Financial Statement Audit
  – SAS 56 Analytical Procedures
  – SAS 57 Auditing Accounting Estimates

Historical Analysis
  – SAS 58 Reports on Audited Financial Statements
  – SAS 59 The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern
  – SAS 60 Communication of Internal Control Related Matters Noted in an Audit
  – SAS 61 Communication With Audit Committees

Historical Analysis
• In Sep 1992, COSO completes its study and publishes the Internal Control Integrated Framework
  – Defines Internal Control
    • Is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to operations, reporting and compliance
  – Identifies Five Components for Internal Control
    • Control Environment
    • Risk Assessment
    • Control Activities
    • Information and Communication
    • Monitoring Activities

Historical Analysis
• BANG!!!! In Oct 2001, the Enron failure occurs
  – Major issues discovered in the accounting and auditing practices of Enron
  – Arthur Andersen was found guilty of illegally destroying documents relevant to the SEC investigation, which voided its license to audit public companies
  – Was the basis for new regulation and legislation to enhance the accuracy of financial reporting for public companies

Historical Analysis
• July 2002 Sarbanes Oxley Act
  – Title I – Public Company Accounting Oversight Board
  – Title II – Auditor Independence
    • Section 201 – Public accounting firms are prohibited from performing non-audit services to financial statement audit clients
    • Section 204 – Public accounting firms must report to the audit committee
  – Title III – Corporate Responsibility
    • Section 301 – Audit Committee requirements
    • Section 302 – CEO and CFO certifications

Historical Analysis
• Jul 2002 Sarbanes Oxley Act
  – Title IV – Enhanced Financial Disclosures
    • Section 404 – Each annual report shall contain an internal control report (an assessment by management with attestation and reporting by the public accounting firm)
    • Section 407 – At least one member of the audit committee must be a “financial expert”

2013 Integrated Framework
• The COSO integrated framework is widely used by companies and organizations to evaluate their internal controls and for the section 404 assessment and audit required by SOX
• Due to the many changes over the past 20 years since the 1992 release of the original guidance, COSO released the 2013 update

2013 Integrated Framework
• 17 principles have been added to clarify the required considerations related to each of the five components of internal control
  – In addition to the considerations from the 1992 version, consideration of change risk as well as fraud risk has been added

2013 Integrated Framework
• Individual assessments are now required for each component and each relevant principle
• In addition, an overall assessment is required to determine whether the five components and relevant principles are working together

2013 Integrated Framework
• The new release provides considerable guidance, considerations and examples. The new release includes the following publications:
  – An Executive Summary
  – The 2013 Internal Control – Integrated Framework
  – Illustrative Tools for Assessing Effectiveness of Internal Controls
  – Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
• The revised guidance is effective for periods ending after December 31, 2014

2013 Integrated Framework
Reporting and Deficiencies in Internal Control
– When a major deficiency exists, the integrated framework indicates that an organization cannot conclude that it has met the requirements for an effective system of internal control
– A major deficiency in one component cannot be mitigated by the presence and functioning of another component
– A major deficiency in a relevant principle cannot be mitigated by the presence and functioning of other principles

2013 Integrated Framework
• Under the Integrated Framework, Each Relevant Principle and Component is Evaluated Based on the Consideration of Points of Focus
  – Points of focus provide attributes, conditions or control characteristics that are associated with the various relevant principles and components

2013 Integrated Framework
• The Control Environment – Principle 1
The organization demonstrates a commitment to integrity and ethical values
Points of Focus
– Tone at the Top
– Standards of Conduct
– Adherence to Standards of Conduct

2013 Integrated Framework
• The Control Environment – Principle 2
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
Points of Focus
– Has Oversight Responsibilities
– Has Relevant Expertise
– Is Independent
– Exercises Oversight of the System of Internal Control

2013 Integrated Framework
• The Control Environment – Principle 3
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
Points of Focus
– Establishes the Organizational Structure
– Authorizes Reporting Relationships
– Determines Authorities and Responsibilities

2013 Integrated Framework
• The Control Environment – Principle 4
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
Points of Focus
– Establishes Human Resource Policies and Practices
– Requires Competence and Addresses Shortcomings
– Attracts, Develops, and Retains Individuals

2013 Integrated Framework
• The Control Environment – Principle 5
The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
Points of Focus
– Has a Performance Management Program
– Performance is Evaluated
– Performance Measures, Incentives, and Rewards are Evaluated
– As necessary, Individuals are Disciplined

2013 Integrated Framework
• The Risk Assessment – Principle 6
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
Points of Focus (External Financial Reporting)
– Complies with Appropriate Accounting Standards
– Considers Risk Tolerance / Materiality
– Considers Related Business Processes

2013 Integrated Framework
• The Risk Assessment – Principle 7
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
Points of Focus
– Determines risk at the appropriate levels of the organization
– Considers Internal and External Factors
– Consults Appropriate Levels of Management
– Identifies Risks
– Determines Risk Response

2013 Integrated Framework
• The Risk Assessment – Principle 8
The organization considers the potential for fraud in assessing risks to the achievement of objectives
Points of Focus
– Identifies Instances or Potential for Fraud
– Considers Incentives and Pressures
– Considers Opportunities
– Considers Attitudes and Rationalizations

2013 Integrated Framework
• The Risk Assessment – Principle 9
The organization identifies and assesses changes that could significantly impact the system of internal control
Points of Focus
– Identifies and Evaluates Changes
– Considers Changes in Accounting Requirements, Technology and Funding
– Considers Changes in Leadership

2013 Integrated Framework
• Ways that Fraudulent Reporting Can Occur
  • Fraud schemes
  • Unusual or complex transactions
  • Overrides
  • Opportunities for inappropriate acts
  • Attitudes

2013 Integrated Framework
• The most common fraud techniques as reported in the 2010 COSO Fraudulent Financial Reporting Study Report include
  – Improper revenue recognition
  – Overstatement of existing assets or capitalization of expenses

2013 Integrated Framework
• Types of Risk Response
  – Acceptance
  – Avoidance
  – Reduction
  – Sharing

2013 Integrated Framework
• Control Activities – Principle 10
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
Points of Focus
– Interacts with the Risk Assessment
– Considers Factors that are Specific to the Entity
– Considers Relevant Business Processes
– Considers Various Control Activity Types
– Addresses Segregation of Duties

2013 Integrated Framework
• Control Activities – Principle 11
The organization selects and develops general control activities over technology to support the achievement of objectives
Points of Focus
– Considers the Use of Technology in the Organization’s Business Processes and Technology General Controls
– Policies and Procedures Relative to Technology Infrastructure and General Controls
– Policies and Procedures Relative to Technology and Data Security Management
– Policies and Procedures Relative to Oversight and Direction over Technology Acquisition, Development, and Maintenance Processes

2013 Integrated Framework
• Control Activities – Principle 12
The organization deploys control activities through policies that establish what is expected and procedures that put policy into action
Points of Focus
– Establishment of Policies and Procedures
– Establishment of Responsibility and Accountability to ensure Policies and Procedures are Adhered to and are Performed Timely
– Control Activities are Assigned and Performed by Competent Personnel

2013 Integrated Framework
• Types of Control Activities
  – Authorizations and Approvals
  – Verifications and Reviews
  – Physical Controls
  – Reconciliations
  – Supervisory Controls
  – Segregating Duties

2013 Integrated Framework
• Information and Communication – Principle 13
The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
Points of Focus
– Identifies Informational Needs and Crosswalk Requirements
– Information is Accessible and Protected
– Information is Provided Timely and is Current
– Information is Accurate and Verifiable

2013 Integrated Framework
• Information and Communication – Principle 14
The organization internally communicates information, including objectives, and responsibilities for internal control, necessary to support the functioning of internal control
Points of Focus
– Policies and Procedures are Properly Authorized and Communicated
– Communication Lines Relative to the Oversight and Execution of the Policies and Procedures are Established
– Methods of Communication are Appropriate

2013 Integrated Framework
• Information and Communication – Principle 15
The organization communicates with external parties regarding matters affecting the functioning of internal control
Points of Focus
– Evaluates and Uses Communication with External Parties and Inbound Communication
– Interacts with Appropriate Senior Management Levels, the Internal Auditor and Board of Trustees regarding external audit matters and the functioning of internal control

2013 Integrated Framework
• Monitoring Activities – Principle 16
The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
Points of Focus
– Applies Ongoing and Separate Evaluations
– Performs Reconciliations
– Performs Validation Procedures
– Considers Analytical Review Techniques
– Requires Reviews by Knowledgeable Personnel
– Monitoring is Integrated with the Business Processes

2013 Integrated Framework
• Monitoring Activities – Principle 17
The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
Points of Focus
– Determines Adherence to Established Controls
– Determines and Communicates Deficiencies
– Establishes and Monitors Corrective Action

2013 Integrated Framework
• What are Ongoing Monitoring Activities
  – Reconciliations
  – Analysis and Review of Accounts or Transactions
  – Scanning of Accounts or Transactions
  – Controller Monthly Verification of Key Account Reconciliations
  – Communication with Functional or Departmental Units Regarding Accuracy of Activities or Accounts
  – Review and Approval of Journal Entries
  – System Test for Duplicate Payments

2013 Integrated Framework
• What are Separate Evaluations
  – Internal Audits
  – External audits
  – UNC Monitoring Visits
  – Functional Compliance Reviews
  – Comparisons to Peer Institutions / Tier Institutions UNC System Average
  – Compliance Checklists

2013 Integrated Framework
• What are the Limitations Related to the Effectiveness of Internal Controls
  – Human judgment in decision making can be faulty or subject to bias
  – Unintentional misstates due to human failures
  – Management overrides
  – Circumvention of controls through collusion
  – Matters or events beyond the organization’s control

Changes to the 2015 AICFR
• Change and Fraud risk is already incorporated in the assessment document but needs to be evaluated for enhancement
• Need to incorporate the 17 principles
• As checklist items, the Points of Focus are already part of the assessment document, so expect limited change in this area
• The objectives of the assessment need to be articulated, as well as materiality considerations, risk identification, and risk response
• Changes to the standards and procedural guidance need to be evaluated

Changes to the 2015 AICFR
• Need to consider risk related to bond ratings, continuing disclosures and changes to them
• Need to consider adding control activities for debt, endowment and investment functions
• Need to articulate the importance of the Internal Audit role and communication with the audit committee
• Need to evaluate adding the new assessment statements and identification of deficiencies as it relates to the new COSO requirements

Timeline on the 2015 AICFR
• GAP analysis in December
• Draft changes in January
• Work with Advisory Team in February (Include Controller, Internal Control Officer and Internal Auditor)
• Finalize by March

Questions?