COSO 2012 INTERNAL CONTROL - INTEGRATED FRAMEWORK POST PUBLIC EXPOSURE VERSION

September 2012

Mark Cousineau CPA, CIA, CFE, CGAP, CGFM, CTIP

Chief Deputy Auditor, San Bernardino County

Chief Deputy Controller, San Bernardino County

Finance & Human Resources Manager, VVWRA

McGladrey & Pullen CPAs

Operations Manager, Hospitality Industry

Bachelor of Science, Business Administration (Accounting), California State University-San Bernardino

DISCLAIMERS

The views expressed in this presentation are those of the author and do not reflect the official policy or position or views of the San Bernardino County Auditor-Controller/Treasurer/Tax Collector, The Office of the San Bernardino County Auditor-Controller/Treasurer/Tax Collector, or the County of San Bernardino.

�  The author is a self described cynic, skeptic, and optimistic-pessimist or pessimistic-optimist.

AGENDA

�  Learning Objectives

�  History

�  Revision Project Overview

�  Key Changes

�  Impacts

�  A Closer Look at the Attributes

�  Recap

�  Question and Discussion

LEARNING OBJECTIVES

A fractal is an object or quantity that displays self-similarity on all scales. The object need not exhibit exactly the same structure at all scales, but the same "type" of structures must appear on all scales. mathworld.wolfram.com

LEARNING OBJECTIVES

1.  When will the updated COSO Internal Control – Framework will be issued?

2.  What are the key changes contemplated that will be useful to internal auditors?

3.  How many principles will be implemented?

4.  Name one anticipated impact on the internal audit profession.

5.  How will the attributes help an entity and its internal audit function?

6.  How are fractals and internal control similar?

7.  How is entropy and internal control similar?

Fractals and Internal Control An entity’s internal control state is likely to be repeated in its lesser organizational units from the entity as a whole, to its departmental groups, departments, divisions, work units, and its employees.

lesson-connect.appspot.com

HISTORY

Those who do not remember the past are condemned to repeat it.

George Santayana

ABOUT COSO

�  Formed in 1985 to examine fraudulent financial reporting

�  A joint initiative of five private sector organizations:

�  American Accounting Association

�  American Institute of Certified Public Accountants

�  Financial Executives International

�  Institute of Management Accountants

�  The Institute of Internal Auditors

INTERNAL CONTROL - INTEGRATED FRAMEWORK

Published in 1992 Gained wide acceptance in

2000’s

Leading standard for

internal control

1992 COSO CUBE

REVISION PROJECT OVERVIEW

PROJECT OBJECTIVES AND DRIVERS

Project Objectives Business Environment Evolution Since 1992

�  “Refresh” the framework

�  No alteration of original Framework’s core concepts

�  Greater focus on operational and compliance control objectives

�  Explicitly identifying principles and attributes of internal control components

�  Expectations for governance oversight

�  Expectations for competencies and accountabilities

�  Demands and complexity of rules, regulations, and standards

�  Expectations for preventing and detecting fraud

�  Context needs updating

PROJECT TIMETABLE

2010 2011 2012 2013

Assess & Survey

Design & Build

Public Exposure Finalize

KEY CHANGES

COSO CUBE: 2012 TO 1992

2012 Revised COSO Cube 1992 COSO Cube

UPDATES SUMMARY

Not Changing Changing

�  Definition of internal control

�  5 internal control components

�  Criteria used to assess effectiveness of internal control

�  Use of judgment in evaluating the effectiveness of internal control systems

�  Codification of principles

�  Expanded reporting objective to address internal and external, financial and non-financial reporting

�  Increased focus on operations, compliance, and non-financial reporting objectives

PRINCIPLES CODIFICATION

•  Demonstrates commitment to integrity and ethical values

•  Exercises oversight responsibility •  Establishes structure, authority, and responsibility •  Demonstrates commitment to competence •  Enforces accountability

Control Environment

•  Specifies suitable objectives •  Identifies and analyzes risk •  Assesses fraud risk •  Identifies and analyzes significant change

Risk Assessment

•  Selects and develops control activities •  Selects and develops general controls over technology •  Deploys through policies and procedures

Control Activities

•  Uses relevant information •  Communicates internally •  Communicates externally

Information & Communication

•  Conducts ongoing and/or separate evaluations •  Evaluates and communicates deficiencies Monitoring Activities

RELATIONSHIPS

Principles

Points of Focus

Criteria

PRINCIPLES & POINTS OF FOCUS

Component Principles Focal Points

Control Environment 5 20

Risk Assessment 4 16

Control Activities 3 16

Information & Communication 3 14

Monitoring Activities 2 10

Total 17 76

ROLES AND RESPONSIBILITIES Internal Control – Integrated Framework Update Project

KEY CHANGES PER COSO

�  Discussion of the responsibility of the chief executive officer and chief financial officer to formerly attest to the effectiveness of internal control in certain jurisdictions.

�  Expansion of the discussion of the types of committees at the board level and their underlying rationale.

�  Adding external reviewers, alongside independent auditors, to reflect the different type of internal control reviews that can occur.

�  Updating the section on legislators and regulators with illustrative discussions.

�  Adding a section on outsourced service providers. �  Aligning roles and responsibilities defined in the section on organization

structure section of the control environment.

OTHER KEY CHANGES

�  Expansion of organizational hierarchy and discussion of role responsibilities. �  Paragraphs 491 - 494 Board of Directors and its Committees

�  Audit Committee

�  Compensation Committee

�  Nomination/Governance Committee

�  Other Committees

�  Paragraphs 495 - 497 Chief Executive Officer

�  Paragraphs 498 - 500 Chief Financial Officer

�  Paragraphs 501 - 505 Other Senior Management: “[…]through a cascading responsibility structure, each executive is a CEO for his or her sphere of responsibility.”

OTHER KEY CHANGES CONTINUED

�  Expansion of organizational hierarchy and discussion of role responsibilities. �  Paragraphs 506 - 511 Business Enabling Functions

�  Risk and Control Personnel

�  Legal and Compliance Personnel

�  Paragraphs 512 - 513 Other Personnel

�  Paragraphs 514 – 519 Internal Auditors

OTHER PERSONNEL

Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring Activities

• Reading, understanding, and applying the standards of conduct of the organization

• Identifying and evaluating risks to the achievement of objectives.

• Performing reconciliations • Following up on exception reports • Performing physical inspections

• Producing and sharing information used in the internal control system

• Taking other actions needed to effect control

• Support efforts to identify and communicate internal control objectives issues to higher-level management, including illegal actions, waste, and abuse.

LIMITATIONS Preconditions, People, and Assurances

PRECONDITIONS

�  Strong governance processes for selecting, developing, and evaluating board members is necessary to maximize and entity’s ability to provide appropriate oversight of internal control.

�  Effective strategy-setting and objective-setting process facilitates and entity’s ability to achieve well constructed, realistic, or suitable objectives.

PEOPLE

Judgment Breakdowns

Management Override Collusion

Internal Control Failures

PEOPLE

Breakdowns of Well Designed Controls Management Override

�  Misunderstood instructions

�  Errors of judgment

�  Errors of performance 1.  Carelessness

2.  Distraction

3.  Too many tasks

�  Overruling prescribed policies or procedures for illegitimate purposes with the intent of

�  Personal gain or

�  Enhanced presentation of an entity’s reporting or compliance status

MANAGEMENT INTERVENTION VS. OVERRIDE

WHY HOW

Necessary to deal with non-recurring and non-standard transactions or events that would not be handled appropriately by the control system

Personal gain, enhanced reporting and compliance status of organizational unit

INT

ERV

ENT

ION

OV

ERR

IDE

Overt Documented

Disclosed to appropriate personnel

Covert Undocumented

Undisclosed Deliberate misrepresentations

INT

ERV

ENT

ION

OV

ERR

IDE

LIMITATIONS SUMMARY LEVEL OF ASSURANCE

OPERATIONS

REPORTING

COMPLIANCE

REASONABLE NO1

YES2 YES YES

ABSOLUTE NO NO NO

1Internal control cannot provide any assurance for objectives related to the effectiveness and efficiency of an entity’s operations – such as achieving its basic mission, fiscal, and financial goals. 2Internal control can provide reasonable assurance to management of the entity’s progress, or lack of progress, towards its operational objectives.

A CLOSER LOOK

Monitoring Activities: 2 Principles and 10 Points of Focus

Entropy and Internal Control Entropy is a process of degradation or running down or a trend to disorder. Energy or force is required to maintain order.

MONITORING ACTIVITIES

Monitoring

Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring

MONITORING ACTIVITIES

CHANGE

Procedures become less effective or obsolete

Procedures may no longer be in place and

functioning Procedures may be insufficient to support achievement of changed objectives

Directional Change

MONITORING ACTIVITIES

Control Activities Monitoring Activities �  Performed by people assigned a

role in an internal control process

�  Regular participants in a preventive or detective control process: �  New vendor approval

�  Reconciliation of asset accounts

�  Management independent of of the control activity

�  Inspection of documentation showing performance

�  Examine for trends

�  Evaluate whether control activity is appropriate

�  Evaluate directional risk

�  Evaluate people’s control activity performance

MONITORING ACTIVITIES

Conducts Ongoing and/or Separate Evaluations – Principle No. 16 Points of Focus

The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. [Principle No. 16]

�  Considers a Mix of Ongoing and Separate Evaluations.

�  Establishes Baseline Understanding.

�  Considers Rate of Change. �  Uses Knowledgeable Personnel. �  Integrates with Business

Processes. �  Objectively Evaluates. �  Adjusts Scope and Frequency.

CONDUCTS EVALUATIONS MANAGEMENT INCLUDES A BALANCE OF ONGOING AND SEPARATE EVALUATIONS.

ONGOING SEPARATE

�  Routine operations

�  Built into business processes

�  Performed on real-time basis

�  Reacts to changing conditions

�  May identify problems more quickly

�  Manual and automated

�  Conducted periodically by

�  Objective parties: �  Management

�  Internal audit

�  External parties

Considers a Mix of Ongoing and Separate Evaluations

CONDUCTS EVALUATIONS THE DESIGN AND CURRENT STATE OF AN INTERNAL CONTROL SYSTEM ARE USED TO ESTABLISH A BASELINE FOR ONGOING AND SEPARATE EVALUATIONS.

Establishes Baseline Understanding �  Includes design and current state of internal control system

�  Used in establishing ONGOING and SEPARATE evaluations

�  Assists in identifying changes

�  Used to re-evaluate internal control components and realign evaluation activity when changes occur

�  Scope and nature of activities

CONDUCTS EVALUATIONS MANAGEMENT CONSIDERS THE RATE OF CHANGE IN BUSINESS AND BUSINESS PROCESSES WHEN SELECTING AND DEVELOPING ONGOING AND SEPARATE EVALUATIONS.

Considers Rate of Change �  External environment

�  Programmatic changes – federal and state

�  Organizational initiatives

�  Change in leadership

CONDUCTS EVALUATIONS EVALUATORS PERFORMING ONGOING AND SEPARATE EVALUATIONS HAVE SUFFICIENT KNOWLEDGE TO UNDERSTAND WHAT IS BEING EVALUATED.

ONGOING SEPARATE

�  Operational or functional managers

�  Competent

�  Understand what is being evaluated

�  Escalate or initiate corrective action

�  Internal audit function

�  Other objective evaluations

�  Cross operating unit or function

�  Benchmarking or Peer evaluations

�  Self-Assessments

Uses Knowledgeable Personnel

CONDUCTS EVALUATIONS ONGOING EVALUATIONS ARE BUILT INTO THE BUSINESS PROCESSES AND ADJUST TO CHANGING CONDITIONS.

Integrates with Business Processes �  Manual or automated or combination

�  Monitor the presence and functioning on internal control components in the ordinary course of business

�  Reacts and adjusts to changing conditions, both external and internal

�  Computerized monitoring �  Highly objective

�  Efficient review of large volumes of data

�  Economical

�  Continuous automated monitoring should b considered

CONDUCTS EVALUATIONS SEPARATE EVALUATIONS ARE PERFORMED PERIODICALLY TO PROVIDE OBJECTIVE FEEDBACK.

Objectively Evaluates �  Generally not ingrained with the business

�  Vary in scope and frequency

�  Scope determined by which of the three objective categories is being addressed

�  Risk ranking and responses taken into consideration

�  Single or multiple internal control components can be addressed

�  Against backdrop of management’s established standards for each component of internal control

CONDUCTS EVALUATIONS MANAGEMENT VARIES THE SCOPE AND FREQUENCY OF SEPARATE EVALUATIONS DEPENDING ON RISK.

Adjusts Scope and Frequency �  Matter of management judgment

�  Perceived need for periodic evaluations may indicate opportunity to improve ongoing evaluations

�  Occurs at different entity levels

�  Scope and nature of operations

�  Internal and external changes

�  Changes within the baseline internal control components

MONITORING ACTIVITIES

Evaluates and Communicates Deficiencies – Principle No. 17 Points of Focus

The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

�  Assesses Results

�  Communicates Deficiencies

�  Monitors Corrective Actions

EVALUATES & COMMUNICATES DEFICIENCIES MANAGEMENT AND THE BOARD, AS APPROPRIATE, ASSESS RESULTS OF ONGOING AND SEPARATE EVALUATIONS.

Assesses Results �  Threats to the ability of the entity to achieve its objectives

�  Opportunities to improve the efficiency of internal controls

�  Opportunities to change the internal control system to increase the likelihood that the entity’s objectives will be achieved

�  Material weaknesses, significant deficiencies, others

�  Major non-conformities, minor non-conformities, others

EVALUATES & COMMUNICATES DEFICIENCIES DEFICIENCIES ARE COMMUNICATED TO PARTIES RESPONSIBLE FOR TAKING CORRECTIVE ACTION AND TO SENIOR MANAGEMENT AND THE BOARD OF DIRECTORS, AS APPROPRIATE.

Communicates Deficiencies �  Individual’s authority to deal with circumstances that arise

�  Oversight activities of superiors

�  Management establishes criteria as to what is reported and to whom

�  Crosscutting deficiencies are reported to all relevant parties and at a sufficiently high level to drive appropriate action

�  Communications to those positioned to take timely corrective actions

�  Internal control deficiencies are reported to the parties responsible for taking corrective action and usually one level of management above that person

EVALUATES & COMMUNICATES DEFICIENCIES DEFICIENCIES ARE REPORTED TO SENIOR MANAGEMENT AND TO THE BOARD, AS APPROPRIATE.

Reports Deficiencies to Senior Management and the Board �  Material weaknesses and significant deficiencies

�  Major non-conformities

�  Deficiencies and minor non-conformities that meet a specified threshold

�  Entity established reporting directives

�  Possible external reporting of deficiencies

EVALUATES & COMMUNICATES DEFICIENCIES MANAGEMENT TRACKS WHETHER DEFICIENCIES ARE REMEDIATED ON A TIMELY BASIS.

Monitors Corrective Actions �  Management tracks remediation efforts and whether they are

conducted on a timely basis

�  New management requirement

�  Applies to ONGOING evaluations and SEPARATE evaluations that were not performed by the entity’s internal audit activity

IMPACTS

Things alter for the worse spontaneously, if they be not altered for the better designedly.  ~Francis Bacon quotegarden.com

IMPACT OF CHANGES

�  PRINCIPLES AND POINTS OF FOCUS �  Need to make sure your audit program covers all 17 principles

�  Documentation may need to be enhanced

�  Easier to see everything is covered

�  Easier to see what is missing

�  EMPHASIS �  Control Environment has 5 of 17 principles

�  Risk Assessment has 4 of 17 principles

�  Over 50% of principles in these components

IMPACT OF CHANGES CONTINUED

�  BROADER REPORTING SCOPE �  Internal Financial Reporting

�  Internal Non-Financial Reporting

�  External Non-Financial Reporting

�  OPPORTUNITY TO HIGHLIGHT INTERNAL CONTROL OVER �  Operations

�  Compliance

COSO EXAMPLES

�  The organization selects, develops, and performs ongoing and / or separate evaluations to ascertain whether the components of internal control are present and functioning

�  The organization selects and develops general control activities over technology to support the achievement of objectives

�  The organization considers the potential for fraud relating to material misstatement of reporting, inadequate safeguarding of assets, and corruption during the assessment of risks to the achievement of objectives

IMPACT OF CHANGES ON INTERNAL AUDITS

�  Principles-based approach will allow flexibility to be applied at the entity, operating, and functional levels

�  Changes will require review and potential updates to a number of processes, activities, and documentation

�  Update allows for integration of both the COSO Enterprise Risk Management (ERM) and Internal Control-Integrated Framework (ICIF) models

�  Identifies key attributes for each principle

MONITORING ACTIVITIES INTERNAL AUDIT EVALUATIONS: Objectives and Criteria

OBJECTIVES ASSERTIONS

Determine whether the organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. [Principle No. 16]

16-1 Management includes a balance of ongoing and separate evaluations.

16-2 The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.

16-3 Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.

16-4 Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.

16-5 Ongoing evaluations are built into the business processes and adjust to changing conditions.

16-6 Separate evaluations are performed periodically to provide objective feedback.

16-7 Management varies the scope and frequency of separate evaluations depending on risk.

OBJECTIVES ASSERTIONS

Determine whether the organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. [Principle No. 17]

17-1 Management and the board, as appropriate, assess results of ongoing and separate evaluations.

17-2 Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.

Deficiencies are communicated to parties responsible for taking corrective action and to at least one level of management above.

17-4 Management tracks whether deficiencies are remediated on a timely basis.

AUDIT OBJECTIVES: Based on Principles

Principle

•  The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. [Principle No. 16]

Objective

•  Determine whether the organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Objective

•  Determine whether the organization’s ongoing and/or separate evaluations ascertain whether the components of internal control are present and functioning.

CRITERIA: Based on Points of Focus

Attribute

•  Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated. [Principle No. 16]

Criterion 16-4

•  Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.

AUDIT PROCEDURES: Based on Attributes

Attribute

•  Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.

Criterion 16-4

•  Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.

Procedure 16-4.P1

•  Obtain evaluator’s resume, job history, education, and training history.

Procedure 16-4.P2

•  Obtain [insert org. unit] requirements for [insert subject matter] evaluator. Document if requirements differ between ongoing and separate evaluations. 16-4.P3

AUDIT PROCEDURES: Based on Points of Focus

Procedure 16-4.P3

•  Review job history and evaluate whether the individual has an appropriate level of experience with organizational unit and/or program to understand the [insert subject matter].

Procedure 16-4.P4

•  Compare the evaluator’s experience, knowledge, skills, and abilities to the minimum requirements established by the organizational unit.

Procedure 16-4.P5

•  If evaluator’s experience did not meet organization’s minimum requirements at hire, determine whether the organization anticipated, documented, and took action to mitigate.

DEFICIENCIES

Deficiency

Control Environment

Risk Assessment

Control Activity Information & Communication

Monitoring Activity

RECAP

RECAP

1.  First Quarter 2013

2.  Stated Principles (17)

3.  Points of Focus (76) Formerly 81 Attributes 4.  Criteria Derived from Points of Focus

5.  Internal Audit Activity Impact

6.  Scalability of internal controls

7.  Natural outcome for laissez-faire internal control maintenance.

QUESTION AND DISCUSSION