Helen Y. Painter, CPA, Audit Partner, Purvis, Gray & Co., LLP

COSO’s New Internal Control—Integrated Framework (Exposure Draft)

Upload: dinhnguyet

Post on 17-Sep-2018


What is the Status?

Exposure Draft Stage
- Comments due November 16, 2012
- Written comments will be available online March 31, 2013
- www.ic.coso.org
- Framework and Appendices
- IC over External Financial Reporting: A Compendium of Approaches and Examples
- Illustrative Tools for Assessing Effectiveness of a System of Internal Control
- Executive Summary & Feedback Questions

Do You Remember COSO?

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- 1992: released the original framework
- Gained broad acceptance
- Leading framework for designing, implementing, and conducting internal control, and assessing the effectiveness of internal control

Twenty Years Later

- Business and Organizational Changes: Technology, Complex Transactions, Global
- Stakeholders Want More Assurance: Taxpayers, Shareholders, Owners

Mission of COSO

Dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations.

Updated COSO Cube


Help For External Stakeholders

- Greater confidence in the Board’s oversight of IC
- Greater confidence in achieving Entity’s goals
- Greater confidence to identify risks
- Greater understanding of the requirement of effective system of IC
- Greater understanding that management can eliminate ineffective or redundant controls

COSO’s Structure

- Private Sector Initiative
- Sponsored and funded by:
  - American Accounting Association
  - American Institute of Certified Public Accountants
  - Financial Executives International
  - Institute of Management Accountants
  - The Institute of Internal Auditors

COSO’s Participants

- Board Members – 8
- Principal Contributors (From PwC) – 9
- Advisory Council – 5
- Members at Large – 9
- Regulatory Observers and Other Observers – 6

Defining Internal Control

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Core of Original Framework Remains

5 Components of Internal Control
- (C) Control Activities
- (R) Risk Assessment
- (I) Information & Communication
- (M) Monitoring Activities
- (E) Control Environment

Management’s Judgment
- Designing, implementing, and conducting IC AND assessing effectiveness of a system of IC

Quick Course on CRIME

(C) Control Activities: actions established through policies and procedures.
- Preventive or Detective
- Manual or automated
- Examples:
  - Authorizations and approvals
  - Reconciliations
- Segregation of Duties is built into the selection and development of control activities

(R) Risk Assessment

- Definition: possibility that an event will occur and adversely affect the achievement of objectives
- Precondition to Risk Assessment is the establishment of Objectives
- Consideration of the impact of possible changes externally that may affect IC

(I) Information and Communication

- Information: necessary to carry out IC responsibilities
- Communication: continual process of providing, sharing, and obtaining necessary information

(M) Monitoring Activities

- Ongoing evaluations to ensure IC are present and functioning
- Findings are evaluated
- Deficiencies are communicated to management and Board

(E) Control Environment

- Set of standards, processes and structures – basis for carrying out IC
- Tone at the top regarding importance
- Integrity and ethical values of organization
- Governance oversight responsibilities
- Provides for a pervasive impact on the overall system of IC

What This Framework Provides

- Means to apply IC to any type of entity
- New Departments, Blended Component Units
- Principles-based approach (not RULES)
- Allows for Judgment
- Requirements for an Effective System
- Means to identify and analyze risk
- Responses to risks within acceptable levels
- Greater focus on anti-fraud measures
- Opportunity to expand application of IC
- Opportunity to eliminate redundant or inefficient controls

IC Definition-Fundamental Concepts

- Geared to the achievement of objectives: operations, reporting, and compliance
- A process consisting of ongoing tasks and activities: a means to an end, not an end
- Effected by people and the actions they take
- Able to provide reasonable (not absolute) assurance to senior management and Boards
- Adaptable to the entity structure

Objectives

Framework provides for 3 categories of objectives
- Operations
  - Efficiencies
  - Financial performance goals
  - Safeguarding assets against loss
- Reporting
  - Internal and external financial and non-financial reporting
  - Reliability, timeliness, transparency
- Compliance: adherence to laws and regulations

Enhancements

- Expanding financial Reporting Objectives
- Non-financial Internal Reporting
- Considerations of changes in doing business
  - Expectations for Governance Oversight
  - Globalization of markets and operations
  - Changes and Greater Complexity in business
  - Demands and complexities in laws, regulations…
  - Use of, and reliance on, evolving technologies
  - Expectations relating to preventing and detecting fraud

Wrapping Our Minds Around It!

Three Volumes
- Executive Summary: high-level overview
  - Boards, CEOs, Senior Management
- Framework and Appendices
  - Defines IC
  - Describes Components
  - Provides Direction
- Illustrative Tools for Assessing Effectiveness
  - Templates and scenarios useful for application

In addition: Compendium of Approaches and Examples
- Provide practical approaches and examples how Framework can be applied in preparing external financial statements

TOO GOOD TO BE TRUE??!

EXAMPLE TOOLS!


The Framework and 17 Principles

Control Environment
1. Commitment to integrity and ethical values
2. BOD is independent from management and exercises oversight of IC
3. Management (with BOD) establishes structures, reporting lines and responsibilities
4. Commitment to attract, develop and retain competent individuals
5. Holds individuals accountable for their IC responsibilities

Framework and 17 Principles (cont)

Risk Assessment
6. Organization specifies objectives with sufficient clarity to enable identification of risks.
7. Organization identifies risks and analyzes how risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Framework and 17 Principles (cont)

Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Framework and 17 Principles (cont)

Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Framework and 17 Principles (concluded)

Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Roles and Responsibilities

Who should be responsible?

Board of Directors, School Boards, City Council, County Commissioners, Owners
- Overseeing system of internal control
- Defines expectations
  - Integrity and Ethical Values
  - Transparency
  - Accountability
- Objective
- Form Subcommittees
  - Audit Committee

Roles and Responsibilities (cont)

Audit Committees
- Audit and Risk Committee
- Audit Committees request corrective and timely actions to issues
- Should be independent from management
- Interacts with external Auditors
  - Scope of Planned Audit Procedures
  - Results of Audit Procedures

Roles and Responsibilities (cont)

Chief Executive Director, President, Superintendent of Schools
- Sets tone at the top
- Control environment
- Accountable to the Board
- Responsible for designing, implementing, and conducting an effective system of internal control

Roles and Responsibilities (cont)

Chief Financial Officer
- Supports the CEO
- Front-line responsibilities for IC over financial reporting

Roles and Responsibilities (cont)

Senior Management
- Guides the development and implementation of IC policies and procedures within their operating unit
- Assigns responsibilities for establishing more specific IC procedures to those personnel within the departments.
- Each manager should be accountable to the next higher level for their portion of the internal control system

Roles and Responsibilities (cont)

Other Personnel
- Internal Control is the responsibility of everyone in an entity; part of everyone’s job

Roles and Responsibilities (cont)

Internal Auditors
- Provide assurance and advisory support on IC
- Required or optional
- Internal or Outsourced
- Evaluates the adequacy and effectiveness of controls
- Should provide an impartial review
- Should be objective

Roles and Responsibilities (cont)

Outsource Service Providers
- Examples
  - Human Resource Companies
  - Payroll Companies
  - Internal Audit Function
  - Grant Administration
- Management is STILL responsible for oversight
- Must assess the effectiveness of the system of IC over these activities
- Service Organization Control (SOC) reports

Roles and Responsibilities (concluded)

Independent Auditors
- Provide information useful to management
  - Audit findings
  - Analytical Information
  - Recommendations
  - Findings regarding deficiencies in IC

What About Small Entities?

- Fewer lines of business and fewer products within lines
- Concentration of marketing focus by channel or geography
- Leadership by management with significant ownership interest or rights
- Fewer levels of management with wider spans of control
- Less complex transaction processing systems
- Fewer personnel, many having a wider range of duties
- Limited ability to maintain deep resources in line as well as support staff positions such as legal, human resources, accounting, and internal auditing

Smaller Entities-Meeting Challenges

- Sufficient resources to achieve adequate Segregation of Duties
- Balancing improper management override of processes to meet goals
- Recruiting and retaining experienced personnel
- Running the organization vs. providing sufficient focus on IC
- Controlling information technology with limited resources

Solutions-Segregation of Duties

“Management” Could Randomly
- Review Reports of Detailed Transactions
- Review Selected Transactions
- Take Periodic Asset Counts (physical inventory, equipment) and compare with accounting records
- Review random reconciliations (cash, investments, revenues, accounts receivable)

Solutions-Mitigating the Risk of Management Override

- Maintain a corporate culture where integrity and ethical values are held in high esteem
- Implement a whistle-blower program
- Establish an internal audit function that reports directly to an audit committee
- Attract and retain qualified board members

Component Evaluation Template


Component Evaluation Template-Example


Questions?
