internal control–integrated framework

Category:

Documents


0 download

TRANSCRIPT

  • 7/30/2019 Internal ControlIntegrated Framework

    1/34

    0

    Presented by:Richard F. Chambers CIA, CCSA, CGAP, CRMAGlobal President and CEOThe Institute of Internal Auditors

    May 21, 2013

    Internal Control Integrated Framework

    The ICGFM 27th Annual International Training Conference

  • 7/30/2019 Internal ControlIntegrated Framework

    2/34

    1

    Presentation Overview

    COSO & Project Overview Internal Control-Integrated Framework

    Illustrative Documents Illustrative Tools for Assessing Effectiveness of a System of Internal Control Internal Control over External Financial Reporting: A Compendium of

    Approaches and examples Transition & Impact Recommended Actions Questions & Comments

  • 7/30/2019 Internal ControlIntegrated Framework

    3/34

    2

    COSO & Project Overview

  • 7/30/2019 Internal ControlIntegrated Framework

    4/34

    3

    COSO Overview Internal Control Publications

    1992 2006 2009 2013

  • 7/30/2019 Internal ControlIntegrated Framework

    5/34

    4

    Original Framework

    COSOs In ternal Contro l In tegrated Framewo rk (1992 Edition)

    RefreshObjectives

    Updated

    Framework

    COSOs In ternal Contro l In tegrated Framewo rk (2013 Edition)

    Broadens Application Clarifies Requirements

    Articulate principles to

    facilitate effective

    internal control

    Why update what works The Framework has become themost widely adopted control framework worldwide.

    UpdatesContext

    Enhancements

    Reflect changes in

    business & operating

    environments

    Expand operations and

    reporting objectives

  • 7/30/2019 Internal ControlIntegrated Framework

    6/34

    5

    Project timetable

    Assess & SurveyStakeholders Design & Build

    Public Exposure,Assess & Refine Finalize

    2010 2011 2012 2013

  • 7/30/2019 Internal ControlIntegrated Framework

    7/346

    Project participantsCOSO

    Board of Directors

    COSO Advisory Council

    AICPA AAA FEI IIA IMA Public Accounting Firms Regulatory observers (SEC, GAO, FDIC,

    PCAOB) Others (IFAC, ISACA, others)

    PwC

    Author &Project Leader

    Stakeholders

    Over 700 stakeholders in Framework

    responded to global survey during 2011 Over 200 stakeholders publically commented

    on proposed updates to Framework duringfirst quarter of 2012

    Over 50 stakeholders publically commented onproposed updates in last quarter of 2012

  • 7/30/2019 Internal ControlIntegrated Framework

    8/347

    Project deliverable #1 Internal Control-IntegratedFramework (2013 Edition)

    Consists of three volumes: Executive Summary

    Framework and Appendices Illustrative Tools for

    Assessing Effectiveness of aSystem of Internal Control

    Sets out:

    Definition of internal control Categories of objectives Components of internal

    control Requirements for

    effectiveness

  • 7/30/2019 Internal ControlIntegrated Framework

    9/348

    Project deliverable #2 Internal Control over ExternalFinancial Reporting: A Compendium....

    Approaches and Examplesillustrate how principles areapplied in preparing financialstatements

    Considers changes inbusiness and operatingenvironments during past two

    decades Relevant for variety of entities

    public, private, not-for-profit,and government

    Consistent with updatedFramework

  • 7/30/2019 Internal ControlIntegrated Framework

    10/349

    Internal Control Integrated Framework

  • 7/30/2019 Internal ControlIntegrated Framework

    11/3410

    Defining Internal Control:

    Internal control is a process, effectedby an entitys board of directors,management, and other personnel,designed to provide reasonableassurance regarding theachievement of objectives relating to

    operations, reporting andcompliance.

  • 7/30/2019 Internal ControlIntegrated Framework

    12/3411

    The Internal Control DefinitionReflects Fundamental Concepts:

    Geared to the achievement of objectives in one or more categories

    Operations Reporting Compliance

    A process consisting of ongoing tasksand activities: a means not an end.

    Effected by people Able to provide reasonable

    assurance. Adaptable to the entity structure

  • 7/30/2019 Internal ControlIntegrated Framework

    13/3412

    The Components of InternalControl Remain Unchanged:

    Control environment

    Risk assessment Control activities

    Information and communication

    Monitoring activities

  • 7/30/2019 Internal ControlIntegrated Framework

    14/3413

    Relationship of Objectives andComponents:

    Objectives are what an entitystrives to achieve (3 columns)

    Components represent whatare required to achieveobjectives (5 Rows)

    The organizational structure willvary by the nature andcomplexity of the entity (the 3 rd dimension in the cube)

  • 7/30/2019 Internal ControlIntegrated Framework

    15/3414

    Update expected to ease use and application

    What is not changing... What is changing...

    Core definition of internal control

    Three categories of objectives andfive components of internal control

    Each of the five components of internal control are required foreffective internal control

    Important role of judgment indesigning, implementing andconducting internal control, and inassessing its effectiveness

    Changes in business and operating

    environments considered

    Operations and reporting objectivesexpanded

    Fundamental concepts underlyingfive components articulated asprinciples

    Additional approaches andexamples relevant to operations,compliance, and non-financialreporting objectives added

  • 7/30/2019 Internal ControlIntegrated Framework

    16/3415

    Environm ents changes . .. have driven Framework updates

    Expectations for governance oversight

    Globalization of markets and operations

    Changes and greater complexity in business

    Demands and complexities in laws, rules,regulations, and standards

    Expectations for competencies andaccountabilities

    Use of, and reliance on, evolving technologies

    Expectations relating to preventing anddetecting fraud

    COSO Cube (2013Edition)

    Update considers changes in business and operatingenvironments

  • 7/30/2019 Internal ControlIntegrated Framework

    17/3416

    Control Environment

    Risk Assessment

    Control Activities

    Information &Communication

    Monitoring Activities

    Update articulates principles of effective internal control 1. Demonstrates commitment to integrity and ethical values2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence5. Enforces accountability

    6. Specifies suitable objectives7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change

    10. Selects and develops control activities

    11. Selects and develops general controls over technology 12. Deploys through policies and procedures

    13. Uses relevant information14. Communicates internally 15. Communicates externally

    16. Conducts ongoing and/or separate evaluations17. Evaluates and communicates deficiencies

  • 7/30/2019 Internal ControlIntegrated Framework

    18/3417

    Control Environment

    Update articulates principles of effective internal control(continued)

    1. The organization demonstrates a commitment tointegrity and ethical values.

    2. The board of directors demonstrates independencefrom management and exercises oversight of thedevelopment and performance of internal control.

    3. Management establishes, with board oversight,structures, reporting lines, and appropriateauthorities and responsibilities in the pursuit of

    objectives.4. The organization demonstrates a commitment to

    attract, develop, and retain competent individualsin alignment with objectives.

    5. The organization holds individuals accountable for their internal control responsibilities in the pursuitof objectives.

  • 7/30/2019 Internal ControlIntegrated Framework

    19/3418

    6. The organization specifies objectives withsufficient clarity to enable the identification and

    assessment of risks relating to objectives.7. The organization identifies risks to the

    achievement of its objectives across the entityand analyzes risks as a basis for determininghow the risks should be managed.

    8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

    9. The organization identifies and assesseschanges that could significantly impact thesystem of internal control.

    Risk Assessment

    Update articulates principles of effective internal control(continued)

  • 7/30/2019 Internal ControlIntegrated Framework

    20/34

  • 7/30/2019 Internal ControlIntegrated Framework

    21/34

    20

    13. The organization obtains or generates and usesrelevant, quality information to support the

    functioning of other components of internalcontrol.

    14. The organization internally communicatesinformation, including objectives andresponsibilities for internal control, necessary tosupport the functioning of other components of internal control.

    15. The organization communicates with externalparties regarding matters affecting thefunctioning of other components of internalcontrol.

    Information &Communication

    Update articulates principles of effective internal control(continued)

  • 7/30/2019 Internal ControlIntegrated Framework

    22/34

    21

    16. The organization selects, develops, andperforms ongoing and/or separate evaluations

    to ascertain whether the components of internalcontrol are present and functioning.

    17. The organization evaluates and communicatesinternal control deficiencies in a timely manner to those parties responsible for taking correctiveaction, including senior management and theboard of directors, as appropriate.

    Monitoring Activities

    Update articulates principles of effective internal control(continued)

  • 7/30/2019 Internal ControlIntegrated Framework

    23/34

    22

    Update clarifies requirements for effective internal control

    Effective internal control provides reasonableassurance regarding the achievement of objectives and requires that:

    Each component and each relevantprinciple is present and functioning

    The five components are operatingtogether in an integrated manner

    Each principle is suitable to all entities; allprinciples are presumed relevant except inrare situations where managementdetermines that a principle is not relevant toa component (e.g., governance, technology)

  • 7/30/2019 Internal ControlIntegrated Framework

    24/34

    23

    Requirements for effective internal control (continued)

    Components operate together when allcomponents are present and functioningand internal control deficiencies aggregated

    across components do not result in one or more major deficiencies

    A major deficiency represents an internalcontrol deficiency or combination thereof that severely reduces the likelihood that anentity can achieve its objectives

  • 7/30/2019 Internal ControlIntegrated Framework

    25/34

    24

    Update goes beyond simply articulating the principles italso describes important characteristics of principles(points of focus)

    Points of focus may not be suitable or relevant, and others may be identified

    Points of focus may facilitate designing, implementing, and conducting internalcontrol

    There is no requirement to separately assess whether points of focus are in

    place

    Control Environment 1. The organization demonstrates a commitment tointegrity and ethical values.

    Points of Focus: Sets the Tone at the Top Establishes Standards of Conduct Evaluates Adherence to Standards of Conduct Addresses Deviations in a Timely Manner

  • 7/30/2019 Internal ControlIntegrated Framework

    26/34

    25

    Update describes the role of controls to effect principles

    The Framework does not prescribe controls to be selected, developed, anddeployed for effective internal control

    An organizations selection of controls to effect relevant principles andassociated components is a function of management judgment based onfactors unique to the entity

    A major deficiency in a component or principle cannot be mitigated to anacceptable level by the presence and functioning of other components andprinciples

    However, understanding and considering how controls effect multipleprinciples can provide persuasive evidence supporting managementsassessment of whether components and relevant principles are present andfunctioning

  • 7/30/2019 Internal ControlIntegrated Framework

    27/34

    26

    Update describes the role of controls to effect principles

    Control Environment

    1. The organization demonstrates a commitment to integrity andethical values.

    Component

    Principle

    Controls effectmultiple

    principles

    Human Resourcesreviews allemployees annualconfirmations toassess whether standards of conduct areunderstood andadhered to

    (Principle 1)

    Managementreviews potentialdeviations capturedthrough thewhistleblower hot-line and theunderlying data andinformation

    (Principle 13)

    Internal Auditseparately evaluatesthe controlenvironment,consideringemployee behaviorsand whistleblower hotline results andreports thereon

    (Principles 16 & 17)

  • 7/30/2019 Internal ControlIntegrated Framework

    28/34

    27

    Illustrative Documents:- Illustrative Tools for Assessing Effectiveness of

    a System of Internal Control

    - Internal Control over External Financial

    Reporting: A Compendium of Approaches and

    Examples

  • 7/30/2019 Internal ControlIntegrated Framework

    29/34

    28

    Transition & Impact

  • 7/30/2019 Internal ControlIntegrated Framework

    30/34

    29

    Transition & Impact

    Users are encouraged to transition applications and related documentation tothe updated Framework as soon as feasible

    Updated Framework will supersede original Framework at the end of thetransition period (i.e., December 15, 2014)

    During the transition period, external reporting should disclose whether theoriginal or updated version of the Framework was used

    Impact of adopting the updated Framework will vary by organization

    Does your system(s) of internal control need to address changes in business? Does your system(s) of internal control need to be updated to address all principles? Does your organization apply and interpret the original Framework in the same

    manner as COSO? Is your organization considering new applications to cover new objectives?

  • 7/30/2019 Internal ControlIntegrated Framework

    31/34

    30

    Transition & Impact (continued)

    The principles-based approach provides flexibility in applying theFramework to multiple, overlapping objectives across the entity

    Easier to see what is covered and what is missing Focus on principles may reduce likelihood of considering something thats

    irrelevant Understanding the importance of specifying suitable objectives focuses on

    those risks and controls most important to achieving these objectives.

    Focusing on areas of risk that exceed acceptance levels or need to bemanaged across the entity may reduce efforts spent mitigating risks inareas of lesser significance.

    Coordinating efforts for identifying and assessing risks across multiple,overlapping objectives may reduce the number of discrete risks assessedand mitigated.

  • 7/30/2019 Internal ControlIntegrated Framework

    32/34

    31

    Transition & Impact (continued)

    Selecting, developing, and deploying controls to effect multiple principlesmay also reduce the number of discrete, layered-on controls.

    Applying an integrated approach to internal control - encompassingoperations, reporting, and compliance may lessen complexity.

    In assessing severity of internal control deficiencies, use only the relevantclassification criteria as set out in the Framework or by regulators, standard-setting bodies, and other relevant third parties, as appropriate.

  • 7/30/2019 Internal ControlIntegrated Framework

    33/34

  • 7/30/2019 Internal ControlIntegrated Framework

    34/34

    Questions?

    The Institute of Internal Auditors

    Richard Chambers, CIA, CGAP, CCSA, CRMAPresident & Chief Executive Officer [email protected]

    @RFChambers

    mailto:[email protected]:[email protected]