internal control–integrated framework
TRANSCRIPT
-
7/30/2019 Internal ControlIntegrated Framework
1/34
0
Presented by:Richard F. Chambers CIA, CCSA, CGAP, CRMAGlobal President and CEOThe Institute of Internal Auditors
May 21, 2013
Internal Control Integrated Framework
The ICGFM 27th Annual International Training Conference
-
7/30/2019 Internal ControlIntegrated Framework
2/34
1
Presentation Overview
COSO & Project Overview Internal Control-Integrated Framework
Illustrative Documents Illustrative Tools for Assessing Effectiveness of a System of Internal Control Internal Control over External Financial Reporting: A Compendium of
Approaches and examples Transition & Impact Recommended Actions Questions & Comments
-
7/30/2019 Internal ControlIntegrated Framework
3/34
2
COSO & Project Overview
-
7/30/2019 Internal ControlIntegrated Framework
4/34
3
COSO Overview Internal Control Publications
1992 2006 2009 2013
-
7/30/2019 Internal ControlIntegrated Framework
5/34
4
Original Framework
COSOs In ternal Contro l In tegrated Framewo rk (1992 Edition)
RefreshObjectives
Updated
Framework
COSOs In ternal Contro l In tegrated Framewo rk (2013 Edition)
Broadens Application Clarifies Requirements
Articulate principles to
facilitate effective
internal control
Why update what works The Framework has become themost widely adopted control framework worldwide.
UpdatesContext
Enhancements
Reflect changes in
business & operating
environments
Expand operations and
reporting objectives
-
7/30/2019 Internal ControlIntegrated Framework
6/34
5
Project timetable
Assess & SurveyStakeholders Design & Build
Public Exposure,Assess & Refine Finalize
2010 2011 2012 2013
-
7/30/2019 Internal ControlIntegrated Framework
7/346
Project participantsCOSO
Board of Directors
COSO Advisory Council
AICPA AAA FEI IIA IMA Public Accounting Firms Regulatory observers (SEC, GAO, FDIC,
PCAOB) Others (IFAC, ISACA, others)
PwC
Author &Project Leader
Stakeholders
Over 700 stakeholders in Framework
responded to global survey during 2011 Over 200 stakeholders publically commented
on proposed updates to Framework duringfirst quarter of 2012
Over 50 stakeholders publically commented onproposed updates in last quarter of 2012
-
7/30/2019 Internal ControlIntegrated Framework
8/347
Project deliverable #1 Internal Control-IntegratedFramework (2013 Edition)
Consists of three volumes: Executive Summary
Framework and Appendices Illustrative Tools for
Assessing Effectiveness of aSystem of Internal Control
Sets out:
Definition of internal control Categories of objectives Components of internal
control Requirements for
effectiveness
-
7/30/2019 Internal ControlIntegrated Framework
9/348
Project deliverable #2 Internal Control over ExternalFinancial Reporting: A Compendium....
Approaches and Examplesillustrate how principles areapplied in preparing financialstatements
Considers changes inbusiness and operatingenvironments during past two
decades Relevant for variety of entities
public, private, not-for-profit,and government
Consistent with updatedFramework
-
7/30/2019 Internal ControlIntegrated Framework
10/349
Internal Control Integrated Framework
-
7/30/2019 Internal ControlIntegrated Framework
11/3410
Defining Internal Control:
Internal control is a process, effectedby an entitys board of directors,management, and other personnel,designed to provide reasonableassurance regarding theachievement of objectives relating to
operations, reporting andcompliance.
-
7/30/2019 Internal ControlIntegrated Framework
12/3411
The Internal Control DefinitionReflects Fundamental Concepts:
Geared to the achievement of objectives in one or more categories
Operations Reporting Compliance
A process consisting of ongoing tasksand activities: a means not an end.
Effected by people Able to provide reasonable
assurance. Adaptable to the entity structure
-
7/30/2019 Internal ControlIntegrated Framework
13/3412
The Components of InternalControl Remain Unchanged:
Control environment
Risk assessment Control activities
Information and communication
Monitoring activities
-
7/30/2019 Internal ControlIntegrated Framework
14/3413
Relationship of Objectives andComponents:
Objectives are what an entitystrives to achieve (3 columns)
Components represent whatare required to achieveobjectives (5 Rows)
The organizational structure willvary by the nature andcomplexity of the entity (the 3 rd dimension in the cube)
-
7/30/2019 Internal ControlIntegrated Framework
15/3414
Update expected to ease use and application
What is not changing... What is changing...
Core definition of internal control
Three categories of objectives andfive components of internal control
Each of the five components of internal control are required foreffective internal control
Important role of judgment indesigning, implementing andconducting internal control, and inassessing its effectiveness
Changes in business and operating
environments considered
Operations and reporting objectivesexpanded
Fundamental concepts underlyingfive components articulated asprinciples
Additional approaches andexamples relevant to operations,compliance, and non-financialreporting objectives added
-
7/30/2019 Internal ControlIntegrated Framework
16/3415
Environm ents changes . .. have driven Framework updates
Expectations for governance oversight
Globalization of markets and operations
Changes and greater complexity in business
Demands and complexities in laws, rules,regulations, and standards
Expectations for competencies andaccountabilities
Use of, and reliance on, evolving technologies
Expectations relating to preventing anddetecting fraud
COSO Cube (2013Edition)
Update considers changes in business and operatingenvironments
-
7/30/2019 Internal ControlIntegrated Framework
17/3416
Control Environment
Risk Assessment
Control Activities
Information &Communication
Monitoring Activities
Update articulates principles of effective internal control 1. Demonstrates commitment to integrity and ethical values2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence5. Enforces accountability
6. Specifies suitable objectives7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change
10. Selects and develops control activities
11. Selects and develops general controls over technology 12. Deploys through policies and procedures
13. Uses relevant information14. Communicates internally 15. Communicates externally
16. Conducts ongoing and/or separate evaluations17. Evaluates and communicates deficiencies
-
7/30/2019 Internal ControlIntegrated Framework
18/3417
Control Environment
Update articulates principles of effective internal control(continued)
1. The organization demonstrates a commitment tointegrity and ethical values.
2. The board of directors demonstrates independencefrom management and exercises oversight of thedevelopment and performance of internal control.
3. Management establishes, with board oversight,structures, reporting lines, and appropriateauthorities and responsibilities in the pursuit of
objectives.4. The organization demonstrates a commitment to
attract, develop, and retain competent individualsin alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuitof objectives.
-
7/30/2019 Internal ControlIntegrated Framework
19/3418
6. The organization specifies objectives withsufficient clarity to enable the identification and
assessment of risks relating to objectives.7. The organization identifies risks to the
achievement of its objectives across the entityand analyzes risks as a basis for determininghow the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesseschanges that could significantly impact thesystem of internal control.
Risk Assessment
Update articulates principles of effective internal control(continued)
-
7/30/2019 Internal ControlIntegrated Framework
20/34
-
7/30/2019 Internal ControlIntegrated Framework
21/34
20
13. The organization obtains or generates and usesrelevant, quality information to support the
functioning of other components of internalcontrol.
14. The organization internally communicatesinformation, including objectives andresponsibilities for internal control, necessary tosupport the functioning of other components of internal control.
15. The organization communicates with externalparties regarding matters affecting thefunctioning of other components of internalcontrol.
Information &Communication
Update articulates principles of effective internal control(continued)
-
7/30/2019 Internal ControlIntegrated Framework
22/34
21
16. The organization selects, develops, andperforms ongoing and/or separate evaluations
to ascertain whether the components of internalcontrol are present and functioning.
17. The organization evaluates and communicatesinternal control deficiencies in a timely manner to those parties responsible for taking correctiveaction, including senior management and theboard of directors, as appropriate.
Monitoring Activities
Update articulates principles of effective internal control(continued)
-
7/30/2019 Internal ControlIntegrated Framework
23/34
22
Update clarifies requirements for effective internal control
Effective internal control provides reasonableassurance regarding the achievement of objectives and requires that:
Each component and each relevantprinciple is present and functioning
The five components are operatingtogether in an integrated manner
Each principle is suitable to all entities; allprinciples are presumed relevant except inrare situations where managementdetermines that a principle is not relevant toa component (e.g., governance, technology)
-
7/30/2019 Internal ControlIntegrated Framework
24/34
23
Requirements for effective internal control (continued)
Components operate together when allcomponents are present and functioningand internal control deficiencies aggregated
across components do not result in one or more major deficiencies
A major deficiency represents an internalcontrol deficiency or combination thereof that severely reduces the likelihood that anentity can achieve its objectives
-
7/30/2019 Internal ControlIntegrated Framework
25/34
24
Update goes beyond simply articulating the principles italso describes important characteristics of principles(points of focus)
Points of focus may not be suitable or relevant, and others may be identified
Points of focus may facilitate designing, implementing, and conducting internalcontrol
There is no requirement to separately assess whether points of focus are in
place
Control Environment 1. The organization demonstrates a commitment tointegrity and ethical values.
Points of Focus: Sets the Tone at the Top Establishes Standards of Conduct Evaluates Adherence to Standards of Conduct Addresses Deviations in a Timely Manner
-
7/30/2019 Internal ControlIntegrated Framework
26/34
25
Update describes the role of controls to effect principles
The Framework does not prescribe controls to be selected, developed, anddeployed for effective internal control
An organizations selection of controls to effect relevant principles andassociated components is a function of management judgment based onfactors unique to the entity
A major deficiency in a component or principle cannot be mitigated to anacceptable level by the presence and functioning of other components andprinciples
However, understanding and considering how controls effect multipleprinciples can provide persuasive evidence supporting managementsassessment of whether components and relevant principles are present andfunctioning
-
7/30/2019 Internal ControlIntegrated Framework
27/34
26
Update describes the role of controls to effect principles
Control Environment
1. The organization demonstrates a commitment to integrity andethical values.
Component
Principle
Controls effectmultiple
principles
Human Resourcesreviews allemployees annualconfirmations toassess whether standards of conduct areunderstood andadhered to
(Principle 1)
Managementreviews potentialdeviations capturedthrough thewhistleblower hot-line and theunderlying data andinformation
(Principle 13)
Internal Auditseparately evaluatesthe controlenvironment,consideringemployee behaviorsand whistleblower hotline results andreports thereon
(Principles 16 & 17)
-
7/30/2019 Internal ControlIntegrated Framework
28/34
27
Illustrative Documents:- Illustrative Tools for Assessing Effectiveness of
a System of Internal Control
- Internal Control over External Financial
Reporting: A Compendium of Approaches and
Examples
-
7/30/2019 Internal ControlIntegrated Framework
29/34
28
Transition & Impact
-
7/30/2019 Internal ControlIntegrated Framework
30/34
29
Transition & Impact
Users are encouraged to transition applications and related documentation tothe updated Framework as soon as feasible
Updated Framework will supersede original Framework at the end of thetransition period (i.e., December 15, 2014)
During the transition period, external reporting should disclose whether theoriginal or updated version of the Framework was used
Impact of adopting the updated Framework will vary by organization
Does your system(s) of internal control need to address changes in business? Does your system(s) of internal control need to be updated to address all principles? Does your organization apply and interpret the original Framework in the same
manner as COSO? Is your organization considering new applications to cover new objectives?
-
7/30/2019 Internal ControlIntegrated Framework
31/34
30
Transition & Impact (continued)
The principles-based approach provides flexibility in applying theFramework to multiple, overlapping objectives across the entity
Easier to see what is covered and what is missing Focus on principles may reduce likelihood of considering something thats
irrelevant Understanding the importance of specifying suitable objectives focuses on
those risks and controls most important to achieving these objectives.
Focusing on areas of risk that exceed acceptance levels or need to bemanaged across the entity may reduce efforts spent mitigating risks inareas of lesser significance.
Coordinating efforts for identifying and assessing risks across multiple,overlapping objectives may reduce the number of discrete risks assessedand mitigated.
-
7/30/2019 Internal ControlIntegrated Framework
32/34
31
Transition & Impact (continued)
Selecting, developing, and deploying controls to effect multiple principlesmay also reduce the number of discrete, layered-on controls.
Applying an integrated approach to internal control - encompassingoperations, reporting, and compliance may lessen complexity.
In assessing severity of internal control deficiencies, use only the relevantclassification criteria as set out in the Framework or by regulators, standard-setting bodies, and other relevant third parties, as appropriate.
-
7/30/2019 Internal ControlIntegrated Framework
33/34
-
7/30/2019 Internal ControlIntegrated Framework
34/34
Questions?
The Institute of Internal Auditors
Richard Chambers, CIA, CGAP, CCSA, CRMAPresident & Chief Executive Officer [email protected]
@RFChambers
mailto:[email protected]:[email protected]