COSO Control Framework - The Institute of Internal Auditors

A Framework for Control
COSO’s five components of internal control and questions too important to ignore
www.theiia.org

What is COSO?
COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is a private sector initiative established in 1985 by five financial professional associations.

Who?
• The Institute of Internal Auditors
• American Institute of Certified Public Accountants
• American Accounting Association
• Institute of Management Accountants
• Financial Executives Institute

Why?
COSO’s goal is to improve the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control.

Definition of Internal Control
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

Categories of Internal Control
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Components of Internal Control
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring

Ask the Right Internal Control Questions about:

ETHICS
1. Do board members and senior executives set a day-in, day-out example of high integrity and ethical behavior?
2. Is there a written code of conduct for employees, and is it reinforced by training, top-down communications, and requirements for periodic written statements of compliance from key employees?
3. Are performance and incentive compensation targets reasonable and realistic, or do they create undue pressure on achievement of short-term results?
4. Is it clear that fraudulent financial reporting at any level and in any form will not be tolerated?
5. Are ethics woven into criteria that are used to evaluate individual and business unit performance?
6. Does management react appropriately when receiving bad news from subordinates and business units?
7. Does a process exist to resolve close ethical calls?
8. Are business risks identified and candidly discussed with the board of directors?

RISK
1. Is relevant and reliable internal and external information identified, compiled, and communicated in a timely manner to those who are positioned to act?
2. Are risks identified and analyzed, and actions taken to mitigate them?
3. Are controls in place to assure that management decisions are properly carried out?

INTERNAL CONTROL
1. Do senior and line management executives demonstrate that they accept control responsibility, not just delegate that responsibility to financial and audit staff?
2. Does management routinely monitor controls in the process of running the organization’s operations?
3. Does management clearly assign responsibilities for training and monitoring of internal controls?
4. Are periodic, systematic evaluations of control systems conducted and documented?
5. Are such evaluations conducted by personnel with appropriate responsibilities, business experience, and knowledge of the organization’s affairs?
6. Are appropriate criteria established to evaluate controls?
7. Are control deficiencies reported to higher levels of management and corrected on a timely basis?
8. Are appropriate controls built in as new systems are designed and brought on stream?

AUDIT COMMITTEES
1. Has the board recently reviewed adequacy of the audit committee’s written charter?
2. Are audit committee members functioning and, in fact, independent of management?
3. Do audit committee members possess an appropriate mix of operating and financial control expertise?
4. Does the audit committee understand and monitor the broad organizational control environment?
5. Does the audit committee oversee appropriateness, relevance, and reliability of operational and financial reporting to the board, as well as to investors and other external users?
6. Does the audit committee oversee existence of and compliance with ethical standards?
7. Does the audit committee or full board have a meaningful but challenging relationship with independent auditors, internal auditors, senior financial control executives, and key corporate and business unit operating executives?

INTERNAL AUDITING
1. Does internal auditing have the support of top management, the audit committee, and the board of directors as a whole?
2. Has the written scope of internal audit responsibilities been reviewed by the audit committee for adequacy?
3. Is the organizational relationship between internal auditing and senior executives appropriate?
4. Does internal auditing have and use open lines of communication and private access to all senior officers and the audit committee?
5. Are audit reports covering the right subjects distributed to the right people and acted upon in a timely manner?
6. Do key audit executives possess an appropriate level of expertise?

To Purchase the Framework:
Visit The IIA Bookstore at www.theiia.org

For More about the Framework:
Visit www.coso.org

A Framework for Control
This presentation was produced by
The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate and principal educator worldwide.