Uploaded by Arild Andreas Holten

Chapter 6 - notes

Chapter 6 – Internal Control
- Few activities within an organization are more important than internal control
  o Internal auditing provides genuine assurance that adequate controls are in place
Frameworks
- A framework is a body of guiding principles that form a template against which organizations can evaluate a multitude of business practices.
  o The principles are comprised of various concepts, values, assumptions, and practices intended to provide a benchmark against which an organization can assess or evaluate a particular structure, process, or environment, or a group of practices or procedures.
  o Frameworks provide a structure within which a body of knowledge and guidance fit together
- A few distinctions between ERM frameworks and frameworks specifically for internal control:
  o Both deal with risk mitigation and internal control
  o However, frameworks specifically for internal control are less strategic and more narrowly defined
Internal control frameworks
- Only three globally recognized internal control frameworks:
  o Internal Control – Integrated Framework (COSO 1992, updated in 2013)
  o Guidance on Control (CICA, 1995, “the CoCo framework”)
  o Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (Financial Reporting Council, 2014)
- COSO and CoCo have no substantial differences
  o The frameworks agree that internal control is the responsibility not only of the BoD, senior management and internal auditors, but also of each individual within the organization.
- The frameworks have the same components:
  o Control environment
  o Risk assessment
  o Control activities
  o Information and communication
  o Monitoring
- Legislation in the United States put the responsibility for internal control solely on senior management
  o Big companies had no problem
  o Very difficult for smaller companies, because
     It was expensive
     They didn’t have the resources
     It took the focus of management away from important aspects of the business
     Limited technical resources
Definition of Internal Control
- COSO definition of Internal Control: a process, effected by an entity’s directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
- Internal control is
  o Geared to the achievement of objectives in one or more separate or overlapping categories – operations, reporting and compliance
  o A process consisting of ongoing tasks and activities – a means to an end, not an end in itself
  o Effected by people
  o Able to provide reasonable assurance, but not absolute assurance, to an entity’s BoD and senior management
  o Adaptable to the entity structure
- It’s a broad definition on purpose, because
  o It captures important concepts, providing a basis for application
  o The definition accommodates subsets of internal control
The objectives, components, and principles of internal control
- COSO: A direct relationship exists between objectives, which are what an entity strives to achieve, components (and principles), which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures)
  o The COSO Cube can illustrate the relationship
- 5 integrated components and 17 supporting principles representing the fundamentals of internal control
Objectives (This seems very important – this took a big part of the lecture)
- The COSO framework sets forth three categories of objectives, which allow all organizations to focus on differing aspects of internal control:
  o Operations objectives – pertain to the effectiveness and efficiency of the entity’s operations
  o Reporting objectives – pertain to internal and external financial and non-financial reporting
  o Compliance objectives – pertain to adherence to the laws and regulations to which the entity is subject
Components:
- Control Environment
  o Influences how individuals approach internal control, throughout the whole organization
  o A set of standards, processes, and structures that form the basis of internal control
- Risk Assessment
  o All risks, internal and external, must be assessed
  o Setting objectives is important to be able to identify critical success factors
- Control Activities
  o The actions taken by the BoD, management and other parties to mitigate risk and increase the likelihood of achieving goals.
- Information and Communication
  o High-quality information must be communicated appropriately
  o Communication takes place in many forms: face to face, hard copy etc.
  o The culture of the organization plays an important role in communication
- Monitoring Activities
  o Internal control systems must be monitored to remain reliable
  o Monitoring activities: evaluation is key
  o Most effective when a layered approach is implemented
  o Monitoring activities occur in all five components of internal control (control environment, risk assessment, control activities, information and communication, monitoring activities)
Internal Control Roles and Responsibilities
Everyone in an organization has responsibility for internal control:
- Management
  o The CEO assumes primary responsibility for the system of internal control
- Board of Directors
  o Oversees management, provides direction regarding internal control, and has the responsibility of overseeing the system of internal control
  o Forms an effective governance “umbrella”
- Internal Auditors
  o Verify that management has met its responsibilities for internal control
- Other personnel
  o Everyone in the organization has responsibility for internal control
Limitations of internal control
- Internal control is implemented to mitigate risks that threaten the achievement of an organization’s objectives or to enable an organization to successfully pursue opportunities.
- However, no internal control system can ensure that objectives will be achieved
  o It cannot prevent bad judgments or decisions, or external events that can cause the organization to fail.
- The system will always have limitations, which may result from the:
  o Suitability of objectives established as a precondition to internal control
  o Reality that human judgement in decision-making can be faulty and subject to bias
  o Breakdowns that can occur because of human failures such as simple errors
  o Ability of management to override internal control
  o Ability of management, other personnel and/or third parties to circumvent controls through collusion
  o External events beyond the organization’s control
Inherent risk, controllable risk, and residual risk:
- Inherent risk: combination of internal and external risk
  o Essential to identify (at entity and activity level) for effective risk management
  o When identified: link to business objectives and related business processes
  o Assess the risks in terms of impact and likelihood. Assessment usually includes:
     Estimating the impact of a risk
     Assessing the likelihood (or frequency) of the risk
     Considering how to manage the risk
- Risk appetite: the types and amounts of risk, on a broad level, an organization is willing to accept in pursuit of value
- Excessive internal control can be too expensive
  o Balance is needed
- Tolerance: the boundaries of acceptable outcomes related to achieving business objectives
- Controllable risk: that portion of inherent risk that management can directly influence and reduce through day-to-day business activities.
- If residual risk exceeds the established risk appetite, then it is necessary to reevaluate the system of internal control
Viewing internal control from different perspectives
- Everyone in the organization has responsibility for internal control, but everyone also has a different view of it (management’s view is different from an employee’s view)
Types of control
- Entity-wide control activities (entity-level)
  o A control that operates across an entire entity and, as such, is not bound by, or associated with, individual processes.
- Business process activities
  o An activity that operates within a specific process for the purpose of achieving process-level objectives
  o COSO: also transaction or application controls as part of the business process activities
- Key control: an activity designed to reduce risk associated with a critical business objective
- Secondary control: an activity designed to either reduce risk associated with business objectives that are not critical to the organization’s survival or success, or serve as a backup to a key control
- Compensating control: an activity that, if key controls do not fully operate effectively, may help to reduce the related risk. A compensating control will not, by itself, reduce risk to an acceptable level.
- Preventative and detective controls
- Information system controls
- Specific controls can fit into several categories at the same time
Opportunities to provide insight