Chapter 6 – Internal Control

- Few activities within an organization are more important than internal control
  o Internal auditing provides genuine assurance that adequate controls are in place

Frameworks

- A framework is a body of guiding principles that form a template against which organizations can evaluate a multitude of business practices.
  o The principles are comprised of various concepts, values, assumptions, and practices intended to provide a benchmark against which an organization can assess or evaluate a particular structure, process, or environment, or a group of practices or procedures.
  o Frameworks provide a structure within which a body of knowledge and guidance fit together
- A few distinctions between ERM frameworks and frameworks specifically for internal control:
  o Both deal with risk mitigation and internal control
  o However, frameworks specifically for internal control are less strategic and more narrowly defined

Internal control frameworks

- Only three globally recognized internal control frameworks:
  o Internal Control – Integrated Framework (COSO 1992, updated in 2013)
  o Guidance on Control (CICA, 1995, “the CoCo framework”)
  o Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (Financial Reporting Council, 2014)
- COSO and CoCo have no substantial differences
  o The frameworks agree that internal control is the responsibility not only of the BoD, senior management and internal auditors, but also of each individual within the organization.
- The frameworks have the same components:
  o Control environment
  o Risk assessment
  o Control activities
  o Information and communication
  o Monitoring
- Legislation in the United States put the responsibility for internal control solely on senior management
  o Big companies had no problem
  o Very difficult for smaller companies, because:
    - It was expensive
    - They didn’t have the resources
    - It took the focus of management away from important aspects of the business
    - Limited technical resources

Definition of Internal Control

- COSO definition of internal control: a process, effected by an entity’s directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
- Internal control is:
  o Geared to the achievement of objectives in one or more separate or overlapping categories – operations, reporting and compliance
  o A process consisting of ongoing tasks and activities – a means to an end, not an end in itself
  o Effected by people
  o Able to provide reasonable assurance, but not absolute assurance, to an entity’s BoD and senior management
  o Adaptable to the entity structure
- It’s a broad definition on purpose, because:
  o It captures important concepts, providing a basis for application
  o The definition accommodates subsets of internal control

The objectives, components, and principles of internal control

- COSO: A direct relationship exists between objectives, which are what an entity strives to achieve; components (and principles), which represent what is required to achieve the objectives; and entity structure (the operating units, legal entities, and other structures)
  o The COSO Cube illustrates this relationship
- 5 integrated components, 17 supporting principles representing the fundamentals of internal control

Objectives (This seems very important – this took a big part of the lecture)

- The COSO framework sets forth three categories of objectives, which allow organizations to focus on differing aspects of internal control:
  o Operations objectives – pertain to the effectiveness and efficiency of the entity’s operations
  o Reporting objectives – pertain to internal and external financial and non-financial reporting
  o Compliance objectives – pertain to adherence to the laws and regulations to which the entity is subject

Components:

- Control Environment
  o Influences how individuals approach internal control throughout the whole organization
  o A set of standards, processes, and structures that form the basis of internal control
- Risk Assessment
  o All risks, internal and external, must be assessed
  o Setting objectives is important to be able to identify critical success factors
- Control Activities
  o The actions taken by the BoD, management and other parties to mitigate risk and increase the likelihood of achieving goals.
- Information and Communication
  o High-quality information must be communicated appropriately
  o Communication takes place in many forms: face to face, hard copy, etc.
  o The culture of the organization plays an important role in communication
- Monitoring Activities
  o Internal control systems must be monitored to remain reliable
  o Monitoring activities: evaluation is key
  o Most effective when a layered approach is implemented
  o Monitoring activities occur in all five components of internal control (control environment, risk assessment, control activities, information and communication, monitoring activities)
Internal Control Roles and Responsibilities

- Everyone in an organization has responsibility for internal control:
- Management
  o The CEO assumes primary responsibility for the system of internal control
- Board of Directors
  o Oversees management, provides direction regarding internal control, and has the responsibility of overseeing the system of internal control
  o Forms an effective governance “umbrella”
- Internal Auditors
  o Verify that management has met its responsibilities
- Other personnel
  o Everyone in the organization has responsibility for internal control

Limitations of internal control

- Internal control is implemented to mitigate risks that threaten the achievement of an organization’s objectives or to enable an organization to successfully pursue opportunities.
- However, no internal control system can ensure that objectives will be achieved
  o It cannot prevent bad judgments or decisions, or external events that can cause the organization to fail.
- The system will always have limitations, which may result from the:
  o Suitability of objectives established as a precondition to internal control
  o Reality that human judgement in decision-making can be faulty and subject to bias
  o Breakdowns that can occur because of human failures such as simple errors
  o Ability of management to override internal control
  o Ability of management, other personnel and/or third parties to circumvent controls through collusion
  o External events beyond the organization’s control

Inherent risk, controllable risk, and residual risk:

- Inherent risk: combination of internal and external risk
  o Essential to identify (at entity and activity level) for effective risk management
  o When identified: link to business objectives and related business processes
  o Assess the risks in terms of impact and likelihood. Assessment usually includes:
    - Estimating the impact of a risk
    - Assessing the likelihood (or frequency) of the risk
    - Considering how to manage the risk
- Risk appetite: the types and amounts of risk, on a broad level, an organization is willing to accept in pursuit of value
  o Excessive internal control can be too expensive
  o Balance is needed
- Tolerance: the boundaries of acceptable outcomes related to achieving business objectives
- Controllable risk: that portion of inherent risk that management can directly influence and reduce through day-to-day business activities.
- Residual risk: if residual risk exceeds the established risk appetite, then it is necessary to reevaluate the system of internal control

Viewing internal control from different perspectives

- Everyone in the organization has responsibility for internal control, but everyone also has a different view of it (the management view is different from the employee view)

Types of control

- Entity-wide control activities (entity-level)
  o A control that operates across an entire entity and, as such, is not bound by, or associated with, individual processes.
- Business process activities
  o An activity that operates within a specific process for the purpose of achieving process-level objectives
  o COSO: transaction or application controls are also part of the business process activities
- Key control: an activity designed to reduce risk associated with a critical business objective
- Secondary control: an activity designed either to reduce risk associated with business objectives that are not critical to the organization’s survival or success, or to serve as a backup to a key control
- Compensating control: an activity that, if key controls do not fully operate effectively, may help to reduce the related risk. A compensating control will not, by itself, reduce risk to an acceptable level.
- Preventative and detective controls
- Information system controls
- Specific controls can fit into several categories at the same time

Opportunities to provide insight