Presentation Materials - University of North Carolina

Changes to the Internal Control
Integrated Framework
Cliff Flood
Discussion Items
• Historical Analysis
• Overview of the 2013 Integrated Framework
• Changes to the 2015 AICFR
Historical Analysis
• In the mid 70’s, the SEC investigates
questionable or illegal payments by U.S.
companies to foreign government officials,
politicians, and political parties
– Results in The Foreign Corrupt Practices Act of
1977
Historical Analysis
• In the spring of 1985, Congress conducts
hearings regarding fraudulent financial
reporting as a result of company failures in the
early 80’s
– The accounting and auditing professions were
under the spotlight
Historical Analysis
• As a result, accounting and auditing professional
associations came together in June 1985 to
sponsor a National Commission on Fraudulent
Financial Reporting
– Treadway Commission
– Committee of Sponsoring Organizations
• American Accounting Association
• American Institute of Certified Public Accountants
• Institute of Management Accountants
• The Institute of Internal Auditors
• Financial Executives International
Historical Analysis
• In Oct 1987, COSO releases The Report of the
National Commission on Fraudulent Financial
Reporting
– Recommendations
• For the Public Company
• For the Independent Public Accountant
• For the Oversight, Regulatory and Legal Environment
• For Education
Historical Analysis
Recommendations for the Public Company
– Establish a Good Control Environment and Tone at
the Top
– Assess Risk and Establish Internal Controls
– Improve Accounting and Internal Audit Functions
– Establish Independent Audit Committees
– Report Management Responsibilities
COSO to Provide Guidance on Internal Control
Historical Analysis
Detail Recommendations for the Independent
Public Accountant
– Recognize responsibility
– Improve detection capabilities
– Improve audit quality
– Communicate the auditor’s role
Is complimentary of the exposure drafts on the
AICPA expectation GAP auditing standards
Historical Analysis
Detail Recommendations for Oversight,
Regulatory and Legal Environment
– Improve SEC Enforcement Remedies
– Increase Criminal Prosecution
– Improve Regulation of the Public Accounting
Profession
– Enhance Enforcement by the State Boards of
Accountancy
Historical Analysis
• Detail Recommendations for Education
– Business and Accounting Curricula
– Professional Certification Examinations and
Continuing Education
Historical Analysis
• In Apr 1988, the AICPA issues its Expectation Gap
Standards
– SAS 53 The Auditor’s Responsibility to Detect and
Report Errors and Irregularities
– SAS 54 Illegal Acts by Clients
– SAS 55 Consideration of Internal Control in a Financial
Statement Audit
– SAS 56 Analytical Procedures
– SAS 57 Auditing Accounting Estimates
Historical Analysis
– SAS 58 Reports on Audited Financial Statements
– SAS 59 The Auditor’s Consideration of an Entity’s
Ability to Continue as a Going Concern
– SAS 60 Communication of Internal Control Related
Matters Noted in an Audit
– SAS 61 Communication With Audit Committees
Historical Analysis
• In Sep 1992, COSO completes its study and publishes
the Internal Control Integrated Framework
– Defines Internal Control,
• Is a process, effected by an entity’s board of directors,
management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives
related to operations, reporting and compliance
– Identifies Five Components for Internal Control
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities
Historical Analysis
• BANG!!!! In Oct 2001, The Enron failure occurs
– Major issues discovered in the accounting and
auditing practices of Enron
– Arthur Andersen was found guilty of illegally
destroying documents relevant to the SEC
investigation which voided its license to audit public
companies
– Was the basis for new regulation and legislation to
enhance the accuracy of financial reporting for public
companies
Historical Analysis
• July 2002 Sarbanes Oxley Act
– Title I – Public Company Accounting Oversight Board
– Title II – Auditor Independence
• Section 201 – Public accounting firms are prohibited from
performing non-audit services to financial statement audit
clients
• Section 204 – Public accounting firms must report to the
audit committee
– Title III – Corporate Responsibility
• Section 301 – Audit Committee requirements
• Section 302 – CEO and CFO certifications
Historical Analysis
• Jul 2002 Sarbanes Oxley Act
– Title IV – Enhanced Financial Disclosures
• Section 404 – Each annual report shall contain an
internal control report (An assessment by management
with attestation and reporting by the public accounting
firm)
• Section 407 – At least one member of the audit
committee must be a “financial expert”
2013 Integrated Framework
• The COSO integrated framework is widely
used by companies and organizations to
evaluate their internal controls and for the
section 404 assessment and audit required by
SOX
• Due to the many changes over the past 20
years since the 1992 release of the original
guidance, COSO released the 2013 update
2013 Integrated Framework
• 17 principles have been added to clarify the
required considerations related to each of the
five components of internal control
– In addition to the considerations from the 1992
version, consideration of change risk as well as
fraud risk have been added
2013 Integrated Framework
• Individual assessments are now required for
each component and each relevant principle
• In addition, an overall assessment is required
to determine whether the five components
and relevant principles are working together
2013 Integrated Framework
• The new release provides for considerable guidance,
considerations and examples. The new release
includes the following publications:
– An Executive Summary
– The 2013 Internal Control – Integrated Framework
– Illustrative Tools for Assessing Effectiveness of Internal
Controls
– Internal Control over External Financial Reporting: A
Compendium of Approaches and Examples
• The revised guidance is effective for periods ending
after December 31, 2014
2013 Integrated Framework
Reporting and Deficiencies in Internal Control
– When a major deficiency exists, the integrated
framework indicates that an organization cannot
conclude that it has met the requirements for an
effective system of internal control
– A major deficiency in one component cannot be
mitigated by the presence and functioning of another
component.
– A major deficiency in a relevant principle cannot be
mitigated by the presence and functioning of other
principles
2013 Integrated Framework
• Under the Integrated Framework, Each
Relevant Principle and Component is
Evaluated Based on the Consideration of
Points of Focus.
– Points of focus provide attributes, conditions or
control characteristics that are associated with the
various relevant principles and components
2013 Integrated Framework
• The Control Environment - Principle 1
The organization demonstrates a commitment to
integrity and ethical values
Points of Focus
– Tone at the Top
– Standards of Conduct
– Adherence to Standards of Conduct
2013 Integrated Framework
• The Control Environment – Principle 2
The board of directors demonstrates independence from
management and exercises oversight of the development
and performance of internal control
Points of Focus
– Has Oversight Responsibilities
– Has Relevant Expertise
– Is Independent
– Exercises Oversight of the System of Internal Control
2013 Integrated Framework
• The Control Environment – Principle 3
Management establishes, with board oversight,
structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of
objectives
Points of Focus
– Establishes the Organizational Structure
– Authorizes Reporting Relationships
– Determines Authorities and Responsibilities
2013 Integrated Framework
• The Control Environment – Principle 4
The organization demonstrates a commitment to
attract, develop, and retain competent individuals in
alignment with objectives
Points of Focus
– Establishes Human Resource Policies and Practices
– Requires Competence and Addresses
Shortcomings
– Attracts, Develops, and Retains Individuals
2013 Integrated Framework
• The Control Environment – Principle 5
The organization holds individuals accountable for their
internal control responsibilities in the pursuit of
objectives
Points of Focus
– Has a Performance Management Program
– Performance is Evaluated
– Performance Measures, Incentives, and Rewards are
Evaluated
– As necessary, Individuals are Disciplined
2013 Integrated Framework
• The Risk Assessment – Principle 6
The organization specifies objectives with sufficient
clarity to enable the identification and assessment of
risks relating to objectives
Points of Focus (External Financial Reporting)
– Complies with Appropriate Accounting Standards
– Considers Risk Tolerance / Materiality
– Considers Related Business Processes
2013 Integrated Framework
• The Risk Assessment – Principle 7
The organization identifies risks to the achievement of its
objectives across the entity and analyzes risks as a basis for
determining how the risks should be managed
Points of Focus
– Determines risk at the appropriate levels of the
organization
– Considers Internal and External Factors
– Consults Appropriate Levels of Management
– Identifies Risks
– Determines Risk Response
2013 Integrated Framework
• The Risk Assessment – Principle 8
The organization considers the potential for fraud in
assessing risks to the achievement of objectives
Points of Focus
– Identifies Instances or Potential for Fraud
– Considers Incentives and Pressures
– Considers Opportunities
– Considers Attitudes and Rationalizations
2013 Integrated Framework
• The Risk Assessment – Principle 9
The organization identifies and assesses changes
that could significantly impact the system of internal
control
Points of Focus
– Identifies and Evaluates Changes
– Considers Changes in Accounting Requirements,
Technology and Funding
– Considers Changes in Leadership
2013 Integrated Framework
• Ways that Fraudulent Reporting Can Occur
• Fraud schemes
• Unusual or complex transactions
• Overrides
• Opportunities for inappropriate acts
• Attitudes
2013 Integrated Framework
• The most common fraud techniques as
reported in the 2010 COSO Fraudulent
Financial Reporting Study Report include
– Improper revenue recognition
– Overstatement of existing assets or capitalization
of expenses
2013 Integrated Framework
• Types of Risk Response
– Acceptance
– Avoidance
– Reduction
– Sharing
2013 Integrated Framework
• Control Activities – Principle 10
The organization selects and develops control activities
that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels
Points of Focus
– Interacts with the Risk Assessment
– Considers Factors that are Specific to the Entity
– Considers Relevant Business Processes
– Considers Various Control Activity Types
– Addresses Segregation of Duties
2013 Integrated Framework
• Control Activities – Principle 11
The organization selects and develops general control activities
over technology to support the achievement of objectives
Points of Focus
– Considers the Use of Technology in the Organization’s Business
Processes and Technology General Controls
– Policies and Procedures Relative to Technology Infrastructure
and General Controls
– Policies and Procedures Relative to Technology and Data
Security Management
– Policies and Procedures Relative to Oversight and Direction over
Technology Acquisition, Development, and Maintenance
Processes
2013 Integrated Framework
• Control Activities – Principle 12
The organization deploys control activities through policies
that establish what is expected and procedures that put policy
into action
Points of Focus
– Establishment of Policies and Procedures
– Establishment of Responsibility and Accountability to
ensure Policies and Procedures are Adhered to and are
Performed Timely
– Control Activities are Assigned and Performed by
Competent Personnel
2013 Integrated Framework
• Types of Control Activities
– Authorizations and Approvals
– Verifications and Reviews
– Physical Controls
– Reconciliations
– Supervisory Controls
– Segregating Duties
2013 Integrated Framework
• Information and Communication – Principle 13
The organization obtains or generates and uses relevant,
quality information to support the functioning of internal
control
Points of Focus
– Identifies Informational Needs and Crosswalk
Requirements
– Information is Accessible and Protected
– Information is Provided Timely and is Current
– Information is Accurate and Verifiable
2013 Integrated Framework
• Information and Communication – Principle 14
The organization internally communicates information,
including objectives, and responsibilities for internal control,
necessary to support the functioning of internal control
Points of Focus
– Policies and Procedures are Properly Authorized and
Communicated
– Communication Lines Relative to the Oversight and
Execution of the Policies and Procedures are Established
– Methods of Communication are Appropriate
2013 Integrated Framework
• Information and Communication – Principle 15
The organization communicates with external parties
regarding matters affecting the functioning of internal
control
Points of Focus
– Evaluates and Uses Communication with External
Parties and Inbound Communication
– Interacts with Appropriate Senior Management
Levels, the Internal Auditor and Board of Trustees
regarding external audit matters and the functioning
of internal control
2013 Integrated Framework
• Monitoring Activities – Principle 16
The organization selects, develops, and performs ongoing
and/or separate evaluations to ascertain whether the
components of internal control are present and functioning
Points of Focus
– Applies Ongoing and Separate Evaluations
– Performs Reconciliations
– Performs Validation Procedures
– Considers Analytical Review Techniques
– Requires Reviews by Knowledgeable Personnel
– Monitoring is Integrated with the Business Processes
2013 Integrated Framework
• Monitoring Activities – Principle 17
The organization evaluates and communicates internal
control deficiencies in a timely manner to those parties
responsible for taking corrective action, including senior
management and the board of directors, as appropriate
Points of Focus
– Determines Adherence to Established Controls
– Determines and Communicates Deficiencies
– Establishes and Monitors Corrective Action
2013 Integrated Framework
• What are Ongoing Monitoring Activities
– Reconciliations
– Analysis and Review of Accounts or Transactions
– Scanning of Accounts or Transactions
– Controller Monthly Verification of Key Account
Reconciliations
– Communication with Functional or Departmental
Units Regarding Accuracy of Activities or Accounts
– Review and Approval of Journal Entries
– System Test for Duplicate Payments
2013 Integrated Framework
• What are Separate Evaluations
– Internal Audits
– External audits
– UNC Monitoring Visits
– Functional Compliance Reviews
– Comparisons to Peer Institutions / Tier Institutions
UNC System Average
– Compliance Checklists
2013 Integrated Framework
• What are the Limitations Related to the
Effectiveness of Internal Controls
– Human judgment in decision making can be faulty or
subject to bias
– Unintentional misstatements due to human failures
– Management overrides
– Circumvention of controls through collusion
– Matters or events beyond the organization’s control
Changes to the 2015 AICFR
• Change and Fraud risk are already incorporated in the
assessment document but need to be evaluated for
enhancement
• Need to incorporate the 17 principles
• As checklist items, the Points of Focus are already part of
the assessment document so expect limited change in this
area
• The objectives of the assessment need to be articulated, as
well as materiality considerations, risk identification, and
risk response
• Changes to the standards and procedural guidance need to
be evaluated
Changes to the 2015 AICFR
• Need to consider risk related to bond ratings,
continuing disclosures and changes to them
• Need to consider adding control activities for
debt, endowment and investment functions
• Need to articulate the importance of the Internal
Audit role and communication with the audit
committee
• Need to evaluate adding the new assessment
statements and identification of deficiencies as it
relates to the new COSO requirements
Timeline on the 2015 AICFR
• GAP analysis in December
• Draft changes in January
• Work with Advisory Team in February (Include
Controller, Internal Control Officer and
Internal Auditor)
• Finalize by March
Questions?