Changes to the Internal Control Integrated Framework
Cliff Flood

Discussion Items
• Historical Analysis
• Overview of the 2013 Integrated Framework
• Changes to the 2015 AICFR

Historical Analysis

• In the mid-70s, the SEC investigates questionable or illegal payments by U.S. companies to foreign government officials, politicians, and political parties
  – Results in The Foreign Corrupt Practices Act of 1977

• In the spring of 1985, Congress conducts hearings regarding fraudulent financial reporting as a result of company failures in the early 80s
  – The accounting and auditing professions were under the spotlight

• As a result, accounting and auditing professional associations came together in June 1985 to sponsor a National Commission on Fraudulent Financial Reporting
  – Treadway Commission
  – Committee of Sponsoring Organizations
    • American Accounting Association
    • American Institute of Certified Public Accountants
    • Institute of Management Accountants
    • The Institute of Internal Auditors
    • Financial Executives International

• In Oct 1987, COSO releases The Report of the National Commission on Fraudulent Financial Reporting
  – Recommendations
    • For the Public Company
    • For the Independent Public Accountant
    • For the Oversight, Regulatory and Legal Environment
    • For Education

Recommendations for the Public Company
  – Establish a Good Control Environment and Tone at the Top
  – Assess Risk and Establish Internal Controls
  – Improve Accounting and Internal Audit Functions
  – Establish Independent Audit Committees
  – Report Management Responsibilities
COSO to Provide Guidance on Internal Control

Detail Recommendations for the Independent Public Accountant
  – Recognize responsibility
  – Improve detection capabilities
  – Improve audit quality
  – Communicate the auditor’s role
Is complimentary of the exposure drafts on the AICPA Expectation Gap auditing standards

Detail Recommendations for Oversight, Regulatory and Legal Environment
  – Improve SEC Enforcement Remedies
  – Increase Criminal Prosecution
  – Improve Regulation of the Public Accounting Profession
  – Enhance Enforcement by the State Boards of Accountancy

Detail Recommendations for Education
  – Business and Accounting Curricula
  – Professional Certification Examinations and Continuing Education

• In Apr 1988, the AICPA issues its Expectation Gap Standards
  – SAS 53 The Auditor’s Responsibility to Detect and Report Errors and Irregularities
  – SAS 54 Illegal Acts by Clients
  – SAS 55 Consideration of Internal Control in a Financial Statement Audit
  – SAS 56 Analytical Procedures
  – SAS 57 Auditing Accounting Estimates
  – SAS 58 Reports on Audited Financial Statements
  – SAS 59 The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern
  – SAS 60 Communication of Internal Control Related Matters Noted in an Audit
  – SAS 61 Communication With Audit Committees

• In Sep 1992, COSO completes its study and publishes the Internal Control Integrated Framework
  – Defines Internal Control
    • Is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to operations, reporting and compliance
  – Identifies Five Components for Internal Control
    • Control Environment
    • Risk Assessment
    • Control Activities
    • Information and Communication
    • Monitoring Activities

• BANG!!!! In Oct 2001, the Enron failure occurs
  – Major issues discovered in the accounting and auditing practices of Enron
  – Arthur Andersen was found guilty of illegally destroying documents relevant to the SEC investigation, which voided its license to audit public companies
  – Was the basis for new regulation and legislation to enhance the accuracy of financial reporting for public companies

• July 2002 Sarbanes-Oxley Act
  – Title I – Public Company Accounting Oversight Board
  – Title II – Auditor Independence
    • Section 201 – Public accounting firms are prohibited from performing non-audit services to financial statement audit clients
    • Section 204 – Public accounting firms must report to the audit committee
  – Title III – Corporate Responsibility
    • Section 301 – Audit Committee requirements
    • Section 302 – CEO and CFO certifications
  – Title IV – Enhanced Financial Disclosures
    • Section 404 – Each annual report shall contain an internal control report (an assessment by management with attestation and reporting by the public accounting firm)
    • Section 407 – At least one member of the audit committee must be a “financial expert”

2013 Integrated Framework

• The COSO integrated framework is widely used by companies and organizations to evaluate their internal controls and for the Section 404 assessment and audit required by SOX
• Due to the many changes over the past 20 years since the 1992 release of the original guidance, COSO released the 2013 update

• 17 principles have been added to clarify the required considerations related to each of the five components of internal control
  – In addition to the considerations from the 1992 version, consideration of change risk as well as fraud risk has been added

• Individual assessments are now required for each component and each relevant principle
• In addition, an overall assessment is required to determine whether the five components and relevant principles are working together

• The new release provides considerable guidance, considerations and examples. The new release includes the following publications:
  – An Executive Summary
  – The 2013 Internal Control – Integrated Framework
  – Illustrative Tools for Assessing Effectiveness of Internal Controls
  – Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
• The revised guidance is effective for periods ending after December 31, 2014

Reporting and Deficiencies in Internal Control
  – When a major deficiency exists, the integrated framework indicates that an organization cannot conclude that it has met the requirements for an effective system of internal control
  – A major deficiency in one component cannot be mitigated by the presence and functioning of another component
  – A major deficiency in a relevant principle cannot be mitigated by the presence and functioning of other principles

• Under the Integrated Framework, each relevant principle and component is evaluated based on the consideration of Points of Focus
  – Points of focus provide attributes, conditions or control characteristics that are associated with the various relevant principles and components

• The Control Environment – Principle 1
  The organization demonstrates a commitment to integrity and ethical values
  Points of Focus
  – Tone at the Top
  – Standards of Conduct
  – Adherence to Standards of Conduct

• The Control Environment – Principle 2
  The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
  Points of Focus
  – Has Oversight Responsibilities
  – Has Relevant Expertise
  – Is Independent
  – Exercises Oversight of the System of Internal Control

• The Control Environment – Principle 3
  Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
  Points of Focus
  – Establishes the Organizational Structure
  – Authorizes Reporting Relationships
  – Determines Authorities and Responsibilities

• The Control Environment – Principle 4
  The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
  Points of Focus
  – Establishes Human Resource Policies and Practices
  – Requires Competence and Addresses Shortcomings
  – Attracts, Develops, and Retains Individuals

• The Control Environment – Principle 5
  The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
  Points of Focus
  – Has a Performance Management Program
  – Performance is Evaluated
  – Performance Measures, Incentives, and Rewards are Evaluated
  – As necessary, Individuals are Disciplined

• The Risk Assessment – Principle 6
  The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
  Points of Focus (External Financial Reporting)
  – Complies with Appropriate Accounting Standards
  – Considers Risk Tolerance / Materiality
  – Considers Related Business Processes

• The Risk Assessment – Principle 7
  The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
  Points of Focus
  – Determines risk at the appropriate levels of the organization
  – Considers Internal and External Factors
  – Consults Appropriate Levels of Management
  – Identifies Risks
  – Determines Risk Response

• The Risk Assessment – Principle 8
  The organization considers the potential for fraud in assessing risks to the achievement of objectives
  Points of Focus
  – Identifies Instances or Potential for Fraud
  – Considers Incentives and Pressures
  – Considers Opportunities
  – Considers Attitudes and Rationalizations

• The Risk Assessment – Principle 9
  The organization identifies and assesses changes that could significantly impact the system of internal control
  Points of Focus
  – Identifies and Evaluates Changes
  – Considers Changes in Accounting Requirements, Technology and Funding
  – Considers Changes in Leadership

• Ways that Fraudulent Reporting Can Occur
  • Fraud schemes
  • Unusual or complex transactions
  • Overrides
  • Opportunities for inappropriate acts
  • Attitudes

• The most common fraud techniques as reported in the 2010 COSO Fraudulent Financial Reporting Study Report include
  – Improper revenue recognition
  – Overstatement of existing assets or capitalization of expenses

• Types of Risk Response
  – Acceptance
  – Avoidance
  – Reduction
  – Sharing

• Control Activities – Principle 10
  The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
  Points of Focus
  – Interacts with the Risk Assessment
  – Considers Factors that are Specific to the Entity
  – Considers Relevant Business Processes
  – Considers Various Control Activity Types
  – Addresses Segregation of Duties

• Control Activities – Principle 11
  The organization selects and develops general control activities over technology to support the achievement of objectives
  Points of Focus
  – Considers the Use of Technology in the Organization’s Business Processes and Technology General Controls
  – Policies and Procedures Relative to Technology Infrastructure and General Controls
  – Policies and Procedures Relative to Technology and Data Security Management
  – Policies and Procedures Relative to Oversight and Direction over Technology Acquisition, Development, and Maintenance Processes

• Control Activities – Principle 12
  The organization deploys control activities through policies that establish what is expected and procedures that put policy into action
  Points of Focus
  – Establishment of Policies and Procedures
  – Establishment of Responsibility and Accountability to ensure Policies and Procedures are Adhered to and are Performed Timely
  – Control Activities are Assigned and Performed by Competent Personnel

• Types of Control Activities
  – Authorizations and Approvals
  – Verifications and Reviews
  – Physical Controls
  – Reconciliations
  – Supervisory Controls
  – Segregating Duties

• Information and Communication – Principle 13
  The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
  Points of Focus
  – Identifies Informational Needs and Crosswalk Requirements
  – Information is Accessible and Protected
  – Information is Provided Timely and is Current
  – Information is Accurate and Verifiable

• Information and Communication – Principle 14
  The organization internally communicates information, including objectives, and responsibilities for internal control, necessary to support the functioning of internal control
  Points of Focus
  – Policies and Procedures are Properly Authorized and Communicated
  – Communication Lines Relative to the Oversight and Execution of the Policies and Procedures are Established
  – Methods of Communication are Appropriate

• Information and Communication – Principle 15
  The organization communicates with external parties regarding matters affecting the functioning of internal control
  Points of Focus
  – Evaluates and Uses Communication with External Parties and Inbound Communication
  – Interacts with Appropriate Senior Management Levels, the Internal Auditor and Board of Trustees regarding external audit matters and the functioning of internal control

• Monitoring Activities – Principle 16
  The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
  Points of Focus
  – Applies Ongoing and Separate Evaluations
  – Performs Reconciliations
  – Performs Validation Procedures
  – Considers Analytical Review Techniques
  – Requires Reviews by Knowledgeable Personnel
  – Monitoring is Integrated with the Business Processes

• Monitoring Activities – Principle 17
  The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
  Points of Focus
  – Determines Adherence to Established Controls
  – Determines and Communicates Deficiencies
  – Establishes and Monitors Corrective Action

• What are Ongoing Monitoring Activities
  – Reconciliations
  – Analysis and Review of Accounts or Transactions
  – Scanning of Accounts or Transactions
  – Controller Monthly Verification of Key Account Reconciliations
  – Communication with Functional or Departmental Units Regarding Accuracy of Activities or Accounts
  – Review and Approval of Journal Entries
  – System Test for Duplicate Payments

• What are Separate Evaluations
  – Internal Audits
  – External Audits
  – UNC Monitoring Visits
  – Functional Compliance Reviews
  – Comparisons to Peer Institutions / Tier Institutions UNC System Average
  – Compliance Checklists

• What are the Limitations Related to the Effectiveness of Internal Controls
  – Human judgment in decision making can be faulty or subject to bias
  – Unintentional misstatements due to human failures
  – Management overrides
  – Circumvention of controls through collusion
  – Matters or events beyond the organization’s control

Changes to the 2015 AICFR

• Change and fraud risk are already incorporated in the assessment document but need to be evaluated for enhancement
• Need to incorporate the 17 principles
• As checklist items, the Points of Focus are already part of the assessment document, so expect limited change in this area
• The objectives of the assessment need to be articulated, as well as materiality considerations, risk identification, and risk response
• Changes to the standards and procedural guidance need to be evaluated
• Need to consider risk related to bond ratings, continuing disclosures and changes to them
• Need to consider adding control activities for debt, endowment and investment functions
• Need to articulate the importance of the Internal Audit role and communication with the audit committee
• Need to evaluate adding the new assessment statements and identification of deficiencies as it relates to the new COSO requirements

Timeline on the 2015 AICFR

• Gap analysis in December
• Draft changes in January
• Work with Advisory Team in February (include Controller, Internal Control Officer and Internal Auditor)
• Finalize by March

Questions?