Internal Control COSO’s Framework Committee of Sponsoring Organizations • 1992 issued a white paper on internal control • Since this time, this framework has been incorporated into US auditing standards Internal control that provides reasonable assurance regarding achievement of objectives in the following categories. • Effective and efficient operations • Reliable financial reporting • Compliance with applicable laws and regulations Components of Internal Control • • • • • Control Environment Risk Assessment Control Activities Information and Communication Monitoring Control Environment • Integrity and ethical values • Commitment to competence • Participation of board of directors or audit committee • Management’s philosophy and operating style • Organizational structure • Assignment of authority and responsibilities • Human resource policies and practices Risk Assessment • Changes may occur in the operating environment • New personnel may become involved • Information systems may change • Rapid growth • New technologies • New products or services • Restructuring • Foreign operations • New accounting pronouncements Control Activities • • • • • • Segregation of duties Proper authorization Assets safeguarded Compare actual to books Employees of integrity Record properly and on a timely basis Information and Communication • Identify and record all valid transactions • Provide timely description of transactions • Properly measure transactions • Record transactions in a timely manner Monitoring Assess controls on a timely basis and make modifications when appropriate. Use internal auditors to review Test controls Other factors to consider • • • • Size of organization Ownership characteristics Nature of business Diversity and complexity of activities • Data processing methods • Legal and regulatory environment of the business Under Sarbanes Oxley Act • CEO and CFO certification • Internal control report • Document system so others can review • SEC will review every 3 years CEO, CFO Certification • Explicitly must evaluate and report on effectiveness of internal control • Disclose to audit committee any material deficiencies in financial controls • Report any changes in IC • Report any corrective actions CEO, CFO Report • Assess effectiveness within 90 days of filing dates • Design disclosure controls and procedures “ ..are intended to cover a broader range of information than is covered by internal controls related to financial reporting.. They are intended to ensure that an issuer maintains commensurate procedures for gathering, analyzing and disclosing all information that is required to be disclosed…” Internal Control Report • A part of annual report • Management responsible for internal control • States a conclusion on the effectiveness of IC • External auditor has to attest to company’s internal control under PCAOB rules