
COSO - An Internal Control Framework

CONTROLLING RISKS - REACHING GOALS. Prepared by Michael Paul, CGFM. Landmark report commissioned by the Committee on Sponsoring Organizations of the Treadway Commission (COSO).

sshumaker
Presentation Transcript


  1. COSO - An Internal Control Framework CONTROLLING RISKS - REACHING GOALS Prepared by Michael Paul, CGFM

  2. COSO - An Internal Control Framework • landmark report commissioned by the Committee on Sponsoring Organizations of the Treadway Commission (COSO). • Basis of State Comptroller’s guidance for chapter 647.

  3. Why Internal Control? • Managers need to meet objectives of their unit • Risks exist to meeting those objectives • Controls minimize those risks • Managers, not accountants, are ultimately responsible for this.

  4. OBJECTIVES, RISKS, CONTROLS: • Compliance with laws, regulations, policy and procedures • Accomplishment of mission • Reliability of information • Efficient and effective use of resources • Safeguarding of assets

  5. OBJECTIVES, RISKS, CONTROLS • Compliance • Reliability • Accomplishment of mission • Efficiency and effectiveness • Safeguarding of assets • COSO combines into • Effectiveness and efficiency of operations

  6. OBJECTIVES, RISKS, CONTROLS • Define the risks • Evaluate each risk • likelihood • cost of loss • duration and its side effects • Prioritize

  7. OBJECTIVES, RISKS, CONTROLS • We have risk • We have identified it • Measured it • Prioritized it • How to diminish it? ACTION

  8. Control worksheet (example)

  9. COSO: 5 Control Elements • 1. Control Activities* • 2. Risk Assessment • 3. Information & communication • 4. Monitoring • 5. Control Environment • INTERNAL CONTROLS * what most people think IC means

  10. To create IC’s… • PPR Objectives: “CARES”- Compliance with rules, Accomplishment of mission, Reliability of information, Efficiency, Safeguarding assets • Risk: Define, Evaluate, Prioritize, Diminish • Controls: “CRIMES”- Control activities, Risk Assessment, Information & Communication, Monitoring, Control Environment • Across each function and units

  11. The COSO NET apply to each function in each unit

  12. ENVIRONMENT • Integrity & Ethical values • Commitment to Competence • Board participation • Management style • Organizational structure • Assignment of authority and responsibility • Human resources practices

  13. RISK • Changes in operating environment • New personnel • New information systems • Rapid growth • New technology, new services, activities • Restructurings • New accounting procedures or rules

  14. RISK OF PROBLEM GOING UNDETECTED • INHERENT (the item itself) + CONTROL (controls malfunction) + DETECTION (detection missed by auditors) = RISK

  15. Control Risk “Events” • Management and auditors thoroughly brainstorm scenarios of what could go wrong in each process. (fraud, waste, abuse, errors, etc.) • Do these before you create controls … or try to assess if they are effective

  16. ACTIVITIES* “Hard controls” • Transactions only as authorized by management • All transactions are recorded for reporting & accountability • Segregation of: Authorization, Asset Custody, Record keeping • Periodic counts and reconciliation of records to assets; action on variances • Physical controls over access to assets and records • Reports of budget or prior period vs. actual • EDP requires checks of accuracy, completeness and authorization of transactions • Activities not the whole picture… * what most people think IC means

  17. MONITORING 3 ways: • Normal routine actions • Internal auditors • External audits and reviews

  18. INFORMATION & COMMUNICATION • Enable us to capture & exchange info to conduct, manage and control operations • Accounting system: GL and sub-ledgers • Training & supervision • Procedure manuals • Feedback… Fraud Hot lines

  19. Benefits of COSO • Big Picture - organization wide, efficiency, etc. • Soft Controls as well - trust, management style, understanding of procedures, etc. • Better Quality • Controls integrated with the rest of the business • Balance of cost vs. benefit

  20. CAVEATS... • Don’t go wild. COSO is one way to approach IC. • Use it as new controls are added or as questions arise • COSO is a mind-set. Keep these ideas in mind as controls are addressed • COSO is used wholesale mostly in large corporate settings with internal audit departments, able to do a business-wide Control Self-Assessment.

  21. So… • Don’t worry, be happy?.... Or • an ounce of prevention is worth a pound of cure

  22. COSO AICPA: “This landmark report was commissioned by the Committee on Sponsoring Organizations of the Treadway Commission (COSO). It establishes a common definition of internal control that services the needs of different parties for assessing and improving their control systems. COSO's groundbreaking report includes: • Executive Summary • Framework • Reporting to External Parties • Evaluation Tools. The Addendum to Reporting to External Parties is also included. It: "encourages management that reports to external parties on controls over financial reporting to also cover controls over safeguarding of assets against unauthorized acquisition, use, or disposition." It defines such controls and provides a suggested form of report. Five Evaluation Tools are now available on disk, one for each of the internal control components identified in Integrated Framework for Internal Control. Columnar MS Word templates contain internal control risks, objectives, components and elements with spaces and columns for management or other evaluators to record their assessments, observations and conclusions. “Everyone in your firm or company who works with internal controls should have his or her own copy.” https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/Sub+1/Internal+Control+-+Integrated+Framework.htm
