
Changes to the Internal Control Integrated Framework

Cliff Flood


Discussion Items
• Historical Analysis
• Overview of the 2013 Integrated Framework
• Changes to the 2015 AICFR


Historical Analysis
• In the mid 70’s, the SEC investigates questionable or illegal payments by U.S. companies to foreign government officials, politicians, and political parties
  – Results in The Foreign Corrupt Practices Act of 1977


Historical Analysis
• In the spring of 1985, Congress conducts hearings regarding fraudulent financial reporting as a result of company failures in the early 80’s
  – The accounting and auditing professions were under the spotlight


Historical Analysis
• As a result, accounting and auditing professional associations came together in June 1985 to sponsor a National Commission on Fraudulent Financial Reporting – Treadway Commission
  – Committee of Sponsoring Organizations
    • American Accounting Association
    • American Institute of Certified Public Accountants
    • Institute of Management Accountants
    • The Institute of Internal Auditors
    • Financial Executives International


Historical Analysis
• In Oct 1987, COSO releases The Report of the National Commission on Fraudulent Financial Reporting
  – Recommendations
    • For the Public Company
    • For the Independent Public Accountant
    • For the Oversight, Regulatory and Legal Environment
    • For Education


Historical Analysis
Recommendations for the Public Company
  – Establish a Good Control Environment and Tone at the Top
  – Assess Risk and Establish Internal Controls
  – Improve Accounting and Internal Audit Functions
  – Establish Independent Audit Committees
  – Report Management Responsibilities
COSO to Provide Guidance on Internal Control


Historical Analysis
Detail Recommendations for the Independent Public Accountant
  – Recognize responsibility
  – Improve detection capabilities
  – Improve audit quality
  – Communicate the auditor’s role
Is complimentary of the exposure drafts on the AICPA expectation GAP auditing standards


Historical Analysis
Detail Recommendations for Oversight, Regulatory and Legal Environment
  – Improve SEC Enforcement Remedies
  – Increase Criminal Prosecution
  – Improve Regulation of the Public Accounting Profession
  – Enhance Enforcement by the State Boards of Accountancy


Historical Analysis
• Detail Recommendations for Education
  – Business and Accounting Curricula
  – Professional Certification Examinations and Continuing Education


Historical Analysis
• In Apr 1988, the AICPA issues its Expectation Gap Standards
  – SAS 53 The Auditor’s Responsibility to Detect and Report Errors and Irregularities
  – SAS 54 Illegal Acts by Clients
  – SAS 55 Consideration of Internal Control in a Financial Statement Audit
  – SAS 56 Analytical Procedures
  – SAS 57 Auditing Accounting Estimates


Historical Analysis
  – SAS 58 Reports on Audited Financial Statements
  – SAS 59 The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern
  – SAS 60 Communication of Internal Control Related Matters Noted in an Audit
  – SAS 61 Communication With Audit Committees


Historical Analysis
• In Sep 1992, COSO completes its study and publishes the Internal Control Integrated Framework
  – Defines Internal Control
    • Is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to operations, reporting and compliance
  – Identifies Five Components for Internal Control
    • Control Environment
    • Risk Assessment
    • Control Activities
    • Information and Communication
    • Monitoring Activities


Historical Analysis
• BANG!!!! In Oct 2001, the Enron failure occurs
  – Major issues discovered in the accounting and auditing practices of Enron
  – Arthur Andersen was found guilty of illegally destroying documents relevant to the SEC investigation which voided its license to audit public companies
  – Was the basis for new regulation and legislation to enhance the accuracy of financial reporting for public companies


Historical Analysis
• July 2002 Sarbanes Oxley Act
  – Title I – Public Company Accounting Oversight Board
  – Title II – Auditor Independence
    • Section 201 – Public accounting firms are prohibited from performing non-audit services to financial statement audit clients
    • Section 204 – Public accounting firms must report to the audit committee
  – Title III – Corporate Responsibility
    • Section 301 – Audit Committee requirements
    • Section 302 – CEO and CFO certifications


Historical Analysis
• Jul 2002 Sarbanes Oxley Act
  – Title IV – Enhanced Financial Disclosures
    • Section 404 – Each annual report shall contain an internal control report (An assessment by management with attestation and reporting by the public accounting firm)
    • Section 407 – At least one member of the audit committee must be a “financial expert”


2013 Integrated Framework
• The COSO integrated framework is widely used by companies and organizations to evaluate their internal controls and for the section 404 assessment and audit required by SOX
• Due to the many changes over the past 20 years since the 1992 release of the original guidance, COSO released the 2013 update


2013 Integrated Framework
• 17 principles have been added to clarify the required considerations related to each of the five components of internal control
  – In addition to the considerations from the 1992 version, consideration of change risk as well as fraud risk has been added


2013 Integrated Framework
• Individual assessments are now required for each component and each relevant principle
• In addition, an overall assessment is required to determine whether the five components and relevant principles are working together


2013 Integrated Framework
• The new release provides considerable guidance, considerations and examples. The new release includes the following publications:
  – An Executive Summary
  – The 2013 Internal Control – Integrated Framework
  – Illustrative Tools for Assessing Effectiveness of Internal Controls
  – Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
• The revised guidance is effective for periods ending after December 31, 2014


2013 Integrated Framework
Reporting and Deficiencies in Internal Control
  – When a major deficiency exists, the integrated framework indicates that an organization cannot conclude that it has met the requirements for an effective system of internal control
  – A major deficiency in one component cannot be mitigated by the presence and functioning of another component
  – A major deficiency in a relevant principle cannot be mitigated by the presence and functioning of other principles


2013 Integrated Framework
• Under the Integrated Framework, Each Relevant Principle and Component is Evaluated Based on the Consideration of Points of Focus
  – Points of focus provide attributes, conditions or control characteristics that are associated with the various relevant principles and components


2013 Integrated Framework
• The Control Environment – Principle 1
The organization demonstrates a commitment to integrity and ethical values
Points of Focus
  – Tone at the Top
  – Standards of Conduct
  – Adherence to Standards of Conduct


2013 Integrated Framework
• The Control Environment – Principle 2
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
Points of Focus
  – Has Oversight Responsibilities
  – Has Relevant Expertise
  – Is Independent
  – Exercises Oversight of the System of Internal Control


2013 Integrated Framework
• The Control Environment – Principle 3
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
Points of Focus
  – Establishes the Organizational Structure
  – Authorizes Reporting Relationships
  – Determines Authorities and Responsibilities


2013 Integrated Framework
• The Control Environment – Principle 4
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
Points of Focus
  – Establishes Human Resource Policies and Practices
  – Requires Competence and Addresses Shortcomings
  – Attracts, Develops, and Retains Individuals


2013 Integrated Framework
• The Control Environment – Principle 5
The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
Points of Focus
  – Has a Performance Management Program
  – Performance is Evaluated
  – Performance Measures, Incentives, and Rewards are Evaluated
  – As necessary, Individuals are Disciplined


2013 Integrated Framework
• The Risk Assessment – Principle 6
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
Points of Focus (External Financial Reporting)
  – Complies with Appropriate Accounting Standards
  – Considers Risk Tolerance / Materiality
  – Considers Related Business Processes


2013 Integrated Framework
• The Risk Assessment – Principle 7
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
Points of Focus
  – Determines risk at the appropriate levels of the organization
  – Considers Internal and External Factors
  – Consults Appropriate Levels of Management
  – Identifies Risks
  – Determines Risk Response


2013 Integrated Framework
• The Risk Assessment – Principle 8
The organization considers the potential for fraud in assessing risks to the achievement of objectives
Points of Focus
  – Identifies Instances or Potential for Fraud
  – Considers Incentives and Pressures
  – Considers Opportunities
  – Considers Attitudes and Rationalizations


2013 Integrated Framework
• The Risk Assessment – Principle 9
The organization identifies and assesses changes that could significantly impact the system of internal control
Points of Focus
  – Identifies and Evaluates Changes
  – Considers Changes in Accounting Requirements, Technology and Funding
  – Considers Changes in Leadership


2013 Integrated Framework
• Ways that Fraudulent Reporting Can Occur
    • Fraud schemes
    • Unusual or complex transactions
    • Overrides
    • Opportunities for inappropriate acts
    • Attitudes


2013 Integrated Framework
• The most common fraud techniques as reported in the 2010 COSO Fraudulent Financial Reporting Study Report include
  – Improper revenue recognition
  – Overstatement of existing assets or capitalization of expenses


2013 Integrated Framework
• Types of Risk Response
  – Acceptance
  – Avoidance
  – Reduction
  – Sharing


2013 Integrated Framework
• Control Activities – Principle 10
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
Points of Focus
  – Interacts with the Risk Assessment
  – Considers Factors that are Specific to the Entity
  – Considers Relevant Business Processes
  – Considers Various Control Activity Types
  – Addresses Segregation of Duties


2013 Integrated Framework
• Control Activities – Principle 11
The organization selects and develops general control activities over technology to support the achievement of objectives
Points of Focus
  – Considers the Use of Technology in the Organization’s Business Processes and Technology General Controls
  – Policies and Procedures Relative to Technology Infrastructure and General Controls
  – Policies and Procedures Relative to Technology and Data Security Management
  – Policies and Procedures Relative to Oversight and Direction over Technology Acquisition, Development, and Maintenance Processes


2013 Integrated Framework
• Control Activities – Principle 12
The organization deploys control activities through policies that establish what is expected and procedures that put policy into action
Points of Focus
  – Establishment of Policies and Procedures
  – Establishment of Responsibility and Accountability to ensure Policies and Procedures are Adhered to and are Performed Timely
  – Control Activities are Assigned and Performed by Competent Personnel


2013 Integrated Framework
• Types of Control Activities
  – Authorizations and Approvals
  – Verifications and Reviews
  – Physical Controls
  – Reconciliations
  – Supervisory Controls
  – Segregating Duties


2013 Integrated Framework
• Information and Communication – Principle 13
The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
Points of Focus
  – Identifies Informational Needs and Crosswalk Requirements
  – Information is Accessible and Protected
  – Information is Provided Timely and is Current
  – Information is Accurate and Verifiable


2013 Integrated Framework
• Information and Communication – Principle 14
The organization internally communicates information, including objectives, and responsibilities for internal control, necessary to support the functioning of internal control
Points of Focus
  – Policies and Procedures are Properly Authorized and Communicated
  – Communication Lines Relative to the Oversight and Execution of the Policies and Procedures are Established
  – Methods of Communication are Appropriate


2013 Integrated Framework
• Information and Communication – Principle 15
The organization communicates with external parties regarding matters affecting the functioning of internal control
Points of Focus
  – Evaluates and Uses Communication with External Parties and Inbound Communication
  – Interacts with Appropriate Senior Management Levels, the Internal Auditor and Board of Trustees regarding external audit matters and the functioning of internal control


2013 Integrated Framework
• Monitoring Activities – Principle 16
The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
Points of Focus
  – Applies Ongoing and Separate Evaluations
  – Performs Reconciliations
  – Performs Validation Procedures
  – Considers Analytical Review Techniques
  – Requires Reviews by Knowledgeable Personnel
  – Monitoring is Integrated with the Business Processes


2013 Integrated Framework
• Monitoring Activities – Principle 17
The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
Points of Focus
  – Determines Adherence to Established Controls
  – Determines and Communicates Deficiencies
  – Establishes and Monitors Corrective Action


2013 Integrated Framework
• What are Ongoing Monitoring Activities
  – Reconciliations
  – Analysis and Review of Accounts or Transactions
  – Scanning of Accounts or Transactions
  – Controller Monthly Verification of Key Account Reconciliations
  – Communication with Functional or Departmental Units Regarding Accuracy of Activities or Accounts
  – Review and Approval of Journal Entries
  – System Test for Duplicate Payments


2013 Integrated Framework
• What are Separate Evaluations
  – Internal Audits
  – External audits
  – UNC Monitoring Visits
  – Functional Compliance Reviews
  – Comparisons to Peer Institutions / Tier Institutions UNC System Average
  – Compliance Checklists


2013 Integrated Framework
• What are the Limitations Related to the Effectiveness of Internal Controls
  – Human judgment in decision making can be faulty or subject to bias
  – Unintentional misstatements due to human failures
  – Management overrides
  – Circumvention of controls through collusion
  – Matters or events beyond the organization’s control


Changes to the 2015 AICFR
• Change and Fraud risk is already incorporated in the assessment document but need to evaluate for enhancement
• Need to incorporate the 17 principles
• As checklist items, the Points of Focus are already part of the assessment document so expect limited change in this area
• The objectives of the assessment need to be articulated, as well as materiality considerations, risk identification, and risk response
• Changes to the standards and procedural guidance need to be evaluated


Changes to the 2015 AICFR
• Need to consider risk related to bond ratings, continuing disclosures and changes to them
• Need to consider adding control activities for debt, endowment and investment functions
• Need to articulate the importance of the Internal Audit role and communication with the audit committee
• Need to evaluate adding the new assessment statements and identification of deficiencies as it relates to the new COSO requirements


Timeline on the 2015 AICFR
• GAP analysis in December
• Draft changes in January
• Work with Advisory Team in February (Include Controller, Internal Control Officer and Internal Auditor)
• Finalize by March


Questions?