COSO - An Internal Control Framework. Prepared by Michael Paul, CGFM. CONTROLLING RISKS - REACHING GOALS


Page 1: COSO - An Internal Control Framework

COSO - An Internal Control Framework

Prepared by Michael Paul, CGFM

CONTROLLING RISKS - REACHING GOALS

Page 2: COSO - An Internal Control Framework

COSO - An Internal Control Framework

• Landmark report commissioned by the Committee on Sponsoring Organizations of the Treadway Commission (COSO).

• Basis of State Comptroller’s guidance for chapter 647.

Page 3: COSO - An Internal Control Framework

Why Internal Control?

Managers need to meet the objectives of their unit.

Risks exist to meeting those objectives.

Controls minimize those risks.

Managers, not accountants, are ultimately responsible for this.

Page 4: COSO - An Internal Control Framework

OBJECTIVES, RISKS, CONTROLS:

• Compliance with laws, regulations, policy and procedures

• Accomplishment of mission

• Reliability of information

• Efficient and effective use of resources

• Safeguarding of assets

Page 5: COSO - An Internal Control Framework

OBJECTIVES, RISKS, CONTROLS

• Compliance

• Reliability

• Accomplishment of mission

• Efficiency and effectiveness

• Safeguarding of assets

COSO combines the last two into:

• Effectiveness and efficiency of operations

Page 6: COSO - An Internal Control Framework

OBJECTIVES, RISKS, CONTROLS

• Define the risks

• Evaluate each risk

– likelihood

– cost of loss

– duration and its side effects

• Prioritize

Page 7: COSO - An Internal Control Framework

OBJECTIVES, RISKS, CONTROLS

• We have risk

• We have identified it

• Measured it

• Prioritized it

• How to diminish it? ACTION

Page 8: COSO - An Internal Control Framework

Control worksheet (example)

Objectives | Risks | Controls

Collect all your A/R | Lazy staff might write off testy clients' accounts | Separate adjustment entry access from collection duty

Assure that receipts all go into state treasury | Receipts staff might steal and cash checks | A/R staff follow up on open receivables

Page 9: COSO - An Internal Control Framework

COSO: 5 Control Elements

• 1. Control Activities*

• 2. Risk Assessment

• 3. Information & communication

• 4. Monitoring

• 5. Control Environment

* what most people think IC means

Page 10: COSO - An Internal Control Framework

To create IC’s…

• PPR Objectives: “CARES” - Compliance with rules, Accomplishment of mission, Reliability of information, Efficiency, Safeguarding assets

• Risk: Define, Evaluate, Prioritize, Diminish

• Controls: “CRIMES” - Control activities, Risk Assessment, Information & Communication, Monitoring, Control Environment

• Across each function and unit

Page 11: COSO - An Internal Control Framework

The COSO NET

(Diagram: the five control elements - Control Activities, Risk Assessment, Information & Communication, Monitoring, Environment of Control - crossed with the objectives Economy & Efficiency, Reliability of reports, and Compliance with laws & regs.; these apply to each function in each unit.)

Page 12: COSO - An Internal Control Framework

ENVIRONMENT

• Integrity & Ethical values

• Commitment to Competence

• Board participation

• Management style

• Organizational structure

• Assignment of authority and responsibility

• Human resources practices

Page 13: COSO - An Internal Control Framework

RISK

• Changes in operating environment

• New personnel

• New Information systems

• Rapid growth

• New technology

• New services, activities

• Restructurings

• New accounting procedures or rules

Page 14: COSO - An Internal Control Framework

RISK

INHERENT (the item itself) + CONTROL (controls malfunction) + DETECTION (detection missed by auditors) = RISK OF PROBLEM GOING UNDETECTED

Page 15: COSO - An Internal Control Framework

Control Risk “Events”

• Management and auditors thoroughly brainstorm scenarios of what could go wrong in each process (fraud, waste, abuse, errors, etc.)

• Do these before you create controls

… or try to assess if they are effective

Page 16: COSO - An Internal Control Framework

ACTIVITIES* - “Hard controls”

• Periodic counts and reconciliation of records to assets; action on variances

• Physical controls over access to assets and records

• Reports of budget or prior period vs. actual

• EDP requires checks of accuracy, completeness and authorization of transactions

• Transactions only as authorized by management

• All transactions are recorded for reporting & accountability

• Segregation of

– Authorization

– Asset Custody

– Record keeping

• Activities are not the whole picture…

* what most people think IC means

Page 17: COSO - An Internal Control Framework

MONITORING - 3 ways:

• Normal routine actions

• Internal auditors

• External audits and reviews

Page 18: COSO - An Internal Control Framework

INFORMATION & COMMUNICATION

• Enable us to capture & exchange info to conduct, manage and control operations

• Accounting system: GL and sub-ledgers

• Training & supervision

• Procedure manuals

• Feedback… Fraud Hot lines

Page 19: COSO - An Internal Control Framework

Benefits of COSO

• Big Picture - organization wide, efficiency, etc.

• Soft Controls as well - trust, management style, understanding of procedures, etc.

• Better Quality

• Controls integrated with the rest of the business

• Balance of cost vs. benefit

Page 20: COSO - An Internal Control Framework

CAVEATS...

• Don’t go wild. COSO is one way to approach IC.

• Use it as new controls are added or as questions arise.

• COSO is a mind-set. Keep these ideas in mind as controls are addressed.

• COSO is used wholesale mostly in large corporate settings with internal audit departments, able to do a business-wide Control Self-Assessment.

Page 21: COSO - An Internal Control Framework

So…

• Don’t worry, be happy?....

Or

• an ounce of prevention is worth a pound of cure

Page 22: COSO - An Internal Control Framework

COSO

AICPA: “This landmark report was commissioned by the Committee on Sponsoring Organizations of the Treadway Commission (COSO). It establishes a common definition of internal control that serves the needs of different parties for assessing and improving their control systems.

COSO's groundbreaking report includes:

• Executive Summary

• Framework

• Reporting to External Parties

• Evaluation Tools

The Addendum to Reporting to External Parties is also included. It:

"encourages management that reports to external parties on controls over financial reporting to also cover controls over safeguarding of assets against unauthorized acquisition, use, or disposition."

It defines such controls and provides a suggested form of report.

Five Evaluation Tools are now available on disk, one for each of the internal control components identified in Integrated Framework for Internal Control. Columnar MS Word templates contain internal control risks, objectives, components and elements with spaces and columns for management or other evaluators to record their assessments, observations and conclusions.

“Everyone in your firm or company who works with internal controls should have his or her own copy.”

https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/Sub+1/Internal+Control+-+Integrated+Framework.htm