Internal Controls and Fraud

COSO’s New Internal
Control—Integrated
Framework-(Exposure
Draft)
Helen Y. Painter, CPA
Audit Partner
Purvis, Gray & Co., LLP
1

What is the Status?
• Exposure Draft Stage
• Comments Due November 16, 2012
• Written comments will be available on-line March 31, 2013
• www.ic.coso.org
• Framework and Appendices
• IC over External Financial Reporting: A Compendium of
Approaches and Examples
• Illustrative Tools for Assessing Effectiveness of a System of
Internal Control
• Executive Summary & Feedback Questions
2

Do You Remember COSO?
• Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
• 1992 released the original framework
• Gained Broad Acceptance
• Leading framework for
• Designing
• Implementing
• Conducting internal control
• Assessing the effectiveness of internal Control
3

Twenty Years Latter
• Business and Organizational Changes
• Technology
• Complex Transactions
• Global
• Stakeholders-Want More Assurance
• Taxpayers
• Shareholders
• Owners
4

Mission of COSO
Dedicated to providing thought leadership
through the development of
comprehensive frameworks and guidance
on internal control, enterprise risk
management, and fraud deterrence
designed to improve organizational
performance and oversight and to reduce
the extent of fraud in organizations.
5

Updated COSO Cube
7

Help For External Stakeholders
• Greater confidence in the Board’s Oversight of
IC
• Greater confidence in achieving Entity’s goals
• Greater confidence to identify risks
• Greater understanding of the requirement of
effective system of IC
• Greater understanding that management can
eliminate ineffective or redundant controls
8

COSO’s Structure
• Private Sector Initiative
• Sponsored and Funded by:
• American Accounting Association
• American Institute of Certified Public Accountants
• Financial Executives International
• Institute of Management Accountants
• The Institute of Internal Auditors
9

COSO’s Participants
• Board Members – 8
• Principal Contributors (From PwC) – 9
• Advisory Council – 5
• Members at Large – 9
• Regulatory Observers and Other
Observers - 6
10

Defining Internal Control
• Internal control is a process, effected by
an entity’s board of directors,
management, and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives
relating to operations, reporting, and
compliance
12

Core of Original Framework
Remains
• 5 Components of Internal Control
• (C ) Control Activities
• (R) Risk Assessment
• (I) Information & Communication
• (M) Monitoring Activities
• (E) Control Environment
• Management’s Judgment
• Designing, implement and conduct IC AND assessing
effectiveness of a system of IC
14

Quick Course on CRIME
• (C) Control Activities-actions established
through policies and procedures.
• Preventive or Detective
• Manual or automated
• Examples
• Authorizations and approvals
• Reconciliations
• Segregation of Duties is built into the
selection and development of control activities
15

(R)Risk Assessment
• Definition-possibility that an event will
occur and adversely affect the
achievement of objectives
• Precondition to Risk Assessment is the
establishment of Objectives
• Consideration of the impact of possible
changes externally that may effect IC
16

(I) Information and Communication
• Information-necessary to carry out IC
responsibilities
• Communication-continual process of
providing, sharing, and obtaining
necessary information
17

(M) Monitoring Activities
• Ongoing evaluations to ensure IC are
present and functioning
• Findings are evaluated
• Deficiencies are communicated to
management and Board
18

(E) Control Environment
• Set of standards, processes and structures
–basis for carrying out IC
• Tone at the top regarding importance
• Integrity and ethical values of organization
• Governance oversight responsibilities
• Provides for a pervasive impact on the overall
system of IC
19

What This Framework Provides
• Means to apply IC to any type of entity
• New Departments, Blended Component Units
• Principals-based approach (not RULES)
• Allows for Judgment
• Requirements for an Effective System
• Means to identify and analyze risk
• Responses to risks within acceptable levels
• Greater focus on anti-fraud measures
• Opportunity to Expand application of IC
• Opportunity to eliminate redundant or inefficient controls
20

IC Definition-Fundamental Concepts
• Geared to the achievement of objectives
• Operations, reporting, and compliance
• A process consisting of ongoing tasks and activities-a means to an
end, not an end
• Effected by people and the actions they take
• Able to provide reasonable (not absolute) assurance to senior
management and Boards
• Adaptable to the entity structure
21

Objectives
• Framework provides for 3 categories of objectives
• Operations
• Efficiencies
• Financial performance goals
• Safeguarding assets against loss
• Reporting
• Internal and external financial and non-financial reporting
• Reliability, timeliness, transparency
• Compliance-adherence to laws and regulations
22

Enhancements
• Expanding financial Reporting Objectives
• Non-financial
• Internal Reporting
• Considerations of changes in doing business
• Expectations for Governance Oversight
• Globalization of markets and operations
• Changes and Greater Complexity in business
• Demands and complexities in laws, regulations…
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud
23

Wrapping Our Minds Around It!
• Three Volumes
• Executive Summary-high-level overview
• Boards, CEOs, Senior Management
• Framework and Appendices
• Defines IC
• Describes Components
• Provides Direction
• Illustrative Tools for Assessing Effectiveness
• Templates and scenarios useful for application
• In addition-Compendium of Approaches and Examples
• Provide practical approaches and examples how Framework can be applied in preparing
external financial statements
• TOO GOOD TO BE TRUE??!
24

EXAMPLE TOOLS!
25

The Framework and 17
Principles
• Control Environment
1. Commitment to integrity and ethical values
2. BOD is independent from management and exercises
oversight of IC
3. Management (with BOD) establishes structures,
reporting lines and responsibilities
4. Commitment to attract, develop and retain competent
individuals
5. Holds individuals accountable for their IC responsibilities
27

Framework and 17 Principals
(cont)
• Risk Assessment
6. Organization specifies objectives with sufficient
clarity to enable identify risks.
7. Organization identifies risks and analyzes how risks
should be managed.
8. The organization considers the potential for fraud in
assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes
that could significantly impact the system of internal
control.
28

Framework and 17 Principals
• Control Activities
(cont)
10. The organization selects and develops control
activities that contribute to the mitigation of risks to
the achievement of objectives to acceptable levels.
11. The organization selects and develops general
control activities over technology to support the
achievement of objectives.
12. The organization deploys control activities through
policies that establish what is expected and
procedures that put policies into action.
29

Framework and 17 Principals
(cont)
• Information and Communication
13. The organization obtains or generates and uses relevant,
quality information to support the functioning of other
components of internal control.
14. The organization internally communicates information,
including objectives and responsibilities for internal
control, necessary to support the functioning of other
components of internal control
15. The organization communicates with external parties
regarding matters affecting the functioning of other
components of internal control.
30

Framework and 17 Principals
(concluded)
• Monitoring Activities
16. The organization selects, develops, and performs
ongoing and/or separate evaluations to ascertain
whether the components of internal control are present
and functioning.
17. The organization evaluates and communicates
internal control deficiencies in a timely manner to those
parties responsible for taking corrective action, including
senior management and the board of directors, as
appropriate
31

Roles and Responsibilities
• Who should be responsible?
• Board of Directors, School Boards, City Council,
County Commissioners, Owners
• Overseeing system of internal control
• Defines expectations
• Integrity and Ethical Values
• Transparency
• Accountability
• Objective
• Form Subcommittees
• Audit Committee
32

Roles and Responsibilities
(cont)
• Audit Committees
• Audit and Risk Committee
• Audit Committees request corrective and
timely actions to issues
• Should be independent from management
• Interacts with external Auditors
• Scope of Planned Audit Procedures
• Results of Audit Procedures 33

Roles and Responsibilities
(cont)
• Chief Executive Director, President,
Superintendent of Schools
• Sets tone at the top
• Control environment
• Accountable to the Board
• Responsible for designing , implementing, and
conducting an effective system of internal control
34

Roles and Responsibilities
(cont)
• Chief Financial Officer
• Supports the CEO
• Front-line responsibilities for IC over financial
reporting
35

Roles and Responsibilities (cont)
• Senior Management
• Guides the development and implementation of IC
policies and procedures within their operating unit
• Assigns responsibilities for establishing more specific
IC procedures to those personnel within the
departments.
• Each manager should be accountable to the next
higher level for their portion of the internal control
system
36

Roles and Responsibilities
• Other Personnel
(cont)
• Internal Control is the responsibility of
everyone in an entity-part of everyone’s job
37

Roles and Responsibilities
(cont)
• Internal Auditors
• Provide assurance and advisory support on IC
• Required or optional
• Internal or Outsourced
• Evaluates the adequacy and effectiveness of
controls
• Should provide an impartial review
• Should be objective 38

Roles and Responsibilities (cont)
• Outsource Service Providers
• Examples
• Human Resource Companies
• Payroll Companies
• Internal Audit Function
• Grant Administration
• Management is STILL responsible for oversight
• Must assess the effectiveness of the system of IC over these
activities
• Service Organization Control (SOC) reports
39

Roles and Responsibilities
(concluded)
• Independent Auditors
• Provide information useful to management
• Audit findings
• Analytical Information
• Recommendations
• Findings regarding deficiencies in IC
40

What About Small Entities?
• Fewer lines of business and fewer products within lines
• Concentration of marketing focus by channel or geography
• Leadership by management with significant ownership interest or
rights
• Fewer levels of management with wider spans of control
• Less complex transaction processing systems
• Fewer personnel, many having a wider range of duties
• Limited ability to maintain deep resources in line as well as
support staff positions such as legal, human resources,
accounting, and internal auditing
41

Smaller Entities-Meeting
Challenges
• Sufficient resources to achieve adequate
Segregation of Duties
• Balancing improper management override of
processes to met goals
• Recruiting and retaining experienced personnel
• Running the organization vs. providing sufficient
focus on IC
• Controlling information technology with limited
resources
42

Solutions-Segregation of Duties
• “Management” Could Randomly
• Review Reports of Detailed Transactions
• Review Selected Transaction
• Take Periodic Asset Counts (physical
inventory, equipment) and compare with
accounting records
• Review random reconciliations (cash,
investments, revenues, accounts receivable) 43

Solutions-Mitigating the Risk of
Management Override
• Maintain a corporate culture where integrity and
ethical values are held in high esteem
• Implement a whistle-blower program
• Establish an internal audit function that reports
directly to an audit committee
• Attract and retain qualified board members
44

Component Evaluation Template
46

Component Evaluation Template-
Example
48

Questions?
50