Internal Controls and Fraud
COSO’s New Internal Control—Integrated Framework (Exposure Draft)
Helen Y. Painter, CPA
Audit Partner
Purvis, Gray & Co., LLP

What is the Status?
• Exposure Draft Stage
• Comments Due November 16, 2012
• Written comments will be available on-line March 31, 2013
• www.ic.coso.org
• Framework and Appendices
• IC over External Financial Reporting: A Compendium of Approaches and Examples
• Illustrative Tools for Assessing Effectiveness of a System of Internal Control
• Executive Summary & Feedback Questions

Do You Remember COSO?
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• 1992 released the original framework
• Gained Broad Acceptance
• Leading framework for
  • Designing
  • Implementing
  • Conducting internal control
  • Assessing the effectiveness of internal control

Twenty Years Later
• Business and Organizational Changes
  • Technology
  • Complex Transactions
  • Global
• Stakeholders-Want More Assurance
  • Taxpayers
  • Shareholders
  • Owners

Mission of COSO
Dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations.

Updated COSO Cube

Help For External Stakeholders
• Greater confidence in the Board’s Oversight of IC
• Greater confidence in achieving Entity’s goals
• Greater confidence to identify risks
• Greater understanding of the requirement of an effective system of IC
• Greater understanding that management can eliminate ineffective or redundant controls

COSO’s Structure
• Private Sector Initiative
• Sponsored and Funded by:
  • American Accounting Association
  • American Institute of Certified Public Accountants
  • Financial Executives International
  • Institute of Management Accountants
  • The Institute of Internal Auditors

COSO’s Participants
• Board Members – 8
• Principal Contributors (From PwC) – 9
• Advisory Council – 5
• Members at Large – 9
• Regulatory Observers and Other Observers – 6

Defining Internal Control
• Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance

Core of Original Framework Remains
• 5 Components of Internal Control
  • (C) Control Activities
  • (R) Risk Assessment
  • (I) Information & Communication
  • (M) Monitoring Activities
  • (E) Control Environment
• Management’s Judgment
  • Designing, implementing and conducting IC AND assessing effectiveness of a system of IC

Quick Course on CRIME
• (C) Control Activities-actions established through policies and procedures.
  • Preventive or Detective
  • Manual or automated
  • Examples
    • Authorizations and approvals
    • Reconciliations
  • Segregation of Duties is built into the selection and development of control activities

(R) Risk Assessment
• Definition-possibility that an event will occur and adversely affect the achievement of objectives
• Precondition to Risk Assessment is the establishment of Objectives
• Consideration of the impact of possible changes externally that may affect IC

(I) Information and Communication
• Information-necessary to carry out IC responsibilities
• Communication-continual process of providing, sharing, and obtaining necessary information

(M) Monitoring Activities
• Ongoing evaluations to ensure IC are present and functioning
• Findings are evaluated
• Deficiencies are communicated to management and Board

(E) Control Environment
• Set of standards, processes and structures – basis for carrying out IC
• Tone at the top regarding importance
• Integrity and ethical values of organization
• Governance oversight responsibilities
• Provides for a pervasive impact on the overall system of IC

What This Framework Provides
• Means to apply IC to any type of entity
• New Departments, Blended Component Units
• Principles-based approach (not RULES)
• Allows for Judgment
• Requirements for an Effective System
• Means to identify and analyze risk
• Responses to risks within acceptable levels
• Greater focus on anti-fraud measures
• Opportunity to Expand application of IC
• Opportunity to eliminate redundant or inefficient controls

IC Definition-Fundamental Concepts
• Geared to the achievement of objectives
  • Operations, reporting, and compliance
• A process consisting of ongoing tasks and activities-a means to an end, not an end
• Effected by people and the actions they take
• Able to provide reasonable (not absolute) assurance to senior management and Boards
• Adaptable to the entity structure

Objectives
• Framework provides for 3 categories of objectives
  • Operations
    • Efficiencies
    • Financial performance goals
    • Safeguarding assets against loss
  • Reporting
    • Internal and external financial and non-financial reporting
    • Reliability, timeliness, transparency
  • Compliance-adherence to laws and regulations

Enhancements
• Expanding financial Reporting Objectives
• Non-financial
• Internal Reporting
• Considerations of changes in doing business
• Expectations for Governance Oversight
• Globalization of markets and operations
• Changes and Greater Complexity in business
• Demands and complexities in laws, regulations…
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud

Wrapping Our Minds Around It!
• Three Volumes
  • Executive Summary-high-level overview
    • Boards, CEOs, Senior Management
  • Framework and Appendices
    • Defines IC
    • Describes Components
    • Provides Direction
  • Illustrative Tools for Assessing Effectiveness
    • Templates and scenarios useful for application
• In addition-Compendium of Approaches and Examples
  • Provide practical approaches and examples of how the Framework can be applied in preparing external financial statements
• TOO GOOD TO BE TRUE??!

EXAMPLE TOOLS!

The Framework and 17 Principles
• Control Environment
1. Commitment to integrity and ethical values
2. BOD is independent from management and exercises oversight of IC
3. Management (with BOD) establishes structures, reporting lines and responsibilities
4. Commitment to attract, develop and retain competent individuals
5. Holds individuals accountable for their IC responsibilities

Framework and 17 Principles (cont)
• Risk Assessment
6. Organization specifies objectives with sufficient clarity to enable identification of risks.
7. Organization identifies risks and analyzes how risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Framework and 17 Principles (cont)
• Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Framework and 17 Principles (cont)
• Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Framework and 17 Principles (concluded)
• Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Roles and Responsibilities
• Who should be responsible?
• Board of Directors, School Boards, City Council, County Commissioners, Owners
• Overseeing system of internal control
• Defines expectations
• Integrity and Ethical Values
• Transparency
• Accountability
• Objective
• Form Subcommittees
• Audit Committee

Roles and Responsibilities (cont)
• Audit Committees
• Audit and Risk Committee
• Audit Committees request corrective and timely actions to issues
• Should be independent from management
• Interacts with external Auditors
• Scope of Planned Audit Procedures
• Results of Audit Procedures

Roles and Responsibilities (cont)
• Chief Executive Director, President, Superintendent of Schools
• Sets tone at the top
• Control environment
• Accountable to the Board
• Responsible for designing, implementing, and conducting an effective system of internal control

Roles and Responsibilities (cont)
• Chief Financial Officer
• Supports the CEO
• Front-line responsibilities for IC over financial reporting

Roles and Responsibilities (cont)
• Senior Management
• Guides the development and implementation of IC policies and procedures within their operating unit
• Assigns responsibilities for establishing more specific IC procedures to those personnel within the departments.
• Each manager should be accountable to the next higher level for their portion of the internal control system

Roles and Responsibilities (cont)
• Other Personnel
• Internal Control is the responsibility of everyone in an entity-part of everyone’s job

Roles and Responsibilities (cont)
• Internal Auditors
• Provide assurance and advisory support on IC
• Required or optional
• Internal or Outsourced
• Evaluates the adequacy and effectiveness of controls
• Should provide an impartial review
• Should be objective

Roles and Responsibilities (cont)
• Outsource Service Providers
• Examples
  • Human Resource Companies
  • Payroll Companies
  • Internal Audit Function
  • Grant Administration
• Management is STILL responsible for oversight
• Must assess the effectiveness of the system of IC over these activities
• Service Organization Control (SOC) reports

Roles and Responsibilities (concluded)
• Independent Auditors
• Provide information useful to management
• Audit findings
• Analytical Information
• Recommendations
• Findings regarding deficiencies in IC

What About Small Entities?
• Fewer lines of business and fewer products within lines
• Concentration of marketing focus by channel or geography
• Leadership by management with significant ownership interest or rights
• Fewer levels of management with wider spans of control
• Less complex transaction processing systems
• Fewer personnel, many having a wider range of duties
• Limited ability to maintain deep resources in line as well as support staff positions such as legal, human resources, accounting, and internal auditing

Smaller Entities-Meeting Challenges
• Sufficient resources to achieve adequate Segregation of Duties
• Balancing improper management override of processes to meet goals
• Recruiting and retaining experienced personnel
• Running the organization vs. providing sufficient focus on IC
• Controlling information technology with limited resources

Solutions-Segregation of Duties
• “Management” Could Randomly
  • Review Reports of Detailed Transactions
  • Review Selected Transaction
  • Take Periodic Asset Counts (physical inventory, equipment) and compare with accounting records
  • Review random reconciliations (cash, investments, revenues, accounts receivable)

Solutions-Mitigating the Risk of Management Override
• Maintain a corporate culture where integrity and ethical values are held in high esteem
• Implement a whistle-blower program
• Establish an internal audit function that reports directly to an audit committee
• Attract and retain qualified board members

Component Evaluation Template

Component Evaluation Template-Example

Questions?