A Framework for Control

COSOs five components of internal control and questions too important to ignore
www.theiia.org

What is COSO?

www.theiia.org

What is COSO?
COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is a private sector initiative established in 1985 by five financial professional associations.

www.theiia.org

Who?

www.theiia.org

Who?
The Institute of Internal Auditors

www.theiia.org

Who?
The Institute of Internal Auditors American Institute of Certified Public Accountants

www.theiia.org

Who?
The Institute of Internal Auditors American Institute of Certified Public Accountants American Accounting Association

www.theiia.org

Who?
The Institute of Internal Auditors American Institute of Certified Public Accountants American Accounting Association Institute of Management Accountants
www.theiia.org

Who?
The Institute of Internal Auditors American Institute of Certified Public Accountants American Accounting Association Institute of Management Accountants Financial Executives Institute
www.theiia.org

Why?

www.theiia.org

Why?
COSOs goal is to improve the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control.
www.theiia.org

Definition of Internal Control

www.theiia.org

Definition of Internal Control

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

www.theiia.org

Categories of Internal Control

www.theiia.org

Categories of Internal Control

Effectiveness and efficiency of operations

www.theiia.org

Categories of Internal Control

Effectiveness and efficiency of operations Reliability of financial reporting

www.theiia.org

Categories of Internal Control

Effectiveness and efficiency of operations
Reliability of financial reporting Compliance with applicable laws and regulations

www.theiia.org

Components of Internal Control

www.theiia.org

Components of Internal Control

1. Control Environment

www.theiia.org

Components of Internal Control

1. Control Environment
2. Risk Assessment

www.theiia.org

Components of Internal Control

1. Control Environment
2. Risk Assessment

3. Control Activities

www.theiia.org

Components of Internal Control

1. Control Environment
2. Risk Assessment

3. Control Activities
4. Information and Communication

www.theiia.org

Components of Internal Control

1. Control Environment
2. Risk Assessment

3. Control Activities
4. Information and Communication 5. Monitoring

www.theiia.org

Ask the Right Internal Control Questions about:

www.theiia.org

ETHICS

www.theiia.org

ETHICS
1. Do board members and senior executives set a day-in, day-out example of high integrity and ethical behavior?

www.theiia.org

ETHICS
2. Is there a written code of conduct for employees, and is it reinforced by training, top down communications, and requirements for periodic written statements of compliance from key employees?

www.theiia.org

ETHICS
3. Are performance and incentive compensation targets reasonable and realistic, or do they create undue pressure on achievement of shortterm results?

www.theiia.org

ETHICS
4. Is it clear that fraudulent financial reporting at any level and in any form will not be tolerated?

www.theiia.org

ETHICS
5. Are ethics woven into criteria that are used to evaluate individual and business unit performance?

www.theiia.org

ETHICS
6. Does management react appropriately when receiving bad news from subordinates and business units?

www.theiia.org

ETHICS
7. Does a process exist to resolve close ethical calls?

www.theiia.org

ETHICS
8. Are business risks identified and candidly discussed with the board of directors?

www.theiia.org

RISK

www.theiia.org

RISK
1. Is relevant and reliable internal and external information identified, compiled, and communicated in a timely manner to those who are positioned to act?

www.theiia.org

RISK
2. Are risks identified and analyzed, and actions taken to mitigate them?

www.theiia.org

RISK
3. Are controls in place to assure that management decisions are properly carried out?

www.theiia.org

INTERNAL CONTROL

www.theiia.org

INTERNAL CONTROL
1. Do senior and line management executives demonstrate that they accept control responsibility, not just delegate that responsibility to financial and audit staff?

www.theiia.org

INTERNAL CONTROL
2. Does management routinely monitor controls in process of running the organizations operations?

www.theiia.org

INTERNAL CONTROL
3. Does management clearly assign responsibilities for training and monitoring of internal controls?

www.theiia.org

INTERNAL CONTROL
4. Are periodic, systematic evaluations of control systems conducted and documented?

www.theiia.org

INTERNAL CONTROL
5. Are such evaluations conducted by personnel with appropriate responsibilities, business experience, and knowledge of the organizations affairs?

www.theiia.org

INTERNAL CONTROL
6. Are appropriate criteria established to evaluate controls?

www.theiia.org

INTERNAL CONTROL
7. Are control deficiencies reported to higher levels of management and corrected on a timely basis?

www.theiia.org

INTERNAL CONTROL
8. Are appropriate controls built in as new systems are designed and brought on stream?

www.theiia.org

AUDIT COMMITTEES

www.theiia.org

AUDIT COMMITTEES
1. Has the board recently reviewed adequacy of the audit committees written charter?

www.theiia.org

AUDIT COMMITTEES
2. Are audit committee members functioning and, in fact, independent of management?

www.theiia.org

AUDIT COMMITTEES
3. Do audit committee members possess an appropriate mix of operating and financial control expertise?

www.theiia.org

AUDIT COMMITTEES
4. Does the audit committee understand and monitor the broad organizational control environment?

www.theiia.org

AUDIT COMMITTEES
5. Does the audit committee oversee appropriateness, relevance, and reliability of operational and financial reporting to the board, as well as to investors and other external users?

www.theiia.org

AUDIT COMMITTEES
6. Does the audit committee oversee existence of and compliance with ethical standards?

www.theiia.org

AUDIT COMMITTEES
7. Does the audit committee or full board have a meaningful but challenging relationship with independent auditors, internal auditors, senior financial control executives, and key corporate and business unit operating executives?

www.theiia.org

INTERNAL AUDITING

www.theiia.org

INTERNAL AUDITING
1. Does internal auditing have the support of top management, the audit committee, and the board of directors as a whole?

www.theiia.org

INTERNAL AUDITING
2. Has the written scope of internal audit responsibilities been reviewed by the audit committee for adequacy?

www.theiia.org

INTERNAL AUDITING
3. Is the organizational relationship between internal auditing and senior executives appropriate?

www.theiia.org

INTERNAL AUDITING
4. Does internal auditing have and use open lines of communication and private access to all senior officers and the audit committee?

www.theiia.org

INTERNAL AUDITING
5. Are audit reports covering the right subjects distributed to the right people and acted upon in a timely manner?

www.theiia.org

INTERNAL AUDITING
6. Do key audit executives possess an appropriate level of expertise?

www.theiia.org

To Purchase the Framework:

Visit The IIA Bookstore at

www.theiia.org

www.theiia.org

For More about the Framework:

www.theiia.org

For More about the Framework:

Visit

www.coso.org

www.theiia.org

A Framework for Control

This presentation was produced by

www.theiia.org

The IIA is the internal audit professions global voice, recognized authority, acknowledged leader, chief advocate and principal educator worldwide.

www.theiia.org