Internal Controls – Myths and “Best Practices”
DESCRIPTION
This presentation provides an overview of COSO changes related to the development of an internal control system using principles-based guidance.
TRANSCRIPT
COSO Final Changes
May 2013
Consideration of changes in business and operating environments
Expanded operations and reporting objectives
Fundamental concepts of the five components now known as principles
Added additional approaches and examples concerning operations, compliance and non-financial reporting
Internal Controls – Myths and “Best Practices”
2
Updated matrix
[Figure: the updated COSO cube, with axes for Objectives, Components and Organizational structure]
Best Practices?
Internal Control Myths
Internal control means different things to different people
Not a “cure-all” in the prevention and detection of possible fraudulent activities
Internal Control Myths
• Judgment
• Breakdowns
• Management override
• Collusion
• Materiality
• Point-in-time evaluation
• Cost/Benefit considerations
Focus Points – Control Environment
Is there “Tone at the Top”?
Are there standards of conduct concerning integrity and ethical values?
Is there an evaluation of individual and/or team performance against the standards of conduct?
Focus Points – Control Environment
Are deviations from the expected standards of conduct identified and remediated consistently and in a timely manner?
Does the board of directors, or an appropriate level of oversight, operate independently from management?
Are there established lines of authority and reporting?
Focus Points – Control Environment
Have performance measures, incentives and rewards been established?
Is there a process to evaluate competence and address shortcomings?
Do the board of directors and management evaluate and adjust for excessive pressures?
Examples – Control Environment
The organization has a policy on the importance of integrity and ethics throughout the company.
The BOD and senior management have formulated a set of policies on integrity and ethics.
These policies are regularly published on the firm’s internal portal and in newsletters, and are incorporated into contracts with outsourced service providers.
Examples – Control Environment
There is a formal training program to make employees aware of the importance of complying with the standards of conduct.
Management has a formal process to evaluate individuals against the policies and standards of conduct.
Management proactively identifies and addresses deviations from the company’s integrity and ethics policies.
Examples – Control Environment
The BOD has a charter that is comprehensive and outlines the board’s oversight responsibilities.
The board consists of members with significant experience, with some members coming from outside organizations.
The board delegates certain responsibilities to its committees, with each committee having a well-defined charter.
Focus Points – Risk Assessment
Has management designed and evaluated lines of reporting? (Complex lines of authority are best.)
Does the board of directors retain oversight responsibility for management’s development and performance of internal controls?
Do the operations objectives reflect management’s choices about structure, industry considerations, and performance?
Focus Points – Risk Assessment
Is there a process in place to determine how to respond to risks and are the responses appropriate?
Does management ensure compliance with applicable accounting standards, regulations, laws, etc.?
What are the acceptable levels of variation relative to operational objectives and financial performance?
Focus Points – Risk Assessment
Does the risk identification process include changes in the external environment, the business model and/or changes in leadership?
Does management’s fraud risk assessment also assess incentives, pressures, opportunities, attitudes and rationalizations?
Does management’s risk assessment consider various types of fraud?
Examples – Risk Assessment
Operational personnel possess the necessary skills to identify risks associated with new technology.
Risks are identified and reviewed at the appropriate level.
Objectives within the company are clearly defined.
Examples – Risk Assessment
Policies, procedures and controls support the fraud identification and remediation processes.
Risks are identified by senior management and reviewed by the head of quality assurance.
Risk assessments are reviewed by the BOD at least annually.
Focus Points – Control Activities
Do control activities address and mitigate risks?
Do relevant business processes have and maintain current control activities?
Do control activities include a range and variety of controls, including both manual and automated controls, as well as preventive and detective controls?
Focus Points – Control Activities
Do control activities address segregation of duties?
Do the control activities include technology general controls, including technology infrastructure?
Do control activities include controls that are designed and implemented to restrict technology access?
Focus Points – Control Activities
Do control activities address responsibility and accountability and take corrective action in a timely manner?
Are policies and procedures developed in a timely manner?
Are control policies and procedures re-assessed to determine their continued use or relevance?
Examples – Control Activities
The company has developed control activities that link to the risks identified in the risk assessment process.
The company has controls over technology, including access controls, changes and infrastructure.
The company maintains policies and procedures that clearly outline expectations.
Examples – Control Activities
Staff is formally trained on policies and procedures.
Consistency of remedial action taken in response to departures from approved policies and procedures.
Oversight of the BOD in determining compensation of executive officers.
Focus Points – Information and Communication
Is a process in place to identify all information required to support internal control functions?
Does the information system process capture internal and external data and transform relevant data into information?
Does management consider the costs and benefits with the nature, quantity and precision of information that supports the company’s operational objectives?
Best Practices – Information and Communication
Is internal control information communicated to personnel?
Are there separate communication lines used to enable anonymous or confidential communication?
Is the selection of communications relevant?
Best Practices – Information and Communication
Is there a process in place to communicate timely information to external parties?
Are there open channels of communication to allow input from external sources?
Do the methods of communication consider the timing, audience and the nature of the communication?
Examples – Information and Communication
Information policies are well developed, and relevant, quality information is generated to support all aspects of internal control.
Objectives and internal control responsibilities are clearly communicated, at least quarterly.
External communications are in place, such as robust customer feedback and supplier partner programs.
Examples – Information and Communication
Committee appointed for development or revision of information systems based upon strategic plans and overall strategy of the company.
Establishment of channels of communications for people to report suspected improprieties and/or suggestions for improvements.
Commitment of appropriate resources for the development of necessary information.
Focus Points – Monitoring Activities
Is there a mix of ongoing and separate evaluations?
Is there a baseline understanding for ongoing and separate evaluations?
Do the evaluators have sufficient knowledge and training?
Focus Points – Monitoring Activities
Do the ongoing evaluations adjust to changing conditions?
Does management adjust the scope and frequency of separate evaluations depending on risk?
Do the evaluations provide objective feedback?
Focus Points – Monitoring Activities
How do management and the board of directors assess the results of ongoing and separate evaluations?
How are deficiencies communicated to the relevant parties?
How does management track whether deficiencies are remediated in a timely manner?
Examples – Monitoring Activities
Quality assurance conducts internal operational reviews with input and oversight from internal audit.
Personnel performing reviews receive formal training on new technology and processes.
Experienced senior management review internal operational reports.
Examples – Monitoring Activities
Deficiencies are evaluated as to severity and responsibility, and communicated to senior management.
Development of a tracking system for deficiencies to ensure they are remediated in a timely manner.
Deficiencies are also reported to the board of directors or the appropriate level of oversight.