Volume 21, Issue 23
Published on: Sep 05, 2014
Oct 28, 2016 - In an effective internal control system, these five COSO components. This model has been adopted as the generally accepted framework for internal control and is widely. Control–Integrated Framework Executive Summary Control. Energy & utilities (1) fixed assets (1) flash report (1) free tool of the. The COSO Internal Control Integrated Framework is an interactive two-day seminar where the attendees will learn how COSO’s Internal Control Integrated Framework (IC-IF) principles-based approach can be designed effectively and deployed successfully within organizations. Note: If you're looking for a free download links of COSO Internal Control – Integrated Framework: Turning Principles Into Positive Action Pdf, epub, docx and torrent then this site is not for you. Ebookphp.com only do ebook promotions online and we does not distribute any free download of ebook on this site.
A separate document provided at the time of download. (COSO) released its Internal Control—Integrated Framework (the original framework).
by Jennifer Burns, Deloitte LLP; and Sandy Herrygers, Deloitte & Touche LLP
Introduction
In response to a confluence of regulatory statements and standard-setting activities (e.g., by COSO,1 the PCAOB, and the SEC), companies, audit committees, auditors, and regulators have increased their focus on internal control over financial reporting (ICFR). Statements by representatives from the SEC and PCAOB have emphasized that companies and auditors should increase the attention they give to internal control. For example, in a December 2013 speech, SEC Deputy Chief Accountant Brian Croteau stated the following:
As we maintain or increase the intensity of our focus in [ICFR] Katy perry i kissed a girl mp3 song free download. . . . I remain convinced that at least some of the PCAOB’s inspection findings related to the audits of internal control over financial reporting are likely indicators of similar problems with management’s evaluations of ICFR, and thus potentially also indicative of risk for unidentified material weaknesses [and] I continue to question whether all material weaknesses are being properly identified. . . . This could be either because the deficiencies are not being identified in the first instance or otherwise because the severity of deficiencies is not being evaluated appropriately.
And in a March 2014 speech, PCAOB Board Member Jeanette Franzel noted:
We are currently in a “perfect storm” in the area of internal control over financial reporting, which demands effective action by all participants in the financial reporting and auditing chain. Management, internal auditors, and external auditors will be navigating the updated Committee of Sponsoring Organizations of the Treadway Commission (COSO) “Internal Control — Integrated Framework” at the same time that external audit firms are taking steps to respond to PCAOB inspection findings associated with their audits of internal control.
Since COSO issued its Internal Control — Integrated Framework (the “2013 Framework”) in May 2013,2 management teams have been taking steps to implement it in accordance with COSO’s transition guidance.
While the 2013 Framework’s internal control components (i.e., control environment, risk assessment, control activities, information and communication, and monitoring activities) are the same as those in the 1992 Framework, the new framework requires companies to assess whether 17 principles are present and functioning in determining whether their system of internal control is effective. Further, the 17 principles are supported by points of focus, which are important considerations in a company’s evaluation of the design and operating effectiveness of controls to address the principles. These changes will drive the need for a different deficiency evaluation process. From an ICFR perspective, when one or more of the 2013 Framework’s 17 principles are not present and functioning, a major deficiency exists, which equates to a material weakness under Section 404 of the Sarbanes-Oxley Act of 2002 (“SOX 404”).3 In addition, it is important to recognize that entity-level controls are generally indirectly related to the financial statements and therefore are more difficult to quantitatively evaluate than direct process-level controls. Entity-level controls are also typically more tailored to the size, complexity, and risk profile of the organization and therefore their evaluation is more qualitative.
While companies use COSO’s framework in connection with SOX 404 compliance and ICFR, a significant trend has emerged regarding extending its application to other regulatory or operational risks. Overall, companies have both an impetus and an opportunity to use their implementation of the 2013 Framework as a means to objectively reevaluate their internal controls, identify areas of improvement and synergies, and identify opportunities for systematically managing regulatory, operational, and reporting risks.
This Heads Up discusses issues related to the timing of implementing the 2013 Framework as well as implementation challenges and leading ICFR practices. It also provides observations and perspectives regarding applying the 2013 Framework for operational and regulatory compliance purposes. See Deloitte’s June 10, 2013, Heads Up for an overview of the 2013 Framework.
Implementation Timing
Questions have arisen about whether companies are required to adopt the 2013 Framework in the current year. COSO provided transition guidance that recommends adoption of the 2013 Framework by December 15, 2014, at which time the 1992 Framework will be superseded. The SEC requires companies to use a “suitable, recognized control framework.”4
Most companies are moving forward with adopting the 2013 Framework this year, in accordance with COSO’s transition guidance. They have cited a number of reasons for doing so, including:
These companies have their gap assessment under way right now, with a target to have the gap assessment and initial testing of ICFR completed by the end of the third quarter. This leaves the fourth quarter for remediation of internal control gaps and retesting. This timing helps ensure an efficient and effective ICFR attestation process for management at year-end.
We have observed some instances in which companies have decided to continue to apply the 1992 Framework for the current calendar year. Their decisions were generally based on consultations with a number of stakeholders, including the board, audit committee, and internal and external auditors. Regardless of their decision, companies should clearly disclose in their annual assessment of ICFR whether they used the 1992 Framework or the 2013 Framework.
Implementation Challenges and Leading Practices
As companies work their way through the implementation process, some may resort to a checklist approach in complying with the new framework. To truly unlock the value that can be achieved by adopting the 2013 Framework, management should take a step back and evaluate how it is addressing the risks to its organization in light of the company’s size, complexity, global reach, and risk profile. In companies’ implementation of the 2013 Framework, there is a difference between doing the minimum to address the framework’s principles and doing the right thing to effectively address the principles. Companies that choose to do the right thing will unlock the value, reduce fraud risk, avoid financial reporting surprises, and support sustained business performance over the long term.
The table below summarizes the 2013 Framework’s principles by component, and the paragraphs that follow discuss common challenges that companies are experiencing as they work to implement the framework for SOX 404 purposes as well as leading internal control practices that may help address the implementation challenges.
Demonstrating an Effective Ethics Program (Principles 1, 2)
As organizations evolve and change, their ethics programs may become stale or inadequate, and compliance with them may become “check the box” exercises. In addition, although many organizations have established ethics programs, they do not always address financial reporting or ICFR. Enron’s code of conduct was widely acknowledged to be world-class at the time of the fraud scandal that ultimately ended the company and affected so many. In material fraud cases, there are often other alternate and conflicting messages in addition to those about integrity and ethical values. In many cases, the pressure on earnings and the personalities delivering alternate messages are so strong that they overpower the organization’s message on integrity and ethical values. The tone that pervades such organizations can become a factor in employees’ decisions to commit and rationalize fraud that they might not otherwise entertain. When it comes to tone at the top, actions speak louder than words.
Risk Assessment, Including Performing an Effective Fraud Risk Assessment (Principles 7, 8)
Management’s attention to risk assessment may be focused more on operational or regulatory risks than financial reporting risks; and in the context of financial reporting, it may be focused more on safeguarding assets and fraud, such as theft of inventory or fraudulent expense reporting (which generally represents only about 3 to 4 percent of the material frauds actually identified6), than on the risk of fraudulent financial reporting. Carefully identifying the entity’s fraud risks, particularly when earnings pressures and aggressive incentive compensation programs exist, is an important part of a fraud risk assessment. In addition, management often does not adequately consider industry-specific risks and potential fraud schemes as part of the fraud risk assessment. For example, the potential for management override of internal control and financial reporting areas involving significant judgment and estimates should be specific areas of focus in a fraud risk assessment related to ICFR.
Because the risk assessment underpins the design and implementation of controls, an incomplete or ineffective risk-assessment process can have a significant effect on the effectiveness of ICFR. Further, significant errors or deficiencies (individually or in the aggregate) may indicate that the principles related to the risk-assessment component were not effective.
Identifying Changes and Appropriately Factoring Them Into the Risk-Assessment Process (Principle 9)
Change creates risk; therefore, management should implement processes that enable it to identify and evaluate changes affecting the organization on a timely basis. While companies typically have robust change processes for IT systems, they often lack a defined process for managing other changes that could affect financial reporting, which may originate externally (e.g., new accounting requirements) or internally (e.g., accounting for nonroutine or complex transactions, business process redesign or centralization, or outsourcing to service providers). Sometimes the roles and responsibilities associated with these changes and the related controls are spread across multiple parties and are not effectively monitored. In addition, many companies underemphasize the importance of providing employee training on these new roles and responsibilities during the transition period, thereby creating a risk of ineffective internal control.
In practice, material weaknesses are frequently related to these changes and result in part from both an inadequate assessment of the related risks and insufficient deployment and monitoring of the controls that directly address the risks.
Segregation of Duties (Principles 10, 11)
Many management teams and boards rightly worry about the risk that employees will collude to commit fraud. However, management’s failure to segregate duties appropriately across multiple systems or manual processes poses the unique risk that employees will be able to commit fraud or conceal fraudulent activity without collusion. The opportunity to commit fraud and the likelihood of its occurrence are much greater when collusion is not necessary, as when duties are not appropriately segregated. This is particularly true in the era of large enterprise resource planning (ERP) systems, which individually process a substantial number of financial transactions. Detective controls alone, which may be imprecise and more operationally focused, are, by their nature, often ineffective in preventing or detecting fraud, especially since many material acts of fraud are not the result of a single material transaction and only become material in the aggregate over time.
Deficiencies in segregation of duties have been a common root cause of material weaknesses and material acts of fraud. The following are a few examples of the numerous public-company internal control disclosures reported over the past 10 years about material weaknesses involving such deficiencies:
Effective Design of Management Review Controls (Principles 10, 12, 13, 16)![]()
Management’s design of processes and controls typically consists of both preventive and detective controls (e.g., management review controls). However, management may be overrelying on such controls for SOX 404 purposes since they are often not precise enough on their own to detect material misstatements, particularly smaller or systemic errors that could aggregate into a material amount. Sometimes there is an operational bias in these controls (e.g., controls comparing actual to budget); while a control may identify a potential error when a variance occurs, it may not be designed to identify errors when a variance does not exist. For this reason, the design of management review controls and evidence of their operational effectiveness have been a significant area of focus for management, auditors, and regulators, particularly with respect to management review controls related to estimates and the application of U.S. GAAP to new or infrequent transactions or events.
Outsourced Service Providers (Multiple Principles)
Given the significant increase in outsourcing relationships for information, business processes, and IT, internal controls related to outsourced service providers (OSPs) have become critical. While most companies have processes in place for evaluating SSAE 168 reports obtained from service organizations to address the control activities component of the 2013 Framework, most user organizations lack formal and auditable controls to address the OSP considerations related to the other four components of the framework (e.g., controls over the communication of expectations regarding the code of conduct, responsibilities, and authority; and controls for monitoring service-level agreements and communications). In addition, companies may directly record significant journal entries based on reports from OSPs without appropriate monitoring mechanisms to determine whether those reports are materially accurate and complete. It is important for management to establish robust monitoring controls over OSPs. Without such controls, there could be unfortunate surprises late in the year when SSAE 16 reports are delivered, such as unexpected report qualifications.
Information Quality (Principle 13)
Financial reporting misstatements may result from inappropriate reliance on erroneous data or reports, which could be triggered by failures in design or operational effectiveness related to any of the following:
Sometimes, companies either lack appropriate controls for addressing the risks associated with important information on which they depend for SOX 404 purposes or fail to identify and test the controls over such information. A solution to this problem is ensuring that management has specific controls in place over data, including non-system-generated reports and data to and from OSPs. In addition, companies need to look beyond basic GITCs and also focus on the process-level controls over financial reporting information and data.
Internal Control Design Evaluation (Multiple Principles)
If the design of entity-level controls is not fully evaluated, deficiencies in such controls may be overlooked. Given the requirement to separately determine whether each of the 17 principles in the 2013 Framework is present and functioning, entity-level controls are important foundational controls. In our experience, the majority of gaps are identified as a result of evaluating the design of controls and the ability of management, internal auditors, and external auditors to test those controls rather than as a result of performing a mapping exercise (i.e., mapping current controls to the 2013 Framework). It is important that management conduct a robust design evaluation to improve its internal controls and support its ICFR attestation.
Using the 2013 Framework for Operational and Regulatory Compliance
Use of the 2013 Framework for operational and compliance purposes (in addition to ICFR) is a growing trend among companies. Implementing the updated framework provides a good opportunity, regardless of how mature a company’s system of internal control may be, to take a fresh look at internal controls with the potential for creating value for the organization. Improvements in the effectiveness of a company’s system of internal control can lead to more efficient operations, greater compliance rates, and more effective internal management reporting. Examples of voluntary uses of the 2013 Framework include the following:
Use of the 2013 Framework outside the financial reporting context can provide helpful and necessary discipline to boards and audit committees as they address the increasingly complex array of risks they oversee. It can also provide management with a consistent and efficient framework to define, implement, and monitor its control structure and help it continually improve its overall risk management processes.
____________________
1 COSO is the Committee of Sponsoring Organizations of the Treadway Commission. In May 2013, COSO updated its Internal Control — Integrated Framework, which was originally issued in 1992.
2 The 2013 Framework and Illustrative Tools can be purchased from the AICPA Store. An executive summary of the 2013 Framework is available for free on COSO’s Web site.
3 The 2013 Framework contains the following new guidance on a major deficiency in internal control:
“When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control. A major deficiency exists in the system of internal control when management determines that a component and one or more relevant principles are not present or functioning or that components are not operating together.
A major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component. Similarly, a major deficiency in a relevant principle cannot be mitigated to an acceptable level by the presence and functioning of other principles.”
4 SEC Exchange Act Rule 13a-15(c).
5 PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements.
6 See Deloitte’s Ten Things About Financial Statement Fraud.
![]()
7 Information produced by the entity.
8 AICPA Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization.
Coso
On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the1992 document Internal Control - Integrated Framework. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement, and assess internal control. COSO believes this framework will provide organizations significant benefits; for example, increased confidence that controls mitigate risks to acceptable levels and reliable information supporting sound decision making.
COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. The AICPA is a member of COSO.
In recognizing technological and business developments along with increased corporate risks, the need to codify existing principles and supporting attributes, as well as provide expanded guidance on nonfinancial reporting, COSO issued the updated framework for public comment in December 2011. Along with 200 other individuals and organizations, the AICPA provided its comments. The framework retains the core definition of internal control and the five components of a system of internal control. Companies that already have an effective system of internal control should not experience additional responsibilities under the clarified framework.
COSO has released several documents in conjunction with their announcement.
The publications above are also available in a comprehensive bundle.
Exception: When someone who has the link to your unlisted video adds it to their playlists, other people will be able to view it and search for it on YouTube Once you upload unlisted video, load it and send a URL to people you want to have access to it. It doesn’t require you to mark a specific person who can view a video. What makes Unlisted video different from a public video is that nobody will be able to see it in your Videos tab of your channel page and in search results. How to download an unlisted youtube video. As long as a person has the URL, he/she can view it. Unlisted video Unlisted videos can be viewed if you have shared a video URL with them.
Visit COSO on the web for more information, including their document The 2013 COSO Framework & SOX Compliance.
Coso 2013 FrameworkVideoModernizing the Internal Control - Integrated Framework
Bill Schneider, Director of Accounting at AT&T and Member of the AICPA Board of Directors and the COSO Advisory Council gives an overview of the work COSO has undertaken to update the internal control framework and explains what the project might mean for a CPA.
Internal Control SystemMore on AICPA TVComments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |