Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • This is a visual depiction of COSO’s five interrelated components of internal control. The Control Environment encompasses every facet of the internal control framework and sets the tone of an organization, influencing the control consciousness of its people. Risk Assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Control Activities are the policies and procedures that help ensure management directives are carried out. Control activities are developed to specifically address each control objective to mitigate risks identified in the risk assessment. Information and Communication is the identification, capture and communication of pertinent information in a form and timeframe that enable people to carry out their responsibilities. This process should also work in reverse, communicating information on results, deficiencies and emerging issues from employees to management. Monitoring is the process of assessing the quality of the control system's performance over time through ongoing and special evaluations.
  • cache

    1. 1. Project Definition <ul><li>Project name - RiskML </li></ul><ul><li>Project Leader name – ? </li></ul><ul><li>Date – 9/12/03 </li></ul>
    2. 2. Agenda <ul><li>Charter </li></ul><ul><li>Key Deliverables Summary </li></ul><ul><li>Scenario Diagram </li></ul><ul><li>Business Workflow </li></ul><ul><li>BOD’s/Nouns to be added </li></ul><ul><li>BODs to be changed </li></ul><ul><li>Project Team </li></ul><ul><li>Planned Schedule </li></ul><ul><li>Assumptions, Dependencies, and Issues </li></ul><ul><li>Outside Resources </li></ul><ul><li>Questions </li></ul><ul><li>Next Steps </li></ul>
    3. 3. RiskML Charter <ul><li>Sarbanes Oxely: </li></ul><ul><ul><li>New Reporting Requirements </li></ul></ul><ul><ul><ul><li>Sufficient and adequate Internal Controls </li></ul></ul></ul><ul><ul><li>Independence Requirements </li></ul></ul><ul><ul><ul><li>External Audit – Attestation (Section 404) Annually </li></ul></ul></ul><ul><ul><ul><li>Management Certification (Section 302) Quarterly </li></ul></ul></ul><ul><ul><li>Penalties </li></ul></ul><ul><ul><ul><li>Personal and Criminal liability of the Signing Officers </li></ul></ul></ul>
    4. 4. New Enterprise Component
    5. 5. Process (Kinda) Risk and Control Library Risk and Control Library Risk and Control Library Applications Controls Manual Controls Risk Assurance Services External Auditor Process and Procedures Control Testing Management Certification Auditor Attestation
    6. 6. Business Workflow (Kinda) Evaluate Overall Effectiveness,Identify Matters for Improvement, and Establish Monitoring Systems Organize a Project Team to Conduct The Evaluation Evaluate Internal Control at the Entity Level Understand/Agree on Definition Of Internal Control Understand & Evaluate Internal Controls at the Process, Transaction or Application Level Report on Internal Control
    7. 7. Big Assumptions <ul><li>There is no prevailing IP in the structure of the Risk and Control library though there is diverse content captured by audit firms as an embodiment of their expertise. </li></ul><ul><li>The applications built by the software vendors are the true embodiment of their expertise and the structure of the Risk and Control library used is essentially public domain through the COSO framework. </li></ul><ul><li>On implementation of a risk and control library, there is an allied need for a standard mechanism for publication offered by the audit firms to keep the libraries up to date, even though services are always required to provide assurance around the risks. </li></ul><ul><li>There would be a real market need for a standardized vocabulary to describe a risk and control library facilitating risk library information exchange and a standardized mechanism for publication. </li></ul>
    8. 8. So what is COSO? <ul><li>Internal Audits </li></ul><ul><li>Messages from Senior Management </li></ul><ul><li>Policies and Procedures </li></ul><ul><li>Code of Ethics </li></ul>The process which ensures that relevant information is identified and communicated in a timely manner The policies and procedures that help ensure that actions are identified to manage risk are executed and timely The control conscience of an organization. The “tone at the top” The evaluation of internal and external factors that impact an organization’s performance <ul><li>Business Risk Management </li></ul><ul><li>Process Risk Management </li></ul><ul><li>Internal Audit Risk Assessment </li></ul><ul><li>Disclosure Committee </li></ul><ul><li>Delegation of Authority </li></ul><ul><li>Approvals </li></ul><ul><li>Common Processes and Systems </li></ul><ul><li>Segregation of Duties </li></ul><ul><li>Account Reconciliations </li></ul><ul><li>Information Technology Controls </li></ul><ul><li>Code of Ethics </li></ul><ul><li>Documented Policies and Procedures </li></ul><ul><li>Cultural Assessment </li></ul><ul><li>Training </li></ul><ul><li>Management Analysis </li></ul>The process to determine whether internal control is adequately designed, executed effective and adaptive
    9. 9. Big Conclusions <ul><li>With the advent of recent legislation there is increased likelihood of ERP customers and Audit Firms exchanging a great deal of risk and control information. </li></ul><ul><li>The separation of the External Audit from the Risk Assurance activity will mean that Audit firms will be exchanging risk and control information. </li></ul><ul><li>Mapping different formats from different audit firms and different ERP solutions is inefficient, expensive and adds no value to the parties involved. </li></ul>
    10. 10. Biggest Conclusion <ul><li>It is very likely that an XML Standards consortium will fill the market need for standardization. The charter of this group is to form this consortium and solve the problem. </li></ul>
    11. 11. Proposed Scope <ul><li>What is in scope </li></ul><ul><ul><li>Exchange of Risk and Controls Matrix </li></ul></ul><ul><ul><ul><li>Account </li></ul></ul></ul><ul><ul><ul><li>Process </li></ul></ul></ul><ul><ul><ul><li>Risk </li></ul></ul></ul><ul><ul><ul><li>Control </li></ul></ul></ul><ul><ul><ul><li>Issue </li></ul></ul></ul><ul><li>What is out of scope </li></ul><ul><ul><li>Assurance Reporting </li></ul></ul>
    12. 12. Key Deliverables Summary <ul><li>Class Diagram </li></ul><ul><li>Use Case Diagram </li></ul><ul><li>XML Schema Definition </li></ul><ul><li>Surrounding Documentation </li></ul>
    13. 13. BODs/Nouns to be added <ul><li>Financial Statement </li></ul><ul><li>Process </li></ul><ul><li>Objective </li></ul><ul><li>Risk </li></ul><ul><li>Control </li></ul><ul><li>Testing Procedure </li></ul>
    14. 14. BODs to be changed <ul><li>To Be Determined </li></ul>
    15. 15. Project Team <ul><li>? – Project Leader </li></ul><ul><li>Nigel King – Oracle Worker </li></ul><ul><li>Arthur Stewart – E&Y Worker </li></ul><ul><li>Bastin Gerald – Oracle Worker </li></ul><ul><li>Sampathkumar – Worker </li></ul><ul><li>Mike Rowell – OAG Worker </li></ul><ul><li>Sohail Siddiqui – PWC Worker </li></ul><ul><li>Sean Spillane – Deloitte Worker </li></ul><ul><li>Brad Straw – PWC Worker </li></ul>
    16. 16. Planned Schedule <ul><li>1st Draft delivery December ‘03 </li></ul><ul><li>1st Review Jan ‘04 </li></ul><ul><li>2nd Review and Vote in Mar ‘04. </li></ul>
    17. 17. Assumptions, Dependencies and Issues <ul><li>Assumptions </li></ul><ul><ul><li>Will have enough people/time committed to making this happen </li></ul></ul><ul><li>Dependencies </li></ul><ul><ul><li>We need the ongoing buy in of the Risk Assurance community. </li></ul></ul><ul><li>Issues </li></ul><ul><ul><li>The Risk Assurance firms provide services around the risks and assurance thereon. The Risk library in “Abstract” has little assurance value. </li></ul></ul>
    18. 18. Outside Resources <ul><li>XBRL Community for Financial Statement Definition (Feelers out) </li></ul><ul><li>Institute of Internal Auditors for Domain Expertise (Feelers out) </li></ul><ul><li>Public Company Accounting Oversight Board for Authority (Feelers out) </li></ul><ul><li>XBRL (For Process Definition) </li></ul>
    19. 19. Questions? * This is the time to address any questions not asked during the presentation.
    20. 20. Next steps <ul><li>Decision on Project </li></ul><ul><ul><li>Approved/not Approved? </li></ul></ul><ul><li>Call for Team Members </li></ul><ul><li>Schedule Meeting </li></ul><ul><ul><li>Conference Call </li></ul></ul><ul><ul><li>Face to Face </li></ul></ul><ul><li>Set up eGroup (Done - </li></ul><ul><li>Assign OAGI Architect </li></ul>