COSO and Internal Audit<br />Ijaz ur Rehman Qureshi<br />
Session objectives <br />By the end of the session you will be able to <br />Understand how COSO links to our audit approach<br />Understand the dimensions of the COSO cube<br />List the 5 internal control components<br />Describe the key considerations within each component<br />Have an awareness of COSO2<br />
What are the 4 stages of the ACM?<br />Scoping<br />Understanding<br />Evaluating<br />Validating<br />
Where does COSO fit into Audit<br />When performing the understanding, evaluating and validating stages we look at our clients’ internal controls.<br />SCOPING<br />VALIDATING<br />AUDITCOMFORT<br />CYCLE<br />UNDERSATANDING<br />EVALUATING<br />INTERNALCONTROLS<br />
Internal Control Framework (COSO)<br />SCOPING<br />VALIDATING<br />AUDITCOMFORT<br />CYCLE<br />UNDERSATANDING<br />EVALUATING<br />INTERNALCONTROLS<br />COSO = Framework <br />against which we <br />assess internal <br />controls<br />
Who or what is COSO?<br />The Committee of Sponsoring Organizations of the Treadway Commission<br />Voluntary, private sector organisation originally formed in 1985<br />Dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.<br />
Five components of internal control<br />Monitoring<br />Information and Communication<br />Control Activities<br />Risk Assessment<br />Control Environment<br />The five components of internal control as <br />described in the COSO framework are as follows:<br />
Understanding Control Activities <br /><ul><li>Policies/procedures that ensure management directives are carried out.
They help ensure that necessary actions are taken to address risks.
Control activities occur throughout the organization, at all levels and in all functions.
Range of activities including:</li></ul>Approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.<br />
COSO and Control Activities <br /><ul><li>Business performance reviews:
Segregation of duties </li></li></ul><li>Understanding Monitoring <br /><ul><li>Assessment of a control system’s performance over time.
Combination of ongoing and separate evaluation.
Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
The combination of ongoing and separate evaluations will ensure that the internal control system remains effective over time.</li></li></ul><li>Understanding Information andCommunication <br /><ul><li>Pertinent information is identified, captured and communicated in a timeframe that allows people to carry out their responsibilities.
Includes internal and externally information about events, activities and conditions necessary for informed business decision-making and external reporting.
Flow of information that allows for successful control from instructions on responsibilities to summary of findings for management action.</li></li></ul><li>Understanding Risk Assessment <br /><ul><li>A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent.
The identification and analysis of relevant risks to achievement of the objectives.
Forms a basis for determining how risks should be managed.
Mechanisms are needed to identify and deal with the special risks associated with change.</li></li></ul><li>Understanding ControlEnvironment <br /><ul><li> Sets the tone of an organization, influencing the control consciousness of its people.
The way authority and responsibility are assigned, and
The attention and direction provided by the board.
Foundation for all other components of control.</li></li></ul><li>Reflecting COSO in our documentation<br />SCOPING<br />VALIDATING<br />AUDITCOMFORT<br />CYCLE<br />UNDERSATANDING<br />EVALUATING<br />INTERNALCONTROLS<br />
Enterprise Risk Management - COSO 2<br />Enterprise Risk Management (ERM) model was developed.<br />Incorporates the notion of risk administration, defined as a process designed to identify future events that can rebound in the future of the entity.<br />Enterprise objectives defined in 4 categories:<br />Strategic<br />Operational<br />Informative<br />Observance<br />
ERM Includes<br />Alignment of the appetite of risk and strategy. <br />It improves the answer to the waterings. <br />It reduces surprises and operational losses. <br />To take possession of opportunities. <br />
ERM Components<br />Original COSO Components:<br />Control Activities<br />Risk Assessment<br />Information & Communication<br />Monitoring of Controls<br />Environment (Control Environment)<br />Plus: <br />Establishment of objectives<br />Identification of events<br />Answer to the risk<br />
Summary<br />Upon conclusion of this session you should now:<br />Understand how COSO fits into our audit approach<br />Understand the dimensions of the COSO cube<br />List the 5 internal control components<br />Describe the key considerations within each component<br />Have an awareness of COSO2<br />
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.