The document discusses COSO (Committee of Sponsoring Organizations of the Treadway Commission), an internal control framework that auditors use to assess clients' internal controls. It describes the five components of COSO - control environment, risk assessment, control activities, information and communication, and monitoring. The document also discusses how COSO fits into the audit process and provides an overview of COSO 2, which incorporates enterprise risk management.

1. COSO and Internal AuditIjaz ur Rehman Qureshi

2. Session objectives By the end of the session you will be able to Understand how COSO links to our audit approachUnderstand the dimensions of the COSO cubeList the 5 internal control componentsDescribe the key considerations within each componentHave an awareness of COSO2

3. What are the 4 stages of the ACM?ScopingUnderstandingEvaluatingValidating

4. Where does COSO fit into AuditWhen performing the understanding, evaluating and validating stages we look at our clients’ internal controls.SCOPINGVALIDATINGAUDITCOMFORTCYCLEUNDERSATANDINGEVALUATINGINTERNALCONTROLS

5. Internal Control Framework (COSO)SCOPINGVALIDATINGAUDITCOMFORTCYCLEUNDERSATANDINGEVALUATINGINTERNALCONTROLSCOSO = Framework against which we assess internal controls

6. Who or what is COSO?The Committee of Sponsoring Organizations of the Treadway CommissionVoluntary, private sector organisation originally formed in 1985Dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.

7. Five components of internal controlMonitoringInformation and CommunicationControl ActivitiesRisk AssessmentControl EnvironmentThe five components of internal control as described in the COSO framework are as follows:

8. Understanding Control Activities Policies/procedures that ensure management directives are carried out.

9. They help ensure that necessary actions are taken to address risks.

10. Control activities occur throughout the organization, at all levels and in all functions.

11. Range of activities including:Approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

12. COSO and Control Activities Business performance reviews:

13. Top Level Reviews

14. Direct Functional or Activity Management

15. Performance Indicators

16. Information Processing

17. Application controls

18. IT general controls

19. Physical Controls

20. Segregation of duties Understanding Monitoring Assessment of a control system’s performance over time.

21. Combination of ongoing and separate evaluation.

22. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

23. The combination of ongoing and separate evaluations will ensure that the internal control system remains effective over time.Understanding Information andCommunication Pertinent information is identified, captured and communicated in a timeframe that allows people to carry out their responsibilities.

24. Includes internal and externally information about events, activities and conditions necessary for informed business decision-making and external reporting.

25. Flow of information that allows for successful control from instructions on responsibilities to summary of findings for management action.Understanding Risk Assessment A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent.

26. The identification and analysis of relevant risks to achievement of the objectives.

27. Forms a basis for determining how risks should be managed.

28. Mechanisms are needed to identify and deal with the special risks associated with change.Understanding ControlEnvironment Sets the tone of an organization, influencing the control consciousness of its people.

29. Factors include:

30. Integrity and ethical values,

31. Competence of people,

32. HR practices,

33. Management’s operating philosophy,

34. The way authority and responsibility are assigned, and

35. The attention and direction provided by the board.

36. Foundation for all other components of control.Reflecting COSO in our documentationSCOPINGVALIDATINGAUDITCOMFORTCYCLEUNDERSATANDINGEVALUATINGINTERNALCONTROLS

37. Enterprise Risk Management - COSO 2Enterprise Risk Management (ERM) model was developed.Incorporates the notion of risk administration, defined as a process designed to identify future events that can rebound in the future of the entity.Enterprise objectives defined in 4 categories:StrategicOperationalInformativeObservance

38. ERM IncludesAlignment of the appetite of risk and strategy. It improves the answer to the waterings. It reduces surprises and operational losses. To take possession of opportunities.

39. ERM ComponentsOriginal COSO Components:Control ActivitiesRisk AssessmentInformation & CommunicationMonitoring of ControlsEnvironment (Control Environment)Plus: Establishment of objectivesIdentification of eventsAnswer to the risk

40. SummaryUpon conclusion of this session you should now:Understand how COSO fits into our audit approachUnderstand the dimensions of the COSO cubeList the 5 internal control componentsDescribe the key considerations within each componentHave an awareness of COSO2