Session objectives By the end of the session you will be able to Understand how COSO links to our audit approach Understand the dimensions of the COSO cube List the 5 internal control components Describe the key considerations within each component Have an awareness of COSO2
What are the 4 stages of the ACM? Scoping Understanding Evaluating Validating
Where does COSO fit into Audit When performing the understanding, evaluating and validating stages we look at our clients’ internal controls. SCOPING VALIDATING AUDITCOMFORT CYCLE UNDERSATANDING EVALUATING INTERNALCONTROLS
Internal Control Framework (COSO) SCOPING VALIDATING AUDITCOMFORT CYCLE UNDERSATANDING EVALUATING INTERNALCONTROLS COSO = Framework against which we assess internal controls
Who or what is COSO? The Committee of Sponsoring Organizations of the Treadway Commission Voluntary, private sector organisation originally formed in 1985 Dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.
Five components of internal control Monitoring Information and Communication Control Activities Risk Assessment Control Environment The five components of internal control as described in the COSO framework are as follows:
Understanding Control Activities
Policies/procedures that ensure management directives are carried out.
They help ensure that necessary actions are taken to address risks.
Control activities occur throughout the organization, at all levels and in all functions.
Range of activities including:
Approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
COSO and Control Activities
Business performance reviews:
Top Level Reviews
Direct Functional or Activity Management
IT general controls
Segregation of duties
Assessment of a control system’s performance over time.
Combination of ongoing and separate evaluation.
Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
The combination of ongoing and separate evaluations will ensure that the internal control system remains effective over time.
Understanding Information andCommunication
Pertinent information is identified, captured and communicated in a timeframe that allows people to carry out their responsibilities.
Includes internal and externally information about events, activities and conditions necessary for informed business decision-making and external reporting.
Flow of information that allows for successful control from instructions on responsibilities to summary of findings for management action.
Understanding Risk Assessment
A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent.
The identification and analysis of relevant risks to achievement of the objectives.
Forms a basis for determining how risks should be managed.
Mechanisms are needed to identify and deal with the special risks associated with change.
Sets the tone of an organization, influencing the control consciousness of its people.
Integrity and ethical values,
Competence of people,
Management’s operating philosophy,
The way authority and responsibility are assigned, and
The attention and direction provided by the board.
Enterprise Risk Management - COSO 2 Enterprise Risk Management (ERM) model was developed. Incorporates the notion of risk administration, defined as a process designed to identify future events that can rebound in the future of the entity. Enterprise objectives defined in 4 categories: Strategic Operational Informative Observance
ERM Includes Alignment of the appetite of risk and strategy. It improves the answer to the waterings. It reduces surprises and operational losses. To take possession of opportunities.
ERM Components Original COSO Components: Control Activities Risk Assessment Information & Communication Monitoring of Controls Environment (Control Environment) Plus: Establishment of objectives Identification of events Answer to the risk
Summary Upon conclusion of this session you should now: Understand how COSO fits into our audit approach Understand the dimensions of the COSO cube List the 5 internal control components Describe the key considerations within each component Have an awareness of COSO2