SlideShare a Scribd company logo

Internal Audit COSO Framework

Download as PPT, PDF
J
Jesús Gándara

Summary of the document "COSO Internal Control Framework" (www.coso.org )

Business
1 of 12
Internal Audit Internal Control Framework (COSO) Information Source: - COSO Internal Control Framework ( www.coso.org )
Internal Audit Internal Control Framework (COSO) The COSO Framework states that “monitoring ensures that internal control continues to operate effectively.” COSO’s 2006 Guidance enhances the understanding of monitoring by articulating the following two related principles: • Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time. • Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate. Monitoring involves establishing a foundation for monitoring, designing and executing monitoring procedures that are prioritized based on risk, and assessing and reporting the results, including following up on corrective action where necessary.
Internal Audit Internal Control Framework (COSO) Planning and organizational support form the foundation for monitoring, which includes a tone from the top about the importance of internal control (including monitoring), an organizational structure that considers the roles of management and the board in regard to monitoring and the use of evaluators with appropriate capabilities, objectivity and authority, and a baseline understanding of internal control effectiveness. As with every internal control component, the ways in which management and the board express their beliefs about the importance of monitoring have a direct impact on its effectiveness. Management’s tone influences the way employees conduct and react to monitoring. Likewise, the board’s tone influences he way management conducts and reacts to monitoring. Tone from the Top Organizational Structure Role of Management and the Board — Management has the primary responsibility for the effectiveness of an organization’s internal control system. Management establishes the system and makes sure that it continues to operate effectively. However, controls performed directly by members of senior management cannot be monitored objectively by those individuals or their designees. The board may also need to monitor such controls, which it frequently accomplishes through an audit committee and an internal audit function . In most cases, the board is ultimately responsible for determining whether management has implemented effective internal control (including monitoring). Establishing a Foundation for Monitoring
Internal Audit Internal Control Framework (COSO) Organizational Structure Baseline Understanding of Internal Control Effectiveness When ongoing-monitoring or separate-evaluation procedures identify a change in the environment, the organization determines whether a corresponding change is needed in the internal control system. When monitoring identifies a change in the internal control system, the organization needs to verify whether that change was designed and implemented properly. Characteristics of Evaluators — Monitoring is conducted by evaluators who are appropriately competent and objective in the given circumstances. Competence refers to the evaluator’s knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency. The evaluator’s objectivity refers to the extent to which he or she can be expected to perform an evaluation with no concern about possible personal consequences and no vested interest in manipulating the information for personal benefit or self-preservation. Monitoring starts with a supported understanding of the internal control system’s design and of whether controls have been implemented to accomplish the organization’s internal control objectives. An established baseline understanding of internal control effectiveness provides an appropriate starting point for more-effective and more-efficient monitoring — monitoring that focuses on identifying changes either in the environment or in the internal control system and on the organization’s ability to manage those changes properly.
Internal Audit Internal Control Framework (COSO) Designing and Executing Monitoring Procedures The core of effective and efficient monitoring lies in designing and executing monitoring procedures that evaluate important controls over meaningful risks to the organization’s objectives. The model reiterates the importance of understanding risks, and the relationship of controls to risks, as a fundamental part of the COSO Framework.
Internal Audit Internal Control Framework (COSO) Designing monitoring begins with understanding and prioritizing the risks to achieving important organizational objectives. Prioritizing risks helps identify which risks are meaningful enough to subject to control monitoring. In a properly operating internal control system, the risk assessment component will routinely identify and prioritize risks to the organization’s objectives. Important controls — often referred to as key controls — are those that are most important to monitor in order to support a conclusion about the internal control system’s ability to operate effectively. They often have one or both of the following characteristics: • Their failure might materially affect the organization’s objectives, yet not reasonably be detected in a timely manner by other controls, and/or • Their operation might prevent other control failures or detect such failures before they have an opportunity to become material to the organization’s objectives. Once key controls are noted, evaluators identify the information that will support a conclusion about whether those controls have been implemented and are operating as designed. Identifying this information entails knowing how control failure might occur and what information will be persuasive in determining whether the control system is or is not working properly. The identification of persuasive information allows the organization to determine which monitoring procedures to employ (i.e., ongoing monitoring or separate evaluations), as well as the frequency with which the monitoring procedures should take place.
Internal Audit Internal Control Framework (COSO) Persuasive Information To be effective, monitoring must evaluate a sufficient amount of suitable information. Suitable information is relevant, reliable , and timely in the given circumstances. Sufficient suitable information provides the evaluator with the support needed to conclude on the internal control system’s ability to manage or mitigate identified risks. One of the most important aspects of suitability (and, thus, of persuasive information) is the distinction between direct and indirect information . Direct information substantiates the operation of controls and is obtained by observing controls in operation, reperforming them, or otherwise testing their operation directly. It can be useful in both ongoing monitoring and separate evaluations. Generally, direct information is highly relevant because it provides an unobstructed view of control operation. Indirect information is all other information used to infer whether controls or control components continue to operate effectively. It either relates to or is produced by the process in which the controls reside. Indirect information might include, but is not limited to, operating statistics, key risk indicators , key performance indicators , and comparative industry metrics. Approaches and Frequency With the risks prioritized, key controls noted, and available persuasive information identified, the organization implements monitoring procedures that evaluate the effectiveness of the internal control system’s ability to manage or mitigate the identified risks. Monitoring involves the use of ongoing monitoring procedures and/or separate evaluations to gather and analyze persuasive information supporting conclusions about the effectiveness of internal control across all five COSO components.
Internal Audit Internal Control Framework (COSO) Approaches and Frequency Ongoing monitoring occurs when the normal operations of an organization provide feedback — through both direct and indirect information — to risk owners about the effectiveness of the internal control system. It includes regular management and supervisory activities, peer comparisons and trend analysis using internal and external data, reconciliations, and other routine actions. Ongoing monitoring might also include automated tools that electronically evaluate controls and/or transactions. Because they are performed routinely, often on a real-time basis, ongoing monitoring procedures can offer the first opportunity to identify and correct control deficiencies. Separate evaluations can employ the same techniques as ongoing monitoring, but they are designed to evaluate controls periodically and are not ingrained in the daily operations of the organization. They do, however, play an important role in monitoring in that they often provide: • A more objective analysis of control effectiveness than ongoing monitoring procedures that are often performed by less objective personnel, and • Periodic feedback regarding the effectiveness of ongoing monitoring procedures. When ongoing monitoring is effective, periodic separate evaluations are used as necessary to reconfirm the conclusions reached through ongoing monitoring. Separate evaluations are also used to address controls that are not subject to ongoing monitoring.
Internal Audit Internal Control Framework (COSO) Assessing and Reporting Results The monitoring process is complete when the results are compiled and reported to appropriate personnel. This final stage enables the results of monitoring to either confirm previously established expectations about the effectiveness of internal control or highlight identified deficiencies for possible corrective action. Prioritizing and Communicating Results Identifying and prioritizing potential control deficiencies allows organizations to determine the levels to which the potential deficiencies should be reported, and the corrective action, if any, that should be taken. Several factors may influence an organization’s prioritization of identified deficiencies, including: • The likelihood that the deficiency will result in an error, • The effectiveness of other, compensating controls , • The potential effect of an identified deficiency on organizational objectives, • The potential effect of the deficiency on other objectives, and • The aggregating effect of multiple deficiencies.
Internal Audit Internal Control Framework (COSO) Reporting Externally A properly designed and executed monitoring program helps support external assertions because it provides persuasive information that internal control operated effectively at a point in time or during a particular period. The presence of external assertion requirements may affect the type, timing, and extent of monitoring an organization decides to perform. Therefore, organizations that are required to report to third parties on the effectiveness of their internal control system may design and execute monitoring activities differently than entities that are not required to report. Reporting protocols vary depending on the purpose for which the monitoring is conducted and the severity of the deficiencies. Typically, the results of monitoring conducted for purposes of evaluating an organization’s entity-wide objectives are reported to senior management and the board. Control deficiencies should be reported to the person directly responsible for the control’s operation and to management that has oversight responsibilities and is at least one level higher. Reporting at least to these two levels gives the responsible person the information necessary to correct control operation and also helps ensure that appropriately objective people are involved in the severity assessment and followup.
Internal Audit Internal Control Framework (COSO) Summary Considerations Regarding Effective Monitoring Many organizations are performing effective monitoring in certain areas, but are not fully utilizing the results of that monitoring to support their conclusions about the effectiveness of the internal control system. Monitoring considers how the entire internal control system addresses meaningful risks, not how individual control activities operate in isolation, without regard to the level of risk and the effectiveness of other elements of the internal control system. Monitoring works best when management approaches it proactively, establishing a baseline understanding of internal control effectiveness and an information system that alerts it to changes in internal control processes or risks that affect the need to change or add controls. The board has important responsibilities in monitoring internal control (especially the controls that relate to ensuring a strong tone from the top) and in mitigating the risk of management override. Internal audit , through added skills and objectivity, can play an important role in assisting management and the board in monitoring, especially as organizations grow in size and complexity. 1. 2. 3. 4. 5.
Internal Audit Internal Control Framework (COSO) Summary Considerations Regarding Effective Monitoring Organizations should follow a systematic process in determining “what” and “how” to monitor. That process is developed in this guidance and starts with identifying and prioritizing the risks that are being mitigated by effective internal controls. Judgment is required in determining both the optimal approach to monitoring, and the effectiveness of monitoring. Monitoring generally includes the use of both direct and indirect information. However, indirect information can be used only for a finite period of time without some direct evidence that the underlying control is operating effectively. Monitoring can be performed using either “ongoing” monitoring activities or “separate evaluations.” Most organizations will use a combination of both approaches, but ongoing monitoring using appropriately persuasive information is often most effective and efficient. Computerized applications have undergone substantial development and can be built into, or added onto, existing computer applications, providing a high degree of continuous monitoring. 6. 7. 8. 9. 10.

Recommended

Coso framework
Coso frameworkCoso framework
Coso frameworkDarryl Woolley
 
Model i best practice evaluation worksheet for ia
Model i best practice evaluation worksheet for iaModel i best practice evaluation worksheet for ia
Model i best practice evaluation worksheet for iaRajeswaran Muthu Venkatachalam
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Auditijazurrehman
 
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKPOSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKHaresh Lalwani
 
Improving effectiveness of internal auditing
Improving effectiveness of internal auditingImproving effectiveness of internal auditing
Improving effectiveness of internal auditingPECB
 
Risk based internal auditing
Risk based internal auditing Risk based internal auditing
Risk based internal auditingFrederick Altum Pokoo-Aikins
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 
Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit pptLetzconsult.com
 

Recommended

Coso framework
Coso frameworkCoso framework
Coso frameworkDarryl Woolley
 
Model i best practice evaluation worksheet for ia
Model i best practice evaluation worksheet for iaModel i best practice evaluation worksheet for ia
Model i best practice evaluation worksheet for iaRajeswaran Muthu Venkatachalam
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Auditijazurrehman
 
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKPOSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKHaresh Lalwani
 
Improving effectiveness of internal auditing
Improving effectiveness of internal auditingImproving effectiveness of internal auditing
Improving effectiveness of internal auditingPECB
 
Risk based internal auditing
Risk based internal auditing Risk based internal auditing
Risk based internal auditingFrederick Altum Pokoo-Aikins
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 
Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit pptLetzconsult.com
 
Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit pptIbrahim Jimalle
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit MethodologyManoj Agarwal
 
Internal Audit effectiveness
Internal Audit effectivenessInternal Audit effectiveness
Internal Audit effectivenessKaran Puri
 
The Internal Audit Framework
The Internal Audit FrameworkThe Internal Audit Framework
The Internal Audit FrameworkAhmad Tariq Bhatti
 
Governance, risk and compliance framework
Governance, risk and compliance frameworkGovernance, risk and compliance framework
Governance, risk and compliance frameworkCeyeap
 
Are You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls FrameworkAre You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls FrameworkBlackLine
 
Process Audit and ISO
Process Audit and ISOProcess Audit and ISO
Process Audit and ISOSadafhazel
 
MEASURING INTERNAL AUDIT PERFORMANCE
MEASURING INTERNAL AUDIT PERFORMANCEMEASURING INTERNAL AUDIT PERFORMANCE
MEASURING INTERNAL AUDIT PERFORMANCEbbongio
 
Internal audit
Internal auditInternal audit
Internal auditShoab Malek (Certified Quality Auditor)
 
Standards of Internal Audit
Standards of Internal AuditStandards of Internal Audit
Standards of Internal AuditKaran Puri
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management FrameworkTreasury Consulting LLP
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing PresentationVernon Benjamin
 
Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Illustrative Tools for Assessing Effectiveness of a System of Internal Control Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Illustrative Tools for Assessing Effectiveness of a System of Internal Control Tahir Abbas
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing PresentationVernon Benjamin
 
Recent COSO Internal Control and Risk Management Developments
Recent COSO Internal Control and Risk Management DevelopmentsRecent COSO Internal Control and Risk Management Developments
Recent COSO Internal Control and Risk Management DevelopmentsInternational Federation of Accountants
 
Internal audit report writing
Internal audit report writingInternal audit report writing
Internal audit report writingNeha Kothari
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesManoj Agarwal
 
Internal Auditor Roles
Internal Auditor RolesInternal Auditor Roles
Internal Auditor RolesIyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
Internal Audit
Internal AuditInternal Audit
Internal AuditAhmad Tariq Bhatti
 
Internal audit
Internal auditInternal audit
Internal auditS.M. Towhidul Islam
 
INTERNAL CONTROL-PPT.pptx
INTERNAL CONTROL-PPT.pptxINTERNAL CONTROL-PPT.pptx
INTERNAL CONTROL-PPT.pptxHeldaMaryA
 
Controlling
ControllingControlling
ControllingSa Na
 

More Related Content

What's hot

Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit MethodologyManoj Agarwal
 
Internal Audit effectiveness
Internal Audit effectivenessInternal Audit effectiveness
Internal Audit effectivenessKaran Puri
 
Governance, risk and compliance framework
Governance, risk and compliance frameworkGovernance, risk and compliance framework
Governance, risk and compliance frameworkCeyeap
 
Are You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls FrameworkAre You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls FrameworkBlackLine
 
Process Audit and ISO
Process Audit and ISOProcess Audit and ISO
Process Audit and ISOSadafhazel
 
MEASURING INTERNAL AUDIT PERFORMANCE
MEASURING INTERNAL AUDIT PERFORMANCEMEASURING INTERNAL AUDIT PERFORMANCE
MEASURING INTERNAL AUDIT PERFORMANCEbbongio
 
Standards of Internal Audit
Standards of Internal AuditStandards of Internal Audit
Standards of Internal AuditKaran Puri
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management FrameworkTreasury Consulting LLP
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing PresentationVernon Benjamin
 
Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Illustrative Tools for Assessing Effectiveness of a System of Internal Control Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Illustrative Tools for Assessing Effectiveness of a System of Internal Control Tahir Abbas
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing PresentationVernon Benjamin
 
Internal audit report writing
Internal audit report writingInternal audit report writing
Internal audit report writingNeha Kothari
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesManoj Agarwal
 

What's hot (20)

Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit ppt
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit Methodology
 
Internal Audit effectiveness
Internal Audit effectivenessInternal Audit effectiveness
Internal Audit effectiveness
 
The Internal Audit Framework
The Internal Audit FrameworkThe Internal Audit Framework
The Internal Audit Framework
 
Governance, risk and compliance framework
Governance, risk and compliance frameworkGovernance, risk and compliance framework
Governance, risk and compliance framework
 
Are You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls FrameworkAre You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls Framework
 
Process Audit and ISO
Process Audit and ISOProcess Audit and ISO
Process Audit and ISO
 
MEASURING INTERNAL AUDIT PERFORMANCE
MEASURING INTERNAL AUDIT PERFORMANCEMEASURING INTERNAL AUDIT PERFORMANCE
MEASURING INTERNAL AUDIT PERFORMANCE
 
Internal audit
Internal auditInternal audit
Internal audit
 
Standards of Internal Audit
Standards of Internal AuditStandards of Internal Audit
Standards of Internal Audit
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management Framework
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing Presentation
 
Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Illustrative Tools for Assessing Effectiveness of a System of Internal Control Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Illustrative Tools for Assessing Effectiveness of a System of Internal Control
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing Presentation
 
Recent COSO Internal Control and Risk Management Developments
Recent COSO Internal Control and Risk Management DevelopmentsRecent COSO Internal Control and Risk Management Developments
Recent COSO Internal Control and Risk Management Developments
 
Internal audit report writing
Internal audit report writingInternal audit report writing
Internal audit report writing
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling Techniques
 
Internal Auditor Roles
Internal Auditor RolesInternal Auditor Roles
Internal Auditor Roles
 
Internal Audit
Internal AuditInternal Audit
Internal Audit
 
Internal audit
Internal auditInternal audit
Internal audit
 

Similar to Internal Audit COSO Framework

INTERNAL CONTROL-PPT.pptx
INTERNAL CONTROL-PPT.pptxINTERNAL CONTROL-PPT.pptx
INTERNAL CONTROL-PPT.pptxHeldaMaryA
 
Controlling
ControllingControlling
ControllingSa Na
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self AssessmentManoj Agarwal
 
topic 3 internal controls..audit.pptx
topic 3 internal controls..audit.pptxtopic 3 internal controls..audit.pptx
topic 3 internal controls..audit.pptxvailethmwaisanila
 
Designing Effective Financial Controls
Designing Effective Financial ControlsDesigning Effective Financial Controls
Designing Effective Financial ControlsStephen G. Lynch
 
Internal control system
Internal control systemInternal control system
Internal control systemMadiha Hassan
 
Internal control system
Internal control systemInternal control system
Internal control systemMadiha Hassan
 
Evaluation of the effect of monitoring and control activities on fraud detect...
Evaluation of the effect of monitoring and control activities on fraud detect...Evaluation of the effect of monitoring and control activities on fraud detect...
Evaluation of the effect of monitoring and control activities on fraud detect...Alexander Decker
 
Internal control.. control env
Internal control.. control envInternal control.. control env
Internal control.. control envPhillys Sebastiane
 
Managerial Control By Rajendra Nath Naik
Managerial Control By Rajendra Nath NaikManagerial Control By Rajendra Nath Naik
Managerial Control By Rajendra Nath NaikRajendra Nath Naik
 
Controlling in management
Controlling in managementControlling in management
Controlling in managementTumblr
 
CS1-1Internal Auditing Assurance & Advisory Services, 3rd Edi.docx
CS1-1Internal Auditing Assurance & Advisory Services, 3rd Edi.docxCS1-1Internal Auditing Assurance & Advisory Services, 3rd Edi.docx
CS1-1Internal Auditing Assurance & Advisory Services, 3rd Edi.docxannettsparrow
 

Similar to Internal Audit COSO Framework (20)

INTERNAL CONTROL-PPT.pptx
INTERNAL CONTROL-PPT.pptxINTERNAL CONTROL-PPT.pptx
INTERNAL CONTROL-PPT.pptx
 
Controlling
ControllingControlling
Controlling
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self Assessment
 
topic 3 internal controls..audit.pptx
topic 3 internal controls..audit.pptxtopic 3 internal controls..audit.pptx
topic 3 internal controls..audit.pptx
 
Designing Effective Financial Controls
Designing Effective Financial ControlsDesigning Effective Financial Controls
Designing Effective Financial Controls
 
Internal control system
Internal control systemInternal control system
Internal control system
 
Internal control system
Internal control systemInternal control system
Internal control system
 
Presentation 5, System based audit approach - what is it about?, Workshop on ...
Presentation 5, System based audit approach - what is it about?, Workshop on ...Presentation 5, System based audit approach - what is it about?, Workshop on ...
Presentation 5, System based audit approach - what is it about?, Workshop on ...
 
Evaluation of the effect of monitoring and control activities on fraud detect...
Evaluation of the effect of monitoring and control activities on fraud detect...Evaluation of the effect of monitoring and control activities on fraud detect...
Evaluation of the effect of monitoring and control activities on fraud detect...
 
Internal control
Internal controlInternal control
Internal control
 
Controlling
Controlling Controlling
Controlling
 
Internal control.. control env
Internal control.. control envInternal control.. control env
Internal control.. control env
 
Controlling
ControllingControlling
Controlling
 
Coso Monitoring - Templates
Coso Monitoring - TemplatesCoso Monitoring - Templates
Coso Monitoring - Templates
 
Control28
Control28Control28
Control28
 
Managerial Control By Rajendra Nath Naik
Managerial Control By Rajendra Nath NaikManagerial Control By Rajendra Nath Naik
Managerial Control By Rajendra Nath Naik
 
Controlling in management
Controlling in managementControlling in management
Controlling in management
 
CONTROLLING
CONTROLLING CONTROLLING
CONTROLLING
 
Audit procedures
Audit proceduresAudit procedures
Audit procedures
 
CS1-1Internal Auditing Assurance & Advisory Services, 3rd Edi.docx
CS1-1Internal Auditing Assurance & Advisory Services, 3rd Edi.docxCS1-1Internal Auditing Assurance & Advisory Services, 3rd Edi.docx
CS1-1Internal Auditing Assurance & Advisory Services, 3rd Edi.docx
 

Recently uploaded

Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingShawn Pang
 
7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...Paul Menig
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024christinemoorman
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communicationskarancommunications
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...lizamodels9
 
Progress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitProgress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitHolger Mueller
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewasmakika9823
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetCreating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetDenis Gagné
 
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxSocio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxtrishalcan8
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Tina Ji
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 

Recently uploaded (20)

Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024
 
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
Progress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitProgress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst Summit
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetCreating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
 
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxSocio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 

Internal Audit COSO Framework

  • 1. Internal Audit Internal Control Framework (COSO) Information Source: - COSO Internal Control Framework ( www.coso.org )
  • 2. Internal Audit Internal Control Framework (COSO) The COSO Framework states that “monitoring ensures that internal control continues to operate effectively.” COSO’s 2006 Guidance enhances the understanding of monitoring by articulating the following two related principles: • Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time. • Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate. Monitoring involves establishing a foundation for monitoring, designing and executing monitoring procedures that are prioritized based on risk, and assessing and reporting the results, including following up on corrective action where necessary.
  • 3. Internal Audit Internal Control Framework (COSO) Planning and organizational support form the foundation for monitoring, which includes a tone from the top about the importance of internal control (including monitoring), an organizational structure that considers the roles of management and the board in regard to monitoring and the use of evaluators with appropriate capabilities, objectivity and authority, and a baseline understanding of internal control effectiveness. As with every internal control component, the ways in which management and the board express their beliefs about the importance of monitoring have a direct impact on its effectiveness. Management’s tone influences the way employees conduct and react to monitoring. Likewise, the board’s tone influences he way management conducts and reacts to monitoring. Tone from the Top Organizational Structure Role of Management and the Board — Management has the primary responsibility for the effectiveness of an organization’s internal control system. Management establishes the system and makes sure that it continues to operate effectively. However, controls performed directly by members of senior management cannot be monitored objectively by those individuals or their designees. The board may also need to monitor such controls, which it frequently accomplishes through an audit committee and an internal audit function . In most cases, the board is ultimately responsible for determining whether management has implemented effective internal control (including monitoring). Establishing a Foundation for Monitoring
  • 4. Internal Audit Internal Control Framework (COSO) Organizational Structure Baseline Understanding of Internal Control Effectiveness When ongoing-monitoring or separate-evaluation procedures identify a change in the environment, the organization determines whether a corresponding change is needed in the internal control system. When monitoring identifies a change in the internal control system, the organization needs to verify whether that change was designed and implemented properly. Characteristics of Evaluators — Monitoring is conducted by evaluators who are appropriately competent and objective in the given circumstances. Competence refers to the evaluator’s knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency. The evaluator’s objectivity refers to the extent to which he or she can be expected to perform an evaluation with no concern about possible personal consequences and no vested interest in manipulating the information for personal benefit or self-preservation. Monitoring starts with a supported understanding of the internal control system’s design and of whether controls have been implemented to accomplish the organization’s internal control objectives. An established baseline understanding of internal control effectiveness provides an appropriate starting point for more-effective and more-efficient monitoring — monitoring that focuses on identifying changes either in the environment or in the internal control system and on the organization’s ability to manage those changes properly.
  • 5. Internal Audit Internal Control Framework (COSO) Designing and Executing Monitoring Procedures The core of effective and efficient monitoring lies in designing and executing monitoring procedures that evaluate important controls over meaningful risks to the organization’s objectives. The model reiterates the importance of understanding risks, and the relationship of controls to risks, as a fundamental part of the COSO Framework.
  • 6. Internal Audit Internal Control Framework (COSO) Designing monitoring begins with understanding and prioritizing the risks to achieving important organizational objectives. Prioritizing risks helps identify which risks are meaningful enough to subject to control monitoring. In a properly operating internal control system, the risk assessment component will routinely identify and prioritize risks to the organization’s objectives. Important controls — often referred to as key controls — are those that are most important to monitor in order to support a conclusion about the internal control system’s ability to operate effectively. They often have one or both of the following characteristics: • Their failure might materially affect the organization’s objectives, yet not reasonably be detected in a timely manner by other controls, and/or • Their operation might prevent other control failures or detect such failures before they have an opportunity to become material to the organization’s objectives. Once key controls are noted, evaluators identify the information that will support a conclusion about whether those controls have been implemented and are operating as designed. Identifying this information entails knowing how control failure might occur and what information will be persuasive in determining whether the control system is or is not working properly. The identification of persuasive information allows the organization to determine which monitoring procedures to employ (i.e., ongoing monitoring or separate evaluations), as well as the frequency with which the monitoring procedures should take place.
  • 7. Internal Audit Internal Control Framework (COSO) Persuasive Information To be effective, monitoring must evaluate a sufficient amount of suitable information. Suitable information is relevant, reliable , and timely in the given circumstances. Sufficient suitable information provides the evaluator with the support needed to conclude on the internal control system’s ability to manage or mitigate identified risks. One of the most important aspects of suitability (and, thus, of persuasive information) is the distinction between direct and indirect information . Direct information substantiates the operation of controls and is obtained by observing controls in operation, reperforming them, or otherwise testing their operation directly. It can be useful in both ongoing monitoring and separate evaluations. Generally, direct information is highly relevant because it provides an unobstructed view of control operation. Indirect information is all other information used to infer whether controls or control components continue to operate effectively. It either relates to or is produced by the process in which the controls reside. Indirect information might include, but is not limited to, operating statistics, key risk indicators , key performance indicators , and comparative industry metrics. Approaches and Frequency With the risks prioritized, key controls noted, and available persuasive information identified, the organization implements monitoring procedures that evaluate the effectiveness of the internal control system’s ability to manage or mitigate the identified risks. Monitoring involves the use of ongoing monitoring procedures and/or separate evaluations to gather and analyze persuasive information supporting conclusions about the effectiveness of internal control across all five COSO components.
  • 8. Internal Audit Internal Control Framework (COSO) Approaches and Frequency Ongoing monitoring occurs when the normal operations of an organization provide feedback — through both direct and indirect information — to risk owners about the effectiveness of the internal control system. It includes regular management and supervisory activities, peer comparisons and trend analysis using internal and external data, reconciliations, and other routine actions. Ongoing monitoring might also include automated tools that electronically evaluate controls and/or transactions. Because they are performed routinely, often on a real-time basis, ongoing monitoring procedures can offer the first opportunity to identify and correct control deficiencies. Separate evaluations can employ the same techniques as ongoing monitoring, but they are designed to evaluate controls periodically and are not ingrained in the daily operations of the organization. They do, however, play an important role in monitoring in that they often provide: • A more objective analysis of control effectiveness than ongoing monitoring procedures that are often performed by less objective personnel, and • Periodic feedback regarding the effectiveness of ongoing monitoring procedures. When ongoing monitoring is effective, periodic separate evaluations are used as necessary to reconfirm the conclusions reached through ongoing monitoring. Separate evaluations are also used to address controls that are not subject to ongoing monitoring.
  • 9. Internal Audit Internal Control Framework (COSO) Assessing and Reporting Results The monitoring process is complete when the results are compiled and reported to appropriate personnel. This final stage enables the results of monitoring to either confirm previously established expectations about the effectiveness of internal control or highlight identified deficiencies for possible corrective action. Prioritizing and Communicating Results Identifying and prioritizing potential control deficiencies allows organizations to determine the levels to which the potential deficiencies should be reported, and the corrective action, if any, that should be taken. Several factors may influence an organization’s prioritization of identified deficiencies, including: • The likelihood that the deficiency will result in an error, • The effectiveness of other, compensating controls , • The potential effect of an identified deficiency on organizational objectives, • The potential effect of the deficiency on other objectives, and • The aggregating effect of multiple deficiencies.
  • 10. Internal Audit Internal Control Framework (COSO) Reporting Externally A properly designed and executed monitoring program helps support external assertions because it provides persuasive information that internal control operated effectively at a point in time or during a particular period. The presence of external assertion requirements may affect the type, timing, and extent of monitoring an organization decides to perform. Therefore, organizations that are required to report to third parties on the effectiveness of their internal control system may design and execute monitoring activities differently than entities that are not required to report. Reporting protocols vary depending on the purpose for which the monitoring is conducted and the severity of the deficiencies. Typically, the results of monitoring conducted for purposes of evaluating an organization’s entity-wide objectives are reported to senior management and the board. Control deficiencies should be reported to the person directly responsible for the control’s operation and to management that has oversight responsibilities and is at least one level higher. Reporting at least to these two levels gives the responsible person the information necessary to correct control operation and also helps ensure that appropriately objective people are involved in the severity assessment and followup.
  • 11. Internal Audit Internal Control Framework (COSO) Summary Considerations Regarding Effective Monitoring Many organizations are performing effective monitoring in certain areas, but are not fully utilizing the results of that monitoring to support their conclusions about the effectiveness of the internal control system. Monitoring considers how the entire internal control system addresses meaningful risks, not how individual control activities operate in isolation, without regard to the level of risk and the effectiveness of other elements of the internal control system. Monitoring works best when management approaches it proactively, establishing a baseline understanding of internal control effectiveness and an information system that alerts it to changes in internal control processes or risks that affect the need to change or add controls. The board has important responsibilities in monitoring internal control (especially the controls that relate to ensuring a strong tone from the top) and in mitigating the risk of management override. Internal audit , through added skills and objectivity, can play an important role in assisting management and the board in monitoring, especially as organizations grow in size and complexity. 1. 2. 3. 4. 5.
  • 12. Internal Audit Internal Control Framework (COSO) Summary Considerations Regarding Effective Monitoring Organizations should follow a systematic process in determining “what” and “how” to monitor. That process is developed in this guidance and starts with identifying and prioritizing the risks that are being mitigated by effective internal controls. Judgment is required in determining both the optimal approach to monitoring, and the effectiveness of monitoring. Monitoring generally includes the use of both direct and indirect information. However, indirect information can be used only for a finite period of time without some direct evidence that the underlying control is operating effectively. Monitoring can be performed using either “ongoing” monitoring activities or “separate evaluations.” Most organizations will use a combination of both approaches, but ongoing monitoring using appropriately persuasive information is often most effective and efficient. Computerized applications have undergone substantial development and can be built into, or added onto, existing computer applications, providing a high degree of continuous monitoring. 6. 7. 8. 9. 10.