Enterprise Risk Management - Aligning Risk with Strategy and Performance
Resolver Inc.
COSO, which has provided global thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence for over three decades, recently released a draft update to the original COSO ERM Framework. This framework is widely used by organizations to enhance their ability to manage uncertainty, gauge risk, and increase stakeholder value. However, significant new risks have emerged since the Framework was released, demanding heightened board awareness and oversight of risk management, as well as improved risk reporting. For those organizations exploring ESRM – these themes will be strikingly familiar and the lessons learned, highly relevant.
Presentation by: Bob Hirth, Global Chairman of COSO.
This plan is uploaded to be used as a sample to help people get an idea. This internal audit plan is prepared for an automotive business activity. I hope it will be useful.
In 2013, COSO released their update to the COSO 1992 framework. This framework is used widely by public companies for SEC compliance. After working on updating their compliance efforts, many users are having discussions with their financial auditors about the use of the new standard.
This presentation looks at the needs of the auditor in understanding internal control and its documentation.
Internal Audit is a tool of control to measure and evaluate the effectiveness of the working of an organization primarily with accounting, financial and operational matters.
Internal Audit plays a constructive role by rendering service to the management with objective appraisal of systems, procedures, practices, compliance with policies.
LetzConsult presents a smarter way for companies to find the most relevant consultant for their business needs. Find the right consultants for your company on LetzConsult.com
What is the purpose of internal auditing? How important is it to the business? How are internal audits planned and carried out? These slides show the relevance of internal audit to the business, how internal audits relate to the objectives and risks of the business, how they are planned and the work involved in an internal audit. Further advice is available from www.internalaudit.biz
COSO's Internal Control - Integrated Framework.
Includes:
Objectives;
Components;
Principles relating to the components and
Points of Focus assisting users in determining whether the principles are present and functioning
A practical approach to defining indicators within an integrated ERM Framework
Workshop Overview
Many organisations have made considerable progress in the area of enterprise and operational risk management since the financial crisis in 2007/2008. However, events over the last few years have demonstrated, and continue to demonstrate, the need to make improvements in organisational risk management capabilities and tools.
One area of weakness, and a particular challenge for many organisations, is around indicators, specifically developing and managing with Key Risk Indicators (KRIs). KRIs have a vital role to play in monitoring and managing risk exposure within any organisation, and should be developed and deployed in the context of a wider indicator suite which includes Key Performance Indicators (KPIs) and Key Control Indicators (KCIs).
Workshop Objective
This interactive workshop provided attendees with a deep understanding of developing and managing with Key Risk Indicators. We started by providing an overarching management framework which integrated strategy execution and risk management. We then moved on to clarify the role of KRIs, alongside KPIs and KCIs.
Using a combination of presentations and practical examples, we were able to:
Learn how to define a robust suite of indicators, including the difference between Leading and Lagging, and Financial and Non-Financial indicators
Understand how to use a well-structured risk definition to guide the definition of KRIs
Understand the relationship between risk appetite and KRIs, and how Risk Appetite should influence the definition of KRIs
Understand the role KRIs play in scenario analysis
Understand the role of KRIs in the risk assessment process
Understand the role of KRIs within the risk, regulatory and management reporting
Who Attended:
CROs, Directors, General Managers, Senior Management and Managers of: Operations, Operational Risk Management, Enterprise Risk Management, Internal Audit, Compliance, Operational Risk, Strategy and Performance.
Please contact andrew.smart@stratexsystems.com for more details about the presentation or to have a talk about our software solutions.
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
Haresh Lalwani
This presentation is my endeavor to bring to notice the new position that internal audit enjoys today in the corporate framework, expectations of the industry and emerging opportunities for the professionals.
An internal audit is designed to review what a company is doing in order to identify potential threats to the organization's financial health and profitability and to make suggestions for mitigating the risk associated with those threats.
Standards for Internal Control in the Federal Government – Green Book, the Office of...
miguelserrano5851127
The Green Book, Standards for Internal Control in the Federal Government, provides the overall framework for establishing and maintaining an effective internal control system.
The Green Book may also be adopted by state, local, and quasi-governmental entities, as well as not-for-profit organizations, as a framework for an internal control system.
The revised standards retain the five components of internal control but introduce 17 principles to help managers achieve an effective internal control system. The document clearly marks requirements through the use of "must" and "should".
These principles were adopted for the public sector once COSO had revised and updated, during the past year, its document Internal Control: Integrated Framework, and they can be applied by state and local governments, as well as not-for-profit organizations, as a framework for their internal control system.
The Green Book is structured in four parts: an overview of the fundamental concepts of internal control; an analysis of its components, principles and attributes; and a series of final considerations that apply to all components of the internal control system.
The most comprehensive definition of internal audit is given by the IIA, USA. It is,
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
The purpose of the presentation is to provide clarification for a better understanding of what internal audit definition, objectives, functions, stages and reporting are all about? What difference does it make in the presence of an external audit? How different is its scope from that of the external audit? How internal audit standards contribute to better performance of internal audit work and its reporting to the Board or Audit Committee?
Reporting to Management and Audit Committee
Manoj Agarwal
Reporting to Management and Audit Committee involves balancing the value add and assurance. It also involves certain skills to ensure that you can influence change.
Risk is the effect of uncertainty on objectives. Risk can be negative or positive. When risks are converted into opportunity, it creates huge success.
internal control and control self assessment
1. Internal Control and
Control Self Assessment
Presented by CA Manoj Agarwal
December 30, 2012, Thane CPE Study Circle of WIRC, ICAI
2. Disclaimer
• All the contents of the presentation constitute the opinion of
the speaker, and the speaker alone; they do not represent the
views and opinions of the speaker’s employers, supervisors,
nor do they represent the view of organizations, businesses or
institutions the speaker is, or has been a part of.
3. Agenda
• Internal Control
• Control Self Assessment
• Case Study
• Q&A
4. Definitions
Internal Auditing definition states the fundamental purpose, nature, and
scope of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes
Internal control is defined by COSO (www.coso.org) as follows:
Internal control is a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations, reporting, and
compliance.
5. Internal Control
On paraphrasing definition of Internal control, we get:
1. Geared to the achievement of objectives in one or more separate but
overlapping categories
2. A process consisting of ongoing tasks and activities—it is a means to an
end, not an end in itself.
3. Effected by people - it is not merely about policy and procedure manuals,
systems, and forms, but about people and the actions they take at every
level of an organization to effect internal control.
4. Able to provide reasonable assurance, not absolute assurance, to an
entity’s senior management and board of directors.
5. Adaptable to the entity structure - flexible in application for the entire
entity or for a particular subsidiary, division, operating unit, or business
process
6. COSO Internal Control Framework
• Objectives of Internal Control
– Operational Objectives - Effectiveness and efficiency of operations
– Reporting Objective - Reliability of reporting
– Compliance Objectives - Compliance with applicable laws and regulations
• Process
– Policies (management's statement of what should be done)
– Procedures (actions that implement policies)
• Process is managed through Planning, Executing (doing), Checking, Amending (Plan Do Check Act)

| PDCA | 5 Components of Internal Control |
|---|---|
| Plan | Control Environment; Risk Assessment |
| Do | Control Activities |
| Check | Information & Communication |
| Act | Monitoring Activities |
8. Principles of Internal Controls-1
Component: Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
9. Principles of Internal Controls-2
Component: Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable identification and assessment of risks relating to objectives.
7. The organization identifies risks to achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.
8. The organization considers the potential of fraud in assessing risks to achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Component: Control Activities
10. Selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. Selects and develops general control activities over technology to support the achievement of objectives.
12. Deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.
10. Principles of Internal Controls-3
Component: Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates to external parties regarding matters affecting the functioning of other components of internal control.
Component: Monitoring Activities
16. The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal controls are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
11. Principle Evaluation Template..1
Principle Evaluation Template — Control Environment
Columns: Control Environment Principles | Summary of Controls | Deficiencies/Notes/Other Considerations (also record deficiencies in log below)
1. Demonstrates Commitment to Integrity and Ethical Values—The organization demonstrates a commitment to integrity and ethical values.
• Sets the Tone at the Top—How do the board of directors and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control?
• Establishes Standards of Conduct—How are the expectations of the board of directors and senior management concerning integrity and ethical values defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners?
• Evaluates Adherence to Standards of Conduct—What processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct?
• Addresses Deviations in a Timely Manner—How are deviations of the entity’s expected standards of conduct identified and remedied in a timely and consistent manner?
• (Other entity specific points of focus, if any)
12. Principle Evaluation Template..2
Principle Evaluation Template — Control Environment
Deficiencies Applicable to the Principle
Columns of the deficiency log:
• Identification No.
• Internal control deficiency description
• Possible Impact on Principle: Present? (Y/N); Functioning? (Y/N)
• Evaluate preliminary deficiency severity (Consider whether other controls to effect this principle compensate for the internal control deficiency.): Preliminary Severity—Is internal control deficiency a major deficiency? (Y/N); Comments/Compensating Controls
• List internal control deficiencies related to another principle that may impact this internal control deficiency
Evaluate deficiencies within the principle:* Evaluate if any internal control deficiencies or combination of internal control deficiencies, when considered within the principle, represent a major deficiency.** <Update Summary of Deficiencies Template as required> — <Explanation>
Evaluate the principle using judgment.** (Y/N, Explanation/Conclusion)
• Is the principle present?
• Is the principle functioning?
* Note: Record deficiencies in Summary of Deficiencies Template.
** If it is determined that there is a major deficiency, then management must conclude that the component is not present and functioning and the overall system of internal control is not effective.
13. Controls Objectives

| Objectives | Input | Process | Output |
|---|---|---|---|
| Authorization | Is the source authorized? | Are the procedures approved? | What was approved? |
| Recording | Is it accurate and complete? Is it timely? Is it documented? | Who does it? When? Are procedures followed? Is it recoverable? Is management review adequate? | Is it accurate and complete? Is there an audit trail? Is management review adequate? Does it balance? |
| Safeguarding/Security | Who should control? Are duties separated? | Who can access it? Are duties separated? | Is it confidential? Who should have it? |
| Verification | Are sources proper? | Are procedures followed complete? Are investigation and review of differences adequate? | Are differences properly resolved? Is management review adequate? |
| Existence/Placement | Do policies and procedures define the adequate level of controls? | Are there procedures to create a control? Are controls adequate? Are controls placed in the most efficient part of the process? | Is the residual risk acceptable according to the company's risk tolerance? |
14. Controls Objectives-Payroll - 1

| Objectives | Input | Questions to be asked |
|---|---|---|
| Authorization | Is the source authorized? | Are the persons sending the inputs for payroll authorized? |
| Recording | Is it accurate and complete? | Does the person send correct and complete inputs? |
| | Is it timely? | Are inputs sent in a timely manner to ensure processing happens as per plan? |
| | Is it documented? | Is there evidence that inputs have actually been received from the person specified? |
| Safeguarding/Security | Who should control? | Who should receive the inputs? |
| | Are duties separated? | Is the person receiving the inputs the person who processes the payroll? |
| Verification | Are sources proper? | How do we know that the person has actually taken information from the correct source? |
| Existence/Placement | Do policies and procedures define the adequate level of controls? | Is all this documented? Has the responsibility been documented? |
15. Controls Objectives – Payroll -2

| Objectives | Process | Question to be asked |
|---|---|---|
| Authorization | Are the procedures approved? | Is the process/method to process payroll approved? |
| Recording | Who does it? | Can it be established who has actually performed which job? |
| | When? | Is there any audit trail which can establish that procedures are actually followed? |
| | Are procedures followed? | Is it repeatable? |
| | Is it recoverable? | |
| | Is management review adequate? | Has someone reviewed the processing, and is there evidence which can confirm that the review has actually been performed? |
| Safeguarding/Security | Who can access it? | Who can access the location/system/office processing the information? |
| | Are duties separated? | Is there SOD in place? |
| Verification | Are procedures followed complete? | Who verifies that the process has actually been followed? |
| | Are investigation and review of differences adequate? | If any exception has been observed, has it been taken to its logical conclusion, and is that documented? |
| Existence/Placement | Are there procedures to create a control? | Is someone responsible for ensuring that the process has actually been completed as specified? |
| | Are controls adequate? | Have any controls been put in place to ensure that the process is happening as specified? Are these adequate? |
| | Are controls placed in the most efficient part of the process? | Has the control been put in place to ensure optimum cost and benefit? |
16. Controls Objectives – Payroll - 3
| Objectives | Output | Question to be asked |
|---|---|---|
| Authorization | What was approved? | Is there evidence that the output of the process is authorized, and can the accountability of the person authorizing it be established? |
| Recording | Is it accurate and complete? | How is it ensured that the output is accurate and complete? |
| | Is there an audit trail? | Is there an audit trail of the process of ensuring the completeness of the output? |
| | Is management review adequate? | Is there adequate management review? |
| | Does it balance? | Does the output match the input, to ensure that the output is proper? |
| Safeguarding/Security | Is it confidential? Who should have it? | Is there any defined guideline on who should have access to the output, and to what extent? |
| Verification | Are differences properly resolved? | Where differences were observed in management review, or a question was raised in review, have they been resolved properly, with an audit trail? |
| | Is management review adequate? | |
| Existence/Placement | Is the residual risk acceptable according to the company's risk tolerance? | What risk has been observed but not insured/controlled, and is that acceptable to the company? Is there any document evidencing acceptance? |
17. Control Types
• Preventative Controls: are installed to stop undesirable outcomes before they can occur. These types of controls are typically the most cost-effective controls because they avoid the cost of correction.
• Detective Controls: are necessary to measure the effectiveness of the preventive controls. While some errors cannot be effectively controlled through preventative controls, they must be detected as they occur.
• Corrective Controls: are necessary, for they correct the identified deficiency and therefore deter it from occurring again. Documentation and reporting systems are developed to identify undesirable outcomes and keep problems under management’s purview until they can be solved or the defect can be corrected.
E.g.
• Segregation of duties to prevent intentional wrongdoing,
• Proper authorization to prevent improper use of organizational resources,
• Adequate documentation and records to deter improper transactions,
• Physical control over assets to prevent their improper conversion or use.
• Reviews and comparisons of records,
• Independent check on performance,
• Bank reconciliations, confirmation of bank balances, cash counts,
• Computerized techniques such as transaction limits and passwords.
Ref: Marks on Governance (http://normanmarks.wordpress.com/)
http://www.theiia.org/blogs/marks/index.cfm?postid=396
18. What is CSA?
Control Self Assessment
• A set of techniques used to assess risk, control strength, and control weaknesses utilizing a control framework.
The 'self' refers to the involvement of management and staff in the assessment process, often facilitated by internal auditors:
– to analyze, within a chosen control framework, the obstacles and strengths which affect their ability to achieve their key business objectives, and
– to decide upon appropriate action.
19. CSA Rationale
• Responsibility for controlling risk belongs to management and all employees
• People are the most important control factor
• Most employees are honest, competent, and want their organization to succeed
• People are far more likely to embrace needed changes if they are involved in the assessment process
• Helps employees understand control
20. When do you want to use CSA?
• New work processes/projects
• New organizations
– to identify the risk exposures and required controls
• Reorganizations
• Management / Employee turnover
– to identify where risks are
– to create understanding for business objectives
– to assess how risks are changing
– to put emphasis on highest priority risks and controls
• Processes that cross over into other work groups
– to get to the root cause of problems
– helps bring groups together
– participants learn how their activities interrelate
– collaborative problem solving
21. CSA - GOALS & OBJECTIVES
• Provide a forum for participants (stakeholders) to:
– Conduct an assessment of risks and controls.
– Develop recommendations for improvement.
– Enhance their ability to achieve objectives.
– Increase communication with the Unit.
– Improve the efficiency and effectiveness of operations.
22. Benefits of CSA
• Honest feedback on control environment communication and monitoring
• Ability to discuss and explore areas of concern to determine reasons and root causes of concern
• Ability to obtain an understanding of the degree of concern among participants
• Development of recommendations by employees in the Unit
• Buy-in/Ownership of Recommendations
23. COSO Framework - Control Components
[Figure: the COSO control components (Monitoring, Control Activities, Risk Assessment, Control Environment), labelled "CSA" and "Traditional Auditing/Testing"]
The basic control objectives have been divided into the business cycle format for ease of implementation, reference, and subsequent evaluation. The control matrix shown below provides a general guideline for the processing of all transactions consistent with fundamental control criteria.
These control questions are segmented by purpose of control. Some controls are installed to prevent undesirable outcomes before they can happen. Others are created to identify undesirable events as they happen, and still others make sure that action is taken to undo the undesirable outcome or to see that it does not recur. The following text defines three classes of controls.