SlideShare a Scribd company logo

Internal Control - Who is responsible for what?

Stephanie Pennell
Stephanie Pennell

This slide compilation will introduce viewers to COSO’s Internal Control – Integrated Framework for establishing an effective system of internal control, and will delve deeper with a summary of the Three Lines of Defense Model in assigning roles and responsibilities among the organization’s employees, managers, and board members.  The roles and responsibilities within an organization can easily become commingled, confused, or simply overlooked.  This is particularly true in small and medium sized organizations where board members are new or are volunteers, and where employees are tasked with performing functions outside their normal job duties.

Leadership & Management
1 of 19
Download to read offline
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 1       Before we answer the question “Who is responsible for what?” with regard to internal control, it’s  critically important that we have a basic understanding of what a system of internal control is, what  its purpose serves, and the components of an effective system of internal control.    The Committee of Sponsoring Organizations of the Treadway Commission updated its Internal  Control – Integrated Framework document in 2013.  The first part of this seminar summarizes its  major concepts and lists its components and principles.                                Committee of Sponsoring Organizations of the Treadway Commission. (2013). Internal Control – Integrated Framework.  Available for purchase or subscription at https://www.cpa2biz.com     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 3       This definition is intentionally broad in order to (a) capture important concepts that are  fundamental to designing, implementing, and assessing internal controls, and (b) to accommodate  subsets of internal control, such as a focusing solely on controls over external financial reporting.    The fundamental concepts are:   Internal control is a process (or, more accurately, a series of processes)   It is effected by people   It provides reasonable assurance   It is objectives‐focused    It’s important to note that a system of internal control is different from an internal control activity.   The system of internal control is the entire process – which is both dynamic and iterative –  effected by the organization.   An internal control activity only a part of the entire process.  An internal control activity by  itself is of little value.  All too often, though, the focus is on the internal control activity and  not the entire system.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 5       Having a complete system of internal control in place is important because it reduces risk in  achieving objectives.    Risk is simply uncertainty and variability. Therefore, a system of internal control reduces the  uncertainty and variability in achieving objectives.    It’s important to note that it does not eliminate risk. It merely reduces it.  Hence, reasonable  assurance is used in the definition and not absolute assurance.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 7     Operational Objectives   Relate to the achievement of the organization’s basic mission and vision.   Reflect management’s choices based on the organization’s operating model, its external  environment and industry, and the level of performance it wishes to operate at.   Safeguarding of Assets is included as part of an organization’s operational objectives.  This  includes preventing unauthorized acquisition, use, or disposition of organizational assets.   This specific objective is often considered a separate category of objectives.  And, if so, the  Framework can accommodate that, although COSO considers it an operational objective.    Reporting Objectives   Relate to the preparation of reports for use by the organization internally, external  organizations, and stakeholders.   These are often broken out into sub‐categories:  o Internal Reporting Objectives (Financial and Non‐Financial)  o External Reporting Objectives (Financial and Non‐Financial)   Internal reporting objectives are associated with timely information for management to be  able to make decisions and assess performance.  Reporting standards are set internally by  management and are based on their information needs.   External reporting objectives are associated with accessing capital markets, acquiring credit,  being awarded contracts, reporting to regulators, dealing with suppliers and vendors, and  communicating with customers, constituents, and other stakeholders.   
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 9       Compliance Objectives   Related to activities and actions that are governed by laws, rules, and regulations.   These include well‐known laws and regulations, such as those relating to human resources,  taxation, and environmental compliance.  But, they also pertain to more obscure  compliance requirements   Laws and regulations establish minimum standards of conduct.  Any additional standards  imposed on the organization by the organizations governance and management are  considered operational objectives.  Often there is overlap of objective categories. That is, a particular objective may be simultaneously  an operational, reporting, or compliance objective.  That’s perfectly fine.  The key, though, is to  understand how that objective relates to and supports each of those categories.  Because, while a  particular objective may have, say, an operational and reporting function right now.  In the future,  overall operational goals may shift.  That particular objective may no longer be considered an  operational objective, but it may still be considered a reporting objective.  Operational and internal reporting objectives are usually based on the organization’s preferences,  judgements, and choices.  External reporting and compliance objectives are usually based on external requirements.  All objectives, regardless of category, start at the entity level and cascade down to subunits  (divisions, operating units, functions) so that the subunits’ operational objectives support and  contribute to the overall entity‐level objectives.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 11     Control Environment   The organization demonstrates a commitment to integrity and ethical values.   The board of directors demonstrates independence from management and exercises  oversight of the development and performance of internal control.   Management establishes, with board oversight, structures, reporting lines, and appropriate  authorities and responsibilities in the pursuit of objectives.   The organization demonstrates a commitment to attract, develop, and retain competent  individuals in alignment with objectives.   The organization holds individuals accountable for their internal control responsibilities in  the pursuit of objectives.    Risk Assessment   The organization specifies objectives with sufficient clarity to enable the identification and  assessment of risks relating to objectives.   The organization identifies risks to the achievement of its objectives across the entity and  analyzes risks as a basis for determining how the risks should be managed.   The organization considers the potential for fraud in assessing risks to the achievement of  objectives.   The organization identifies and assesses changes that could significantly impact the system  of internal control.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 13     Control Activities   The organization selects and develops control activities that contribute to the mitigation of  risks to the achievement of objectives to acceptable levels.   The organization selects and develops general control activities over technology to support  the achievement of objectives.   The organization deploys control activities through policies that establish what is expected  and procedures that put policies into action.    Information and Communication   The organization obtains or generates and uses relevant, quality information to support the  functioning of internal control.   The organization internally communicates information, including objectives and  responsibilities for internal control, necessary to support the functioning of internal control.   The organization communicates with external parties regarding matters affecting the  functioning of internal control.    Monitoring Activities   The organization selects, develops, and performs ongoing and/or separate evaluations to  ascertain whether the components of internal control are present and functioning.   The organization evaluates and communicates internal control deficiencies in a timely  manner to those parties responsible for taking corrective action, including senior  management and the board of directors, as appropriate.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 15     To be effective, all five components and their relevant principles must be present and functioning,  and they must be operating together in an integrated manner.   “Present and functioning” means that the components and principles exist in the design and  implementation of the system of internal control and continue to exist in the conduct of the  system of internal control.   “Operating together” means that the components collectively reduce risk.    The Framework views all components of internal controls as suitable and relevant to all entities.   Likewise, because principles are fundamental concepts associated with components and have a  significant bearing on the presence and functioning of an associated component, all seventeen  principles are considered suitable and relevant to all entities.  Therefore, if a principle is not present  and functioning, the associated component cannot be considered present and functioning.   Management, with board oversight, may determine that a particular principle is not relevant  to the organization.  However, this is rare.  If it is determined as such, though, the  organization must support its determination with the rationale of how, in the absence of  that principle, the associated component can be present and functioning.      
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 17     When a shortcoming exists in a component and relevant principles that reduces the likelihood of  achieving organizational objectives (i.e., increases risk), an internal control deficiency exists.  A major deficiency is one that severely reduces the likelihood of achieving objectives.   Whenever a component and one or more relevant principles are not present or functioning  or when components are not operating together, a major deficiency automatically exists.   When a major deficiency exists, management cannot conclude that it has met the  requirements for an effective system of internal control    When a system of internal control is effective, management and those charged with governance can  be reasonably assured that…   the organization is achieving effective and efficient operations (operations),   the organization is preparing reliable internal and external reports (reporting), and   the organization is operating in compliance with applicable laws and regulations  (compliance).     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 19     Now that we have a basic understanding of what a system of internal control consists of and how it  is designed, we can move on to the seminar’s question:  Who is responsible for what?    Seeing as the system of internal control is effected by people, those people – the organization’s  employees – should have a good understanding of what their roles are, where their role fits into the  entire organization, and, most importantly, what their responsibilities are.    COSO and the Institute of Internal Auditors released a whitepaper in July 2015 to assist  organizations in obtaining a better understanding of roles and responsibilities.  This whitepaper,  Leveraging COSO across the Three Lines of Defense, is summarized the second half of this seminar.                    The Institute of Internal Auditors, Anderson, D., and Eubanks, G. (2015). Leveraging COSO across the Three Lines of  Defense.  Available for download at http://www.coso.org/guidance.htm.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 21     Organizations may have unique structures, but most have the following broad categories of roles:   Board of Directors (Board of Trustees, City Councilors, Board of Selectmen, etc., a.k.a. Those  Charged with Governance)   Senior Management (CEO, Executive Director, City Administrator, Town Manager, CFO,  Director of Finance, CIO, COO, Chief Legal Officer, etc.)   Operational Managers (subunit managers, divisional managers, functional managers, etc.)   Area Specialists and Internal Monitors (information security, physical security, quality  control, environmental compliance, legal compliance, supply chain, etc.)   Internal Auditors       
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 23     The board is responsible for overseeing the system of internal control.   Establish the overall, long‐term objectives of the organization   Define high‐level strategies for achieving objectives   Establish governance structures to best manage risk   Define expectations about integrity, ethical values, transparency, and accountability    To execute their responsibilities properly, board members must…   Have a working knowledge of the organization’s activities and environment   Commit the time necessary to fulfill their responsibilities   Maintain open and unrestricted communications with all entity personnel, independent  auditors, external reviewers, and legal counsel   Be objective, capable, and inquisitive    Together with Senior Management, they establish the Control Environment component of the  system of internal control.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 25     Senior Management is responsible for designing, implementing, and leading an effective system of  internal control.   Provide leadership and direction in shaping organizational values, standards, expectations of  competence, organizational structure, and accountability   Specify entity‐wide objectives and policies   Maintain oversight and control over the risks the organization faces   Guide the development and performance of control activities at the entity‐level   Communicate expectations and information requirements   Evaluate control deficiencies and their impact on effectiveness of the system of internal  control   Delegate responsibility for designing, implementing, and assessing more specific internal  control procedures to subunit managers.    For functional or operating unit senior management (e.g., CFO, CIO, COO, etc.), they focus on the  objectives of their respective units, ensure that they are aligned with entity‐wide objectives, and  develop and implement internal control policies and procedures to support those objectives.    With board oversight, senior management establishes the Control Environment component of the  system of internal control.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 27     Operational management are front‐line and mid‐line managers who are responsible for day‐to‐day  ownership of risk and management of control.   Design and implement processes to identify and assess significant risks within their  operational realm.   Select and develop internal control activities to respond to identified risks.   Highlight inadequate processes and address control breakdowns.   Communicate to key stakeholders of the activity.    Operational management is responsible for the Risk Assessment, Control Activities, and  Information and Communication components of the Framework.  Additionally, in conjunction with  the area specialists and internal monitors, they have shared responsibility for the Monitoring  component.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 29     Area specialists and internal monitors are responsible for the ongoing monitoring of control and risk.   Work closely with operating managers to define implementation strategies   Provide expertise in their respective areas with regard to risk.   Help identify known and emerging risks   Assist management in defining which activities to monitor, assist in designing effective  controls, provide communication and education about control processes, and explain how  to measure success.   Monitor controls on an ongoing basis to determine whether the controls are functioning as  intended.   Evaluate and communicate deficiencies to operating and senior management and assist in  developing corrective actions.    They are part of management and, therefore, are not independent, but they should still exercise an  adequate degree of objectivity.    Along with operational management, they are responsible for the Monitoring component of the  system of internal control.       
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 31     Internal auditors are responsible for providing independent, objective assurance to the board and  senior management regarding the design, implementation, and effectiveness of the system of  internal control.   They assess all components of the Framework   They have independence from management and have direct communication with the board.   They provide assurance regarding the efficiency and effectiveness of governance, risk  management, and internal control.   They review all aspects of the organization’s operations and activities.    Internal auditors do not design or implement controls and are not responsible for the organization’s  operations.    They are responsible for assessing and reporting on all components of the system of internal  control.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 33     The Board and Senior Management set the overall objectives and create a good Control  Environment.  They are not one of the three lines of defense, but rather they use the three lines of  defense to help reduce risk in achieving organizational objectives.    Each level within the organization is accountable to the next higher level for his/her portion of the  internal control system.   Employees who perform control activities (including area specialists and internal monitors)  are accountable to operational management.   Operational management is accountable to senior management.   Members of senior management are accountable to the CEO.   The CEO is accountable to the board.   Internal auditors are accountable to the board.   And, finally, the board is accountable to its shareholders/citizens.    The “lines of defense” should be as distinct as possible, with roles and responsibilities clearly  articulated through policies and procedures and reinforced by a consistent tone at the top and a  sound Control Environment.    The Three Lines of Defense Model is designed to be flexible to allow for different sized and  differently structured organizations.  Therefore, some blending of responsibilities may be okay for  some organizations, but the overall aim should be to delineate as much as possible the three lines of  defense.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 35     Coordination should not be confused with structure.  While the three lines of defense are separate  and have their own unique responsibilities, they should not operate in isolation.  The idea is to share  information and coordinate efforts regarding risk, control, and governance to achieve the overall  organizational objectives.    The best way to ensure sound structure and effective and efficient coordination is for senior  management to carefully analyze the organization, assign responsibilities to specific individuals, and  communicate those responsibilities through written policies and procedures.    Each person should know their role and both the extent and limits of their responsibilities.   That is,  there should be no gaps in coverage, but there should be no overlap in coverage either.  The former  ensures effectiveness, the latter facilitates efficiency.     
Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 37     External auditors and regulators are not part of an organization’s system of internal control.   They are not part of the organization   In most cases, they have a limited focus  o For example, regulators may only be concerned with a particular aspect of the  organization, such as controls over expenditures or occupational safety  o Independent financial statement auditors are primarily concerned with financial  reporting controls and place less emphasis on operational and compliance controls  (unless they have some bearing on financial reporting controls).    However, they can help boost the overall governance and control structure   Regulators often have requirements that are intended to strengthen governance and  control   External auditors can provide useful observations about financial reporting risks and related  controls.    External auditors and regulators should not be considered as substitutes for the internal lines of  defense and management does not relinquish its responsibilities simply because regulators and  external auditors examine and report on aspects of the organization.   

Recommended

Internal control & compliance
Internal control & complianceInternal control & compliance
Internal control & compliance
Makhluk Hasan
 
Internal Control and Compliance.
Internal Control and Compliance.Internal Control and Compliance.
Internal Control and Compliance.
Mohammad Robiul
 
Internal controls & ai ss
Internal controls & ai ssInternal controls & ai ss
Internal controls & ai ssKashif Rana ACCA
 
internal control and control self assessment
internal control and control self assessmentinternal control and control self assessment
internal control and control self assessmentManoj Agarwal
 
12.12.2011, Internal audit role and functions in corporate governance, Scott ...
12.12.2011, Internal audit role and functions in corporate governance, Scott ...12.12.2011, Internal audit role and functions in corporate governance, Scott ...
12.12.2011, Internal audit role and functions in corporate governance, Scott ...
The Business Council of Mongolia
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Auditijazurrehman
 
COSO 2013 and The Auditor
COSO 2013 and The AuditorCOSO 2013 and The Auditor
COSO 2013 and The Auditor
Corporate Compliance Seminars
 
Improving and Implementing Internal Controls
Improving and Implementing Internal ControlsImproving and Implementing Internal Controls
Improving and Implementing Internal Controls
Tommy Seah
 

Recommended

Internal control & compliance
Internal control & complianceInternal control & compliance
Internal control & compliance
Makhluk Hasan
 
Internal Control and Compliance.
Internal Control and Compliance.Internal Control and Compliance.
Internal Control and Compliance.
Mohammad Robiul
 
Internal controls & ai ss
Internal controls & ai ssInternal controls & ai ss
Internal controls & ai ssKashif Rana ACCA
 
internal control and control self assessment
internal control and control self assessmentinternal control and control self assessment
internal control and control self assessmentManoj Agarwal
 
12.12.2011, Internal audit role and functions in corporate governance, Scott ...
12.12.2011, Internal audit role and functions in corporate governance, Scott ...12.12.2011, Internal audit role and functions in corporate governance, Scott ...
12.12.2011, Internal audit role and functions in corporate governance, Scott ...
The Business Council of Mongolia
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Auditijazurrehman
 
COSO 2013 and The Auditor
COSO 2013 and The AuditorCOSO 2013 and The Auditor
COSO 2013 and The Auditor
Corporate Compliance Seminars
 
Improving and Implementing Internal Controls
Improving and Implementing Internal ControlsImproving and Implementing Internal Controls
Improving and Implementing Internal Controls
Tommy Seah
 
Introduction to COSO 2013 - Corporate Compliance Seminars
Introduction to COSO 2013 - Corporate Compliance SeminarsIntroduction to COSO 2013 - Corporate Compliance Seminars
Introduction to COSO 2013 - Corporate Compliance Seminars
Corporate Compliance Seminars
 
A COSO Based Risk & Control Framework
A COSO Based Risk & Control FrameworkA COSO Based Risk & Control Framework
A COSO Based Risk & Control Framework
Jhurt7103
 
Effective Internal Controls (Annotated) by @EricPesik
Effective Internal Controls (Annotated) by @EricPesikEffective Internal Controls (Annotated) by @EricPesik
Effective Internal Controls (Annotated) by @EricPesik
Eric Pesik
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
Sophia Abigayle
 
Internal Financial Controls
Internal Financial ControlsInternal Financial Controls
Internal Financial Controls
tarunmallappa
 
Coso Internal Control Integrated Framework
Coso Internal Control Integrated FrameworkCoso Internal Control Integrated Framework
Coso Internal Control Integrated Framework
hyesue
 
COSO Implementation: Getting Real, Getting It Right
COSO Implementation: Getting Real, Getting It RightCOSO Implementation: Getting Real, Getting It Right
COSO Implementation: Getting Real, Getting It Right
BlackLine
 
Best Practices: Change Management
Best Practices: Change ManagementBest Practices: Change Management
Best Practices: Change Management
Corporate Compliance Seminars
 
Icc risk
Icc riskIcc risk
Icc risk
pervez321
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self Assessment
Manoj Agarwal
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated Framework
Aziz Fataliyev, Internal Audit Practitioner
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated framework
Irfan Ahmed - ACA, CICA
 
Internal controls in auditing
Internal controls in auditingInternal controls in auditing
Internal controls in auditingHardik Shah
 
Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002
SARVJEET KAUSHAL
 
Kontrol & Audit Sistem Informasi
Kontrol & Audit Sistem InformasiKontrol & Audit Sistem Informasi
Kontrol & Audit Sistem Informasi
dwiki apsyarin
 
Tugas control & audit sistem informasi
Tugas control & audit sistem informasiTugas control & audit sistem informasi
Tugas control & audit sistem informasi
Nur Fatrianti
 
International Professional Practices Framework (IPPF)pdf
International Professional Practices Framework (IPPF)pdfInternational Professional Practices Framework (IPPF)pdf
International Professional Practices Framework (IPPF)pdf
AavyaSidhu
 
Coso Monitoring - Templates
Coso Monitoring - TemplatesCoso Monitoring - Templates
Coso Monitoring - Templates
Aviva Spectrum™
 
How do auditors gain an understanding of the internal controls in an.pdf
How do auditors gain an understanding of the internal controls in an.pdfHow do auditors gain an understanding of the internal controls in an.pdf
How do auditors gain an understanding of the internal controls in an.pdf
irshadkumar3
 
Fice Of Internal Audit
Fice Of Internal AuditFice Of Internal Audit
Fice Of Internal Audit
Christina Berger
 
Internal Audit And Review Reports
Internal Audit And Review ReportsInternal Audit And Review Reports
Internal Audit And Review Reports
Laura Martin
 
Presentation 5, System based audit approach - what is it about?, Workshop on ...
Presentation 5, System based audit approach - what is it about?, Workshop on ...Presentation 5, System based audit approach - what is it about?, Workshop on ...
Presentation 5, System based audit approach - what is it about?, Workshop on ...Support for Improvement in Governance and Management SIGMA
 

More Related Content

What's hot

Introduction to COSO 2013 - Corporate Compliance Seminars
Introduction to COSO 2013 - Corporate Compliance SeminarsIntroduction to COSO 2013 - Corporate Compliance Seminars
Introduction to COSO 2013 - Corporate Compliance Seminars
Corporate Compliance Seminars
 
A COSO Based Risk & Control Framework
A COSO Based Risk & Control FrameworkA COSO Based Risk & Control Framework
A COSO Based Risk & Control Framework
Jhurt7103
 
Effective Internal Controls (Annotated) by @EricPesik
Effective Internal Controls (Annotated) by @EricPesikEffective Internal Controls (Annotated) by @EricPesik
Effective Internal Controls (Annotated) by @EricPesik
Eric Pesik
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
Sophia Abigayle
 
Internal Financial Controls
Internal Financial ControlsInternal Financial Controls
Internal Financial Controls
tarunmallappa
 
Coso Internal Control Integrated Framework
Coso Internal Control Integrated FrameworkCoso Internal Control Integrated Framework
Coso Internal Control Integrated Framework
hyesue
 
COSO Implementation: Getting Real, Getting It Right
COSO Implementation: Getting Real, Getting It RightCOSO Implementation: Getting Real, Getting It Right
COSO Implementation: Getting Real, Getting It Right
BlackLine
 
Best Practices: Change Management
Best Practices: Change ManagementBest Practices: Change Management
Best Practices: Change Management
Corporate Compliance Seminars
 
Icc risk
Icc riskIcc risk
Icc risk
pervez321
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self Assessment
Manoj Agarwal
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated Framework
Aziz Fataliyev, Internal Audit Practitioner
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated framework
Irfan Ahmed - ACA, CICA
 
Internal controls in auditing
Internal controls in auditingInternal controls in auditing
Internal controls in auditingHardik Shah
 

What's hot (13)

Introduction to COSO 2013 - Corporate Compliance Seminars
Introduction to COSO 2013 - Corporate Compliance SeminarsIntroduction to COSO 2013 - Corporate Compliance Seminars
Introduction to COSO 2013 - Corporate Compliance Seminars
 
A COSO Based Risk & Control Framework
A COSO Based Risk & Control FrameworkA COSO Based Risk & Control Framework
A COSO Based Risk & Control Framework
 
Effective Internal Controls (Annotated) by @EricPesik
Effective Internal Controls (Annotated) by @EricPesikEffective Internal Controls (Annotated) by @EricPesik
Effective Internal Controls (Annotated) by @EricPesik
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
 
Internal Financial Controls
Internal Financial ControlsInternal Financial Controls
Internal Financial Controls
 
Coso Internal Control Integrated Framework
Coso Internal Control Integrated FrameworkCoso Internal Control Integrated Framework
Coso Internal Control Integrated Framework
 
COSO Implementation: Getting Real, Getting It Right
COSO Implementation: Getting Real, Getting It RightCOSO Implementation: Getting Real, Getting It Right
COSO Implementation: Getting Real, Getting It Right
 
Best Practices: Change Management
Best Practices: Change ManagementBest Practices: Change Management
Best Practices: Change Management
 
Icc risk
Icc riskIcc risk
Icc risk
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self Assessment
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated Framework
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated framework
 
Internal controls in auditing
Internal controls in auditingInternal controls in auditing
Internal controls in auditing
 

Similar to Internal Control - Who is responsible for what?

Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002
SARVJEET KAUSHAL
 
Kontrol & Audit Sistem Informasi
Kontrol & Audit Sistem InformasiKontrol & Audit Sistem Informasi
Kontrol & Audit Sistem Informasi
dwiki apsyarin
 
Tugas control & audit sistem informasi
Tugas control & audit sistem informasiTugas control & audit sistem informasi
Tugas control & audit sistem informasi
Nur Fatrianti
 
International Professional Practices Framework (IPPF)pdf
International Professional Practices Framework (IPPF)pdfInternational Professional Practices Framework (IPPF)pdf
International Professional Practices Framework (IPPF)pdf
AavyaSidhu
 
Coso Monitoring - Templates
Coso Monitoring - TemplatesCoso Monitoring - Templates
Coso Monitoring - Templates
Aviva Spectrum™
 
How do auditors gain an understanding of the internal controls in an.pdf
How do auditors gain an understanding of the internal controls in an.pdfHow do auditors gain an understanding of the internal controls in an.pdf
How do auditors gain an understanding of the internal controls in an.pdf
irshadkumar3
 
Fice Of Internal Audit
Fice Of Internal AuditFice Of Internal Audit
Fice Of Internal Audit
Christina Berger
 
Internal Audit And Review Reports
Internal Audit And Review ReportsInternal Audit And Review Reports
Internal Audit And Review Reports
Laura Martin
 
Internal Audit Of The California Department Of Public...
Internal Audit Of The California Department Of Public...Internal Audit Of The California Department Of Public...
Internal Audit Of The California Department Of Public...
Tina Jordan
 
The Objectives Of Internal Audit
The Objectives Of Internal AuditThe Objectives Of Internal Audit
The Objectives Of Internal Audit
Sonia Sanchez
 
13 internal controls
13 internal controls13 internal controls
13 internal controls
CA. (Dr.) Rajkumar Adukia
 
Audit Report And Internal Control Evaluation
Audit Report And Internal Control EvaluationAudit Report And Internal Control Evaluation
Audit Report And Internal Control Evaluation
Rochelle Schear
 
Internal Audit Reporting
Internal Audit ReportingInternal Audit Reporting
Internal Audit Reporting
SALIH AHMED ISLAM
 
Internal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo WachiraInternal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo Wachira
Jenard Wachira
 
Are You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls FrameworkAre You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls Framework
BlackLine
 
The “internal audit” versus “external audit” in details
The “internal audit” versus “external audit” in detailsThe “internal audit” versus “external audit” in details
The “internal audit” versus “external audit” in detailsMohammad Wahid Abdullah Khan
 
Internal control system
Internal control systemInternal control system
Internal control system
Madiha Hassan
 
Internal control system
Internal control systemInternal control system
Internal control systemMadiha Hassan
 

Similar to Internal Control - Who is responsible for what? (20)

Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002
 
Kontrol & Audit Sistem Informasi
Kontrol & Audit Sistem InformasiKontrol & Audit Sistem Informasi
Kontrol & Audit Sistem Informasi
 
Tugas control & audit sistem informasi
Tugas control & audit sistem informasiTugas control & audit sistem informasi
Tugas control & audit sistem informasi
 
International Professional Practices Framework (IPPF)pdf
International Professional Practices Framework (IPPF)pdfInternational Professional Practices Framework (IPPF)pdf
International Professional Practices Framework (IPPF)pdf
 
Coso Monitoring - Templates
Coso Monitoring - TemplatesCoso Monitoring - Templates
Coso Monitoring - Templates
 
How do auditors gain an understanding of the internal controls in an.pdf
How do auditors gain an understanding of the internal controls in an.pdfHow do auditors gain an understanding of the internal controls in an.pdf
How do auditors gain an understanding of the internal controls in an.pdf
 
Fice Of Internal Audit
Fice Of Internal AuditFice Of Internal Audit
Fice Of Internal Audit
 
Internal Audit And Review Reports
Internal Audit And Review ReportsInternal Audit And Review Reports
Internal Audit And Review Reports
 
Presentation 5, System based audit approach - what is it about?, Workshop on ...
Presentation 5, System based audit approach - what is it about?, Workshop on ...Presentation 5, System based audit approach - what is it about?, Workshop on ...
Presentation 5, System based audit approach - what is it about?, Workshop on ...
 
Internal Audit Of The California Department Of Public...
Internal Audit Of The California Department Of Public...Internal Audit Of The California Department Of Public...
Internal Audit Of The California Department Of Public...
 
The Objectives Of Internal Audit
The Objectives Of Internal AuditThe Objectives Of Internal Audit
The Objectives Of Internal Audit
 
13 internal controls
13 internal controls13 internal controls
13 internal controls
 
Audit Report And Internal Control Evaluation
Audit Report And Internal Control EvaluationAudit Report And Internal Control Evaluation
Audit Report And Internal Control Evaluation
 
Internal Audit Reporting
Internal Audit ReportingInternal Audit Reporting
Internal Audit Reporting
 
SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013
 
Internal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo WachiraInternal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo Wachira
 
Are You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls FrameworkAre You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls Framework
 
The “internal audit” versus “external audit” in details
The “internal audit” versus “external audit” in detailsThe “internal audit” versus “external audit” in details
The “internal audit” versus “external audit” in details
 
Internal control system
Internal control systemInternal control system
Internal control system
 
Internal control system
Internal control systemInternal control system
Internal control system
 

Recently uploaded

在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
tdt5v4b
 
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish GermanCV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
EUS+ Management & Consulting Excellence
 
Senior Project and Engineering Leader Jim Smith.pdf
Senior Project and Engineering Leader Jim Smith.pdfSenior Project and Engineering Leader Jim Smith.pdf
Senior Project and Engineering Leader Jim Smith.pdf
Jim Smith
 
Case Analysis - The Sky is the Limit | Principles of Management
Case Analysis - The Sky is the Limit | Principles of ManagementCase Analysis - The Sky is the Limit | Principles of Management
Case Analysis - The Sky is the Limit | Principles of Management
A. F. M. Rubayat-Ul Jannat
 
12 steps to transform your organization into the agile org you deserve
12 steps to transform your organization into the agile org you deserve12 steps to transform your organization into the agile org you deserve
12 steps to transform your organization into the agile org you deserve
Pierre E. NEIS
 
Public Speaking Tips to Help You Be A Strong Leader.pdf
Public Speaking Tips to Help You Be A Strong Leader.pdfPublic Speaking Tips to Help You Be A Strong Leader.pdf
Public Speaking Tips to Help You Be A Strong Leader.pdf
Pinta Partners
 
Risk-Management-presentation for cooperatives
Risk-Management-presentation for cooperativesRisk-Management-presentation for cooperatives
Risk-Management-presentation for cooperatives
bernanbumatay1
 
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
gcljeuzdu
 
Leadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact PlanLeadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact Plan
Muhammad Adil Jamil
 
The Management Guide: From Projects to Portfolio
The Management Guide: From Projects to PortfolioThe Management Guide: From Projects to Portfolio
The Management Guide: From Projects to Portfolio
Ahmed AbdelMoneim
 
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
tdt5v4b
 
Strategic Org Design with Org Topologies™
Strategic Org Design with Org Topologies™Strategic Org Design with Org Topologies™
Strategic Org Design with Org Topologies™
Alexey Krivitsky
 
Employment Practices Regulation and Multinational Corporations
Employment Practices Regulation and Multinational CorporationsEmployment Practices Regulation and Multinational Corporations
Employment Practices Regulation and Multinational Corporations
RoopaTemkar
 
20240608 QFM019 Engineering Leadership Reading List May 2024
20240608 QFM019 Engineering Leadership Reading List May 202420240608 QFM019 Engineering Leadership Reading List May 2024
20240608 QFM019 Engineering Leadership Reading List May 2024
Matthew Sinclair
 
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
tdt5v4b
 
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
William (Bill) H. Bender, FCSI
 
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
tdt5v4b
 
Integrity in leadership builds trust by ensuring consistency between words an...
Integrity in leadership builds trust by ensuring consistency between words an...Integrity in leadership builds trust by ensuring consistency between words an...
Integrity in leadership builds trust by ensuring consistency between words an...
Ram V Chary
 
Comparing Stability and Sustainability in Agile Systems
Comparing Stability and Sustainability in Agile SystemsComparing Stability and Sustainability in Agile Systems
Comparing Stability and Sustainability in Agile Systems
Rob Healy
 
Addiction to Winning Across Diverse Populations.pdf
Addiction to Winning Across Diverse Populations.pdfAddiction to Winning Across Diverse Populations.pdf
Addiction to Winning Across Diverse Populations.pdf
Bill641377
 

Recently uploaded (20)

在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
 
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish GermanCV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
CV Ensio Suopanki1.pdf ENGLISH Russian Finnish German
 
Senior Project and Engineering Leader Jim Smith.pdf
Senior Project and Engineering Leader Jim Smith.pdfSenior Project and Engineering Leader Jim Smith.pdf
Senior Project and Engineering Leader Jim Smith.pdf
 
Case Analysis - The Sky is the Limit | Principles of Management
Case Analysis - The Sky is the Limit | Principles of ManagementCase Analysis - The Sky is the Limit | Principles of Management
Case Analysis - The Sky is the Limit | Principles of Management
 
12 steps to transform your organization into the agile org you deserve
12 steps to transform your organization into the agile org you deserve12 steps to transform your organization into the agile org you deserve
12 steps to transform your organization into the agile org you deserve
 
Public Speaking Tips to Help You Be A Strong Leader.pdf
Public Speaking Tips to Help You Be A Strong Leader.pdfPublic Speaking Tips to Help You Be A Strong Leader.pdf
Public Speaking Tips to Help You Be A Strong Leader.pdf
 
Risk-Management-presentation for cooperatives
Risk-Management-presentation for cooperativesRisk-Management-presentation for cooperatives
Risk-Management-presentation for cooperatives
 
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
 
Leadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact PlanLeadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact Plan
 
The Management Guide: From Projects to Portfolio
The Management Guide: From Projects to PortfolioThe Management Guide: From Projects to Portfolio
The Management Guide: From Projects to Portfolio
 
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
 
Strategic Org Design with Org Topologies™
Strategic Org Design with Org Topologies™Strategic Org Design with Org Topologies™
Strategic Org Design with Org Topologies™
 
Employment Practices Regulation and Multinational Corporations
Employment Practices Regulation and Multinational CorporationsEmployment Practices Regulation and Multinational Corporations
Employment Practices Regulation and Multinational Corporations
 
20240608 QFM019 Engineering Leadership Reading List May 2024
20240608 QFM019 Engineering Leadership Reading List May 202420240608 QFM019 Engineering Leadership Reading List May 2024
20240608 QFM019 Engineering Leadership Reading List May 2024
 
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
 
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
 
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
 
Integrity in leadership builds trust by ensuring consistency between words an...
Integrity in leadership builds trust by ensuring consistency between words an...Integrity in leadership builds trust by ensuring consistency between words an...
Integrity in leadership builds trust by ensuring consistency between words an...
 
Comparing Stability and Sustainability in Agile Systems
Comparing Stability and Sustainability in Agile SystemsComparing Stability and Sustainability in Agile Systems
Comparing Stability and Sustainability in Agile Systems
 
Addiction to Winning Across Diverse Populations.pdf
Addiction to Winning Across Diverse Populations.pdfAddiction to Winning Across Diverse Populations.pdf
Addiction to Winning Across Diverse Populations.pdf
 

Internal Control - Who is responsible for what?

  • 1. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 1       Before we answer the question “Who is responsible for what?” with regard to internal control, it’s  critically important that we have a basic understanding of what a system of internal control is, what  its purpose serves, and the components of an effective system of internal control.    The Committee of Sponsoring Organizations of the Treadway Commission updated its Internal  Control – Integrated Framework document in 2013.  The first part of this seminar summarizes its  major concepts and lists its components and principles.                                Committee of Sponsoring Organizations of the Treadway Commission. (2013). Internal Control – Integrated Framework.  Available for purchase or subscription at https://www.cpa2biz.com     
  • 2. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 3       This definition is intentionally broad in order to (a) capture important concepts that are  fundamental to designing, implementing, and assessing internal controls, and (b) to accommodate  subsets of internal control, such as a focusing solely on controls over external financial reporting.    The fundamental concepts are:   Internal control is a process (or, more accurately, a series of processes)   It is effected by people   It provides reasonable assurance   It is objectives‐focused    It’s important to note that a system of internal control is different from an internal control activity.   The system of internal control is the entire process – which is both dynamic and iterative –  effected by the organization.   An internal control activity only a part of the entire process.  An internal control activity by  itself is of little value.  All too often, though, the focus is on the internal control activity and  not the entire system.     
  • 3. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 5       Having a complete system of internal control in place is important because it reduces risk in  achieving objectives.    Risk is simply uncertainty and variability. Therefore, a system of internal control reduces the  uncertainty and variability in achieving objectives.    It’s important to note that it does not eliminate risk. It merely reduces it.  Hence, reasonable  assurance is used in the definition and not absolute assurance.     
  • 4. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 7     Operational Objectives   Relate to the achievement of the organization’s basic mission and vision.   Reflect management’s choices based on the organization’s operating model, its external  environment and industry, and the level of performance it wishes to operate at.   Safeguarding of Assets is included as part of an organization’s operational objectives.  This  includes preventing unauthorized acquisition, use, or disposition of organizational assets.   This specific objective is often considered a separate category of objectives.  And, if so, the  Framework can accommodate that, although COSO considers it an operational objective.    Reporting Objectives   Relate to the preparation of reports for use by the organization internally, external  organizations, and stakeholders.   These are often broken out into sub‐categories:  o Internal Reporting Objectives (Financial and Non‐Financial)  o External Reporting Objectives (Financial and Non‐Financial)   Internal reporting objectives are associated with timely information for management to be  able to make decisions and assess performance.  Reporting standards are set internally by  management and are based on their information needs.   External reporting objectives are associated with accessing capital markets, acquiring credit,  being awarded contracts, reporting to regulators, dealing with suppliers and vendors, and  communicating with customers, constituents, and other stakeholders.   
  • 5. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 9       Compliance Objectives   Related to activities and actions that are governed by laws, rules, and regulations.   These include well‐known laws and regulations, such as those relating to human resources,  taxation, and environmental compliance.  But, they also pertain to more obscure  compliance requirements   Laws and regulations establish minimum standards of conduct.  Any additional standards  imposed on the organization by the organizations governance and management are  considered operational objectives.  Often there is overlap of objective categories. That is, a particular objective may be simultaneously  an operational, reporting, or compliance objective.  That’s perfectly fine.  The key, though, is to  understand how that objective relates to and supports each of those categories.  Because, while a  particular objective may have, say, an operational and reporting function right now.  In the future,  overall operational goals may shift.  That particular objective may no longer be considered an  operational objective, but it may still be considered a reporting objective.  Operational and internal reporting objectives are usually based on the organization’s preferences,  judgements, and choices.  External reporting and compliance objectives are usually based on external requirements.  All objectives, regardless of category, start at the entity level and cascade down to subunits  (divisions, operating units, functions) so that the subunits’ operational objectives support and  contribute to the overall entity‐level objectives.     
  • 6. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 11     Control Environment   The organization demonstrates a commitment to integrity and ethical values.   The board of directors demonstrates independence from management and exercises  oversight of the development and performance of internal control.   Management establishes, with board oversight, structures, reporting lines, and appropriate  authorities and responsibilities in the pursuit of objectives.   The organization demonstrates a commitment to attract, develop, and retain competent  individuals in alignment with objectives.   The organization holds individuals accountable for their internal control responsibilities in  the pursuit of objectives.    Risk Assessment   The organization specifies objectives with sufficient clarity to enable the identification and  assessment of risks relating to objectives.   The organization identifies risks to the achievement of its objectives across the entity and  analyzes risks as a basis for determining how the risks should be managed.   The organization considers the potential for fraud in assessing risks to the achievement of  objectives.   The organization identifies and assesses changes that could significantly impact the system  of internal control.     
  • 7. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 13     Control Activities   The organization selects and develops control activities that contribute to the mitigation of  risks to the achievement of objectives to acceptable levels.   The organization selects and develops general control activities over technology to support  the achievement of objectives.   The organization deploys control activities through policies that establish what is expected  and procedures that put policies into action.    Information and Communication   The organization obtains or generates and uses relevant, quality information to support the  functioning of internal control.   The organization internally communicates information, including objectives and  responsibilities for internal control, necessary to support the functioning of internal control.   The organization communicates with external parties regarding matters affecting the  functioning of internal control.    Monitoring Activities   The organization selects, develops, and performs ongoing and/or separate evaluations to  ascertain whether the components of internal control are present and functioning.   The organization evaluates and communicates internal control deficiencies in a timely  manner to those parties responsible for taking corrective action, including senior  management and the board of directors, as appropriate.     
  • 8. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 15     To be effective, all five components and their relevant principles must be present and functioning,  and they must be operating together in an integrated manner.   “Present and functioning” means that the components and principles exist in the design and  implementation of the system of internal control and continue to exist in the conduct of the  system of internal control.   “Operating together” means that the components collectively reduce risk.    The Framework views all components of internal controls as suitable and relevant to all entities.   Likewise, because principles are fundamental concepts associated with components and have a  significant bearing on the presence and functioning of an associated component, all seventeen  principles are considered suitable and relevant to all entities.  Therefore, if a principle is not present  and functioning, the associated component cannot be considered present and functioning.   Management, with board oversight, may determine that a particular principle is not relevant  to the organization.  However, this is rare.  If it is determined as such, though, the  organization must support its determination with the rationale of how, in the absence of  that principle, the associated component can be present and functioning.      
  • 9. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 17     When a shortcoming exists in a component and relevant principles that reduces the likelihood of  achieving organizational objectives (i.e., increases risk), an internal control deficiency exists.  A major deficiency is one that severely reduces the likelihood of achieving objectives.   Whenever a component and one or more relevant principles are not present or functioning  or when components are not operating together, a major deficiency automatically exists.   When a major deficiency exists, management cannot conclude that it has met the  requirements for an effective system of internal control    When a system of internal control is effective, management and those charged with governance can  be reasonably assured that…   the organization is achieving effective and efficient operations (operations),   the organization is preparing reliable internal and external reports (reporting), and   the organization is operating in compliance with applicable laws and regulations  (compliance).     
  • 10. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 19     Now that we have a basic understanding of what a system of internal control consists of and how it  is designed, we can move on to the seminar’s question:  Who is responsible for what?    Seeing as the system of internal control is effected by people, those people – the organization’s  employees – should have a good understanding of what their roles are, where their role fits into the  entire organization, and, most importantly, what their responsibilities are.    COSO and the Institute of Internal Auditors released a whitepaper in July 2015 to assist  organizations in obtaining a better understanding of roles and responsibilities.  This whitepaper,  Leveraging COSO across the Three Lines of Defense, is summarized the second half of this seminar.                    The Institute of Internal Auditors, Anderson, D., and Eubanks, G. (2015). Leveraging COSO across the Three Lines of  Defense.  Available for download at http://www.coso.org/guidance.htm.     
  • 11. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 21     Organizations may have unique structures, but most have the following broad categories of roles:   Board of Directors (Board of Trustees, City Councilors, Board of Selectmen, etc., a.k.a. Those  Charged with Governance)   Senior Management (CEO, Executive Director, City Administrator, Town Manager, CFO,  Director of Finance, CIO, COO, Chief Legal Officer, etc.)   Operational Managers (subunit managers, divisional managers, functional managers, etc.)   Area Specialists and Internal Monitors (information security, physical security, quality  control, environmental compliance, legal compliance, supply chain, etc.)   Internal Auditors       
  • 12. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 23     The board is responsible for overseeing the system of internal control.   Establish the overall, long‐term objectives of the organization   Define high‐level strategies for achieving objectives   Establish governance structures to best manage risk   Define expectations about integrity, ethical values, transparency, and accountability    To execute their responsibilities properly, board members must…   Have a working knowledge of the organization’s activities and environment   Commit the time necessary to fulfill their responsibilities   Maintain open and unrestricted communications with all entity personnel, independent  auditors, external reviewers, and legal counsel   Be objective, capable, and inquisitive    Together with Senior Management, they establish the Control Environment component of the  system of internal control.     
  • 13. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 25     Senior Management is responsible for designing, implementing, and leading an effective system of  internal control.   Provide leadership and direction in shaping organizational values, standards, expectations of  competence, organizational structure, and accountability   Specify entity‐wide objectives and policies   Maintain oversight and control over the risks the organization faces   Guide the development and performance of control activities at the entity‐level   Communicate expectations and information requirements   Evaluate control deficiencies and their impact on effectiveness of the system of internal  control   Delegate responsibility for designing, implementing, and assessing more specific internal  control procedures to subunit managers.    For functional or operating unit senior management (e.g., CFO, CIO, COO, etc.), they focus on the  objectives of their respective units, ensure that they are aligned with entity‐wide objectives, and  develop and implement internal control policies and procedures to support those objectives.    With board oversight, senior management establishes the Control Environment component of the  system of internal control.     
  • 14. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 27     Operational management are front‐line and mid‐line managers who are responsible for day‐to‐day  ownership of risk and management of control.   Design and implement processes to identify and assess significant risks within their  operational realm.   Select and develop internal control activities to respond to identified risks.   Highlight inadequate processes and address control breakdowns.   Communicate to key stakeholders of the activity.    Operational management is responsible for the Risk Assessment, Control Activities, and  Information and Communication components of the Framework.  Additionally, in conjunction with  the area specialists and internal monitors, they have shared responsibility for the Monitoring  component.     
  • 15. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 29     Area specialists and internal monitors are responsible for the ongoing monitoring of control and risk.   Work closely with operating managers to define implementation strategies   Provide expertise in their respective areas with regard to risk.   Help identify known and emerging risks   Assist management in defining which activities to monitor, assist in designing effective  controls, provide communication and education about control processes, and explain how  to measure success.   Monitor controls on an ongoing basis to determine whether the controls are functioning as  intended.   Evaluate and communicate deficiencies to operating and senior management and assist in  developing corrective actions.    They are part of management and, therefore, are not independent, but they should still exercise an  adequate degree of objectivity.    Along with operational management, they are responsible for the Monitoring component of the  system of internal control.       
  • 16. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 31     Internal auditors are responsible for providing independent, objective assurance to the board and  senior management regarding the design, implementation, and effectiveness of the system of  internal control.   They assess all components of the Framework   They have independence from management and have direct communication with the board.   They provide assurance regarding the efficiency and effectiveness of governance, risk  management, and internal control.   They review all aspects of the organization’s operations and activities.    Internal auditors do not design or implement controls and are not responsible for the organization’s  operations.    They are responsible for assessing and reporting on all components of the system of internal  control.     
  • 17. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 33     The Board and Senior Management set the overall objectives and create a good Control  Environment.  They are not one of the three lines of defense, but rather they use the three lines of  defense to help reduce risk in achieving organizational objectives.    Each level within the organization is accountable to the next higher level for his/her portion of the  internal control system.   Employees who perform control activities (including area specialists and internal monitors)  are accountable to operational management.   Operational management is accountable to senior management.   Members of senior management are accountable to the CEO.   The CEO is accountable to the board.   Internal auditors are accountable to the board.   And, finally, the board is accountable to its shareholders/citizens.    The “lines of defense” should be as distinct as possible, with roles and responsibilities clearly  articulated through policies and procedures and reinforced by a consistent tone at the top and a  sound Control Environment.    The Three Lines of Defense Model is designed to be flexible to allow for different sized and  differently structured organizations.  Therefore, some blending of responsibilities may be okay for  some organizations, but the overall aim should be to delineate as much as possible the three lines of  defense.     
  • 18. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 35     Coordination should not be confused with structure.  While the three lines of defense are separate  and have their own unique responsibilities, they should not operate in isolation.  The idea is to share  information and coordinate efforts regarding risk, control, and governance to achieve the overall  organizational objectives.    The best way to ensure sound structure and effective and efficient coordination is for senior  management to carefully analyze the organization, assign responsibilities to specific individuals, and  communicate those responsibilities through written policies and procedures.    Each person should know their role and both the extent and limits of their responsibilities.   That is,  there should be no gaps in coverage, but there should be no overlap in coverage either.  The former  ensures effectiveness, the latter facilitates efficiency.     
  • 19. Internal Control: Who is Responsible for What? Berry Talbot Royer’s Seminar Series 37     External auditors and regulators are not part of an organization’s system of internal control.   They are not part of the organization   In most cases, they have a limited focus  o For example, regulators may only be concerned with a particular aspect of the  organization, such as controls over expenditures or occupational safety  o Independent financial statement auditors are primarily concerned with financial  reporting controls and place less emphasis on operational and compliance controls  (unless they have some bearing on financial reporting controls).    However, they can help boost the overall governance and control structure   Regulators often have requirements that are intended to strengthen governance and  control   External auditors can provide useful observations about financial reporting risks and related  controls.    External auditors and regulators should not be considered as substitutes for the internal lines of  defense and management does not relinquish its responsibilities simply because regulators and  external auditors examine and report on aspects of the organization.