COSO Final Changes May 2013 
Consideration of changes in business and operating environments 
Expanded operations and reporting objectives 
Fundamental concepts of the five components now known as principles 
Added additional approaches and examples concerning operations, compliance and non-financial reporting 
Internal Controls – Myths and “Best Practices” 
2
Updated matrix: Objectives, Components, Organizational structure
Best Practices?
Internal Control Myths 
Internal Control Myths 
Internal control means different things to different people 
Not a “cure-all” in the prevention and detection of possible fraudulent activities 
Internal Control Myths 
• Judgment
• Breakdowns
• Management override
• Collusion
• Materiality
• Point-in-time evaluation
• Cost/Benefit considerations
Focus Points – Control Environment 
Is there “Tone at the Top”? 
Are there standards of conduct concerning integrity and ethical values? 
Is there an evaluation of individual and/or team performance against the standards of conduct? 
Focus Points – Control Environment 
Are deviations from the expected standards of conduct identified and remediated both consistently and timely? 
Does the board of directors or an appropriate level of oversight operate independently from management?
Are there established lines of authority and reporting? 
Focus Points – Control Environment 
Have performance measures, incentives and rewards been established? 
Is there a process to evaluate competence and address shortcomings?
Do the board of directors and management evaluate and adjust for excessive pressures?
Examples – Control Environment
Organization has a policy on the importance of integrity and ethics throughout the company. 
The BOD and senior management have formulated a set of policies on integrity and ethics. 
These policies are regularly posted on the firm’s internal portal and in newsletters, and are incorporated into contracts with outsourced service providers.
Examples – Control Environment
There is a formal training program to make employees aware of the importance of complying with the standards of conduct.
Management has a formal process to evaluate individuals against the policies and standards of conduct. 
Management proactively identifies and addresses deviations from the company’s integrity and ethics policies.
Examples – Control Environment
The BOD has a charter that is comprehensive and outlines the board’s oversight responsibilities. 
The board consists of members with significant experience, with some members coming from outside organizations. 
The board delegates certain responsibilities to its committees, with each committee having a well-defined charter.
Focus Points – Risk Assessment 
Has management designed and evaluated lines of reporting? (Complex lines of authority are best.) 
Does the board of directors retain oversight responsibility for management’s development and performance of internal controls? 
Do the operations objectives reflect management’s choices about structure, industry considerations, and performance? 
Focus Points – Risk Assessment 
Is there a process in place to determine how to respond to risks and are the responses appropriate? 
Does management ensure compliance with applicable accounting standards, regulations, laws, etc.? 
What are the acceptable levels of variation relative to operational objectives and financial performance? 
Focus Points – Risk Assessment 
Does the risk identification process include changes in the external environment, the business model and/or changes in leadership? 
Does management’s fraud risk assessment also assess incentives, pressures, opportunities, attitudes and rationalizations? 
Does management’s risk assessment consider various types of fraud?
Examples – Risk Assessment 
Operational personnel possess the necessary skills to identify risks associated with new technology. 
Risks are identified and reviewed at the appropriate level. 
Objectives within the company are clearly defined. 
Examples – Risk Assessment 
Policies, procedures and controls support the fraud identification and remediation processes. 
Risks are identified by senior management and reviewed by the head of quality assurance. 
Risk assessments are reviewed by the BOD at least annually. 
Focus Points – Control Activities 
Do control activities address and mitigate risks? 
Do relevant business processes have and maintain current control activities? 
Do control activities include a range and variety of controls, including both manual and automated controls, as well as preventive and detective controls? 
Focus Points – Control Activities 
Do control activities address segregation of duties? 
Do the control activities include technology general controls, including technology infrastructure? 
Do control activities include controls that are designed and implemented to restrict technology access? 
Focus Points – Control Activities 
Do control activities address responsibility and accountability, and is corrective action taken timely?
Are policies and procedures developed timely? 
Are control policies and procedures re-assessed to determine their continued use or relevance? 
Examples – Control Activities 
The company has developed control activities that link to the risks identified in the risk assessment process. 
The company has controls over technology, including access controls, changes and infrastructure. 
The company maintains policies and procedures that clearly outline expectations. 
Examples – Control Activities 
Staff is formally trained on policies and procedures. 
Remedial action taken in response to departures from approved policies and procedures is applied consistently.
The BOD provides oversight in determining the compensation of executive officers.
Focus Points – Information and Communication 
Is a process in place to identify all information required to support internal control functions? 
Does the information system capture internal and external data and transform relevant data into information?
Does management weigh the costs and benefits of the nature, quantity and precision of the information that supports the company’s operational objectives?
Best Practices – Information and Communication 
Is internal control information communicated to personnel?
Are there separate communication lines used to enable anonymous or confidential communication? 
Are the selected methods of communication relevant to their purpose?
Best Practices – Information and Communication 
Is there a process in place to communicate timely information to external parties? 
Are there open channels of communication to allow input from external sources? 
Do the methods of communication consider the timing, audience and the nature of the communication? 
Examples – Information and Communication 
Information policies are well developed, and relevant, quality information is generated to support all aspects of internal control.
Objectives and internal control responsibilities are clearly communicated, at least quarterly. 
External communications are in place, such as robust customer feedback and supplier partner programs.
Examples – Information and Communication 
A committee is appointed for the development or revision of information systems based upon the strategic plans and overall strategy of the company.
Channels of communication are established for people to report suspected improprieties and/or suggestions for improvement.
Appropriate resources are committed to the development of necessary information.
Focus Points – Monitoring Activities 
Is there a mix of ongoing and separate evaluations? 
Is there a baseline understanding for ongoing and separate evaluations?
Do the evaluators have sufficient knowledge and training? 
Focus Points – Monitoring Activities 
Do the ongoing evaluations adjust to changing conditions? 
Does management adjust the scope and frequency of separate evaluations depending on risk?
Do the evaluations provide objective feedback? 
Focus Points – Monitoring Activities 
How do management and the board of directors assess the results of ongoing and separate evaluations?
How are deficiencies communicated to the relevant parties?
How does management track whether deficiencies are remediated timely? 
Examples – Monitoring Activities 
Quality assurance conducts internal operational reviews with input and oversight of internal audit. 
Personnel performing reviews receive formal training on new technology and processes. 
Experienced senior managers review internal operational reports.
Examples – Monitoring Activities 
Deficiencies are evaluated as to severity and responsibility, and communicated to senior management.
A tracking system for deficiencies is developed to ensure they are remediated timely.
Deficiencies are also reported to the board of directors or the appropriate level of oversight.
