Internal controls myths and best practices
1.
2. COSO Final Changes May 2013
Consideration of changes in business and operating environments
Expanded operations and reporting objectives
Fundamental concepts of the five components now known as principles
Added additional approaches and examples concerning operations, compliance and non-financial reporting
Internal Controls – Myths and “Best Practices”
6. Internal Control Myths
Internal control means different things to different people
Not a “cure-all” in the prevention and detection of possible fraudulent activities
8. Focus Points – Control Environment
Is there “Tone at the Top”?
Are there standards of conduct concerning integrity and ethical values?
Is there an evaluation of individual and/or team performance against the standards of conduct?
9. Focus Points – Control Environment
Are deviations from the expected standards of conduct identified and remediated both consistently and timely?
Does the board of directors or an appropriate level of oversight operate independently from management?
Are there established lines of authority and reporting?
10. Focus Points – Control Environment
Have performance measures, incentives and rewards been established?
Is there an evaluation process to evaluate competence and address shortcomings?
Do the board of directors and management evaluate and adjust for excessive pressures?
11. Examples – Control Environment
Organization has a policy on the importance of integrity and ethics throughout the company.
The BOD and senior management have formulated a set of policies on integrity and ethics.
These policies are regularly flashed on the firm’s internal portal, newsletters and incorporated into contracts with outsourced service providers.
12. Examples – Control Environment
There is a formal training program to make employees aware of the importance of complying with the standards of conduct.
Management has a formal process to evaluate individuals against the policies and standards of conduct.
Management proactively identifies and addresses deviations against the company’s integrity and ethics policies.
13. Examples – Control Environment
The BOD has a charter that is comprehensive and outlines the board’s oversight responsibilities.
The board consists of members with significant experience, with some members coming from outside organizations.
The board delegates certain responsibilities to its committees, with each committee having a well-defined charter.
14. Focus Points – Risk Assessment
Has management designed and evaluated lines of reporting? (Complex lines of authority are best.)
Does the board of directors retain oversight responsibility for management’s development and performance of internal controls?
Do the operations objectives reflect management’s choices about structure, industry considerations, and performance?
15. Focus Points – Risk Assessment
Is there a process in place to determine how to respond to risks and are the responses appropriate?
Does management ensure compliance with applicable accounting standards, regulations, laws, etc.?
What are the acceptable levels of variation relative to operational objectives and financial performance?
16. Focus Points – Risk Assessment
Does the risk identification process include changes in the external environment, the business model and/or changes in leadership?
Does management’s fraud risk assessment also assess incentives, pressures, opportunities, attitudes and rationalizations?
Does management’s risk assessment consider various types of fraud?
17. Examples – Risk Assessment
Operational personnel possess the necessary skills to identify risks associated with new technology.
Risks are identified and reviewed at the appropriate level.
Objectives within the company are clearly defined.
18. Examples – Risk Assessment
Policies, procedures and controls support the fraud identification and remediation processes.
Risks are identified by senior management and reviewed by the head of quality assurance.
Risk assessments are reviewed by the BOD at least annually.
19. Focus Points – Control Activities
Do control activities address and mitigate risks?
Do relevant business processes have and maintain current control activities?
Do control activities include a range and variety of controls, including both manual and automated controls, as well as preventive and detective controls?
20. Focus Points – Control Activities
Do control activities address segregation of duties?
Do the control activities include technology general controls, including technology infrastructure?
Do control activities include controls that are designed and implemented to restrict technology access?
21. Focus Points – Control Activities
Do control activities address responsibility and accountability and take corrective action timely?
Are policies and procedures developed timely?
Are control policies and procedures re-assessed to determine their continued use or relevance?
22. Examples – Control Activities
The company has developed control activities that link to the risks identified in the risk assessment process.
The company has controls over technology, including access controls, changes and infrastructure.
The company maintains policies and procedures that clearly outline expectations.
23. Examples – Control Activities
Staff is formally trained on policies and procedures.
Consistency of remedial action taken in response to departures from approved policies and procedures.
Oversight of the BOD in determining compensation of executive officers.
24. Focus Points – Information and Communication
Is a process in place to identify all information required to support internal control functions?
Does the information system process capture internal and external data and transform relevant data into information?
Does management consider the costs and benefits with the nature, quantity and precision of information that supports the company’s operational objectives?
25. Best Practices – Information and Communication
Is internal control information communicated with personnel?
Are there separate communication lines used to enable anonymous or confidential communication?
Are the selections of communications relevant?
26. Best Practices – Information and Communication
Is there a process in place to communicate timely information to external parties?
Are there open channels of communication to allow input from external sources?
Do the methods of communication consider the timing, audience and the nature of the communication?
27. Examples – Information and Communication
Information policies are well developed, relevant, and quality information is generated to support all aspects of internal control.
Objectives and internal control responsibilities are clearly communicated, at least quarterly.
External communications are in place, such as robust customer feedback and supplier partner programs.
28. Examples – Information and Communication
Committee appointed for development or revision of information systems based upon strategic plans and overall strategy of the company.
Establishment of channels of communications for people to report suspected improprieties and/or suggestions for improvements.
Commitment of appropriate resources for the development of necessary information.
29. Focus Points – Monitoring Activities
Is there a mix of ongoing and separate evaluations?
Is there a baseline understanding for ongoing and separate evaluations?
Do the evaluators have sufficient knowledge and training?
30. Focus Points – Monitoring Activities
Do the ongoing evaluations adjust to changing conditions?
Does management adjust the scope and frequency of separate evaluations depending on risk?
Do the evaluations provide objective feedback?
31. Focus Points – Monitoring Activities
How do management and the board of directors assess results of ongoing and separate evaluations?
How are deficiencies communicated to parties?
How does management track whether deficiencies are remediated timely?
32. Examples – Monitoring Activities
Quality assurance conducts internal operational reviews with input and oversight of internal audit.
Personnel performing reviews receive formal training on new technology and processes.
Experienced senior management review internal operational reports.
33. Examples – Monitoring Activities
Deficiencies are evaluated as to severity, responsibility and communicated to senior management.
Development of a tracking system for deficiencies to ensure that they are remediated timely.
Deficiencies are also reported to the Board of directors or the appropriate level of oversight.