Introduction
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) introduced the first comprehensive framework for internal control, following a recommendation of the 1987 Report of the National Commission on Fraudulent Financial Reporting (better known as the Treadway Commission). In making the recommendation, the Treadway Commission recognized that internal control is a complex, dynamic, and evolving concept and that research up to that point had produced various interpretations and philosophies of internal control. COSO's Internal Control–Integrated Framework (hereinafter referred to as the COSO framework) was published in 1992 and constituted a unique framework through its recognition that five components of internal control are necessary for effective internal control, and that:
• internal control is designed to assist the organization in achieving its objectives across operations, financial reporting, and compliance;
• the fundamental concepts of internal control apply to all organizations: large or small, for profit and not for profit, and governmental entities;
• management is responsible for effective internal control, with active oversight by boards and those in governance positions; and
• the framework must be fundamentally sound to allow specific internal control processes to evolve with changes in business, technology, and risk.
In December 2011, COSO released for public comment an updated Internal Control–Integrated Framework (Framework) that is intended to help organizations improve performance with greater agility, confidence, and clarity. This paper explains the proposed changes and their impact on CPAs and addresses the question of why change now.
aicpa.org/FRC
Copyright 1992–2012. Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
The strength of the COSO cube is that it clearly depicts the objectives across the top and the components of internal control across the front (including the need to build internal control off a strong control environment). Perhaps most importantly, the control framework is intended to permeate all of the organization, whether structured by subsidiary, divisions, operating units, or departments: Everything begins with the setting of objectives. Internal control relates to the achievement of those objectives.
The components of internal control are interactive with the setting of objectives and with each other (for example, the control environment influences the setting of objectives). Moreover, there is a logical flow in the sense that risks are associated with objectives; those risks are managed or mitigated through the control environment and control procedures. Effective communication facilitates the control processes, and all the processes require effective monitoring.
The updated COSO framework retains the cube as a model because of its strength in portraying the integration of internal control across objectives and throughout the organization. The major change to the COSO cube is that the broader term "reporting" replaces the term "financial reporting" as an objective.
Principles and Attributes. Seventeen principles are systematically derived from the 5 components of internal control to help users understand the fundamental concepts associated with each component. Supporting the 17 principles are 81 attributes, representing characteristics associated with the principles. Although the framework would expect each of the 5 components and 17 principles to be present and functioning, it would not require that all attributes be present, because certain attributes of a principle may come together in various ways to achieve the underlying principle. A summary of the 17 principles is presented as an appendix, and examples of attributes are presented in selected examples that follow.
Reporting. We have clearly moved into an era of instant information. The reporting objective recognizes that investors, owners, regulators, and other users demand more information from an organization and that organizations need effective internal control to ensure that the information is both timely and reliable, regardless of whether the information is operational or financial, graphical or hard numbers, historical or prospective. The reporting objective reflects that increase in reporting opportunities and demands.
Operations and compliance objectives. With increasing regulations designed to protect investors, it is not surprising that compliance objectives have taken on greater importance. At the same time, operations and performance data (part of reporting) have become more integrated. All organizations are under pressure to perform more effectively and efficiently. Organizations that do not have strong internal control in these areas will find it difficult to survive.
Compliance: Federal Regulations
"We are seeing more and more demand in the United States relative to reporting on internal control over compliance. There has been, over the last several years, a real increase in the amount of federal funds that are being disbursed into our economy, and with that comes reporting requirements by entities. Folks who receive certain levels of federal funds must go through an audit of compliance, which also includes reporting on internal control over compliance. Therefore, there are many auditees, from very small nonprofit organizations to major national organizations, who are required to maintain pretty strict internal control over compliance as a result of receiving federal funds. Therefore, those organizations are going to be impacted by this as well."
Comment by Charles Landes, February 2012 round table on the COSO update.
Information Technology. IT has become ubiquitous across organizations and countries. We are interconnected no matter where we are at any moment. Applications are now developed for phones that will take sales orders, data and applications may reside in something now referred to as "a cloud," and there is increased demand for instant and reliable information. The impact of IT is pervasive not only across our personal lives but across all organizations, and the need to properly control IT has never been more important. The updated guidance explicitly recognizes the fundamental role that IT plays in every organization and addresses it in a specific control principle.
Evolving Nature of Controls. The movement to a constantly connected workforce implementing decisions in an instant has changed the balance between preventive and detective controls. Although both still have their place in an internal control structure, the importance and value of preventive controls have grown significantly. It's useful to know that someone just stole $1 million by processing fake invoices through your accounts payable system, but it's better to stop it from happening in the first place.
Fraud risk assessment. Investors and other stakeholders expect organizations to protect from fraud the resources that have been entrusted to them. In 2006, a principle on fraud risk assessment was introduced in COSO's guidance for internal control over small businesses and is retained here. Although some will, at first glance, look at this as an additional requirement in the COSO framework, it by no means represents such a requirement. Fraud is a significant risk that needs to be addressed in order to accomplish the organization's operations, reporting, and compliance objectives. Moreover, when combined with the specific attributes, the COSO framework provides a systematic process in which to assess, mitigate, and control the risk of fraud. See figure 2 for the principle and attributes related to fraud risk assessment as covered in the exposure draft:
Figure 2: Fraud Risk Assessment – Principle and Attributes [1]
Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Considers Various Ways That Fraud Can Occur: The assessment of fraud considers possible loss of assets, fraudulent reporting, and corruption resulting from the various ways that fraud and misconduct can occur.
Considers Risk Factors: An entity's assessment considers factors that influence the significance of the loss of assets and the related impact on operations, reporting, and compliance activities.
Assesses Incentives and Pressures: The assessment of fraud risk considers incentives and pressures.
Assesses Opportunities: The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity's reporting records, or committing other inappropriate acts.
Assesses Attitudes and Rationalizations: The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.
____________
[1] All of the principles and attributes are taken from the exposure draft. See www.coso.org to download a copy of the exposure draft.
In essence, we believe that most CPAs will look at the fraud principles and related attributes and understand the consistency of the COSO guidance with Statement on Auditing Standards No. 99, Consideration of Fraud in a Financial Statement Audit (AICPA, Professional Standards).
Evolving nature of organizational relationships. Organizations are becoming increasingly boundaryless. Companies have integrated operations across the world; many organizations have increasingly strong supply-chain relationships that require constant communication and coordination; joint ventures are ever more common; and outsourcing takes place in production, customer support, and data processing. The COSO guidance has been significantly updated to address internal control issues arising from the evolving nature of organizational relationships.
More detailed guidance. A framework is, by nature, a conceptual design intended to stand the test of time, and the COSO framework is such a framework. Its components of internal control have remained and have proven sufficient as organizations, technology, and societal expectations have changed. However, COSO recognizes that there have been significant changes in how companies are governed, how IT has changed the nature of control procedures, and how controls are monitored. COSO has incorporated four significant structural elements into the COSO framework that should ensure its relevance for coming decades:
1. The COSO framework recognizes changes in the nature of reporting.
2. The principles are designed to be timeless and to provide more detailed guidance in implementing each of the components of the COSO framework.
3. The attributes associated with each principle provide additional structure for implementing the principles but are designed to evolve over time, recognizing that there are many options for implementing the attributes to achieve the objective underlying the principle.
4. The detailed guidance is thoroughly updated to include current examples of internal control related to all three objectives.
As an example of how these elements come together, we examine the guidance related to the control environment with a specific principle that states the following:
Principle 5. The organization holds individuals accountable for their internal control responsibilities in pursuit of objectives.
The guidance identifies five separate attributes of a systematic process to accomplish the principle and, in each case, recognizes that organizations may take different approaches as long as the attribute is present. One of the attributes requires the organization to establish performance measures, incentives, and rewards. This attribute was added to address the potential dysfunctional effects of compensation programs on controls and the potential override of controls. Detailed guidance is given in the following description of considerations to be addressed in implementing this attribute:
Success Measures and Considerations
The guidance groups the considerations under four success measures: Clear Objectives, Defined Implications, Meaningful Metrics, and Adjustment to Changes. The considerations are:
• Consider all levels of personnel to support the achievement of the entity's objectives.
• Consider the multiple dimensions of expected conduct and performance of the organization, outsourced service providers, and business partners (e.g., per service-level agreements); define objectives and related incentives and pressures.
• Define metrics to transform disparate data into meaningful information on performance.
• Communicate and reinforce the entity's objectives and how each area and level of the organization is expected to support the achievement of objectives.
• Identify and discuss events that the market has rewarded in the past and those that the market has punished.
• Communicate consequences (positive and negative) of not achieving, or fully or partially achieving, specific entity objectives.
• Identify and align performance measures with the significant sources of value creation (and destruction) for the entity.
• Measure expected versus actual conduct and the impact of the deviations, both positive and otherwise.
• Assess the expected impact of performance on risk, operational improvement, and business performance.
• Adjust performance measures regularly based on a systematic and continuous evaluation of the potential impacts of risks as these evolve over time, as well as the quantification of the associated rewards.
want to understand each of the principles and whether they are present and functioning within that system of internal control. Similarly, auditors can also use the principles and attributes to help them better understand and assess their client's system of internal control over financial reporting. As part of their risk assessment procedures, if the auditor believes that an applicable principle is missing, or that controls are not operating effectively to achieve any of the principles, the auditor needs to evaluate the control deficiency and will also need to understand how that weakness in the system of internal control affects the risks of material misstatement (whether due to error or fraud) in the financial statements. Additionally, because compliance audits usually require the auditor to test the design and operating effectiveness of internal control over compliance, these principles will also be very helpful in tailoring the auditor's work program in order to understand, test, document, and report internal control deficiencies.
*****
Few things are constant for 20 years. The COSO framework has absolutely stood the test of time, and, correctly so, the COSO board has chosen the twentieth anniversary of the original framework to update its guidance. Although it is difficult to embrace change, we always note that most change is retrospectively viewed as better. Yes, revising the COSO framework is one more change in an almost overwhelming sea of change these days. We are confident that you will find the new document not only easier to use but one that stands ready to continue to evolve with changes in the environment. We urge all readers to let COSO know your thoughts on the proposed COSO framework. Once COSO issues a final document, the AICPA will be developing guidance to assist all CPAs in applying the updated COSO framework.
Appendix: Summary of the 17 Principles
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of the other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
DISCLAIMER: This publication has not been approved, disapproved or otherwise acted upon by any senior technical committees of, and does not represent an official position of, the American Institute of Certified Public Accountants. It is distributed with the understanding that the contributing authors and editors, and the publisher, are not rendering legal, accounting, or other professional services in this publication. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Copyright 2012 by American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775. All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work, please email copyright@aicpa.org with your request. Otherwise, requests should be written and mailed to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC 27707-8110.