COSO Internal Control Framework

Components of Internal Control (SAS 78):
• The control environment
• Risk assessment
• Information and communication
• Monitoring
• Control activities
Control Environment
• The control environment sets the tone for the organization and influences the control awareness of its management and employees.

Elements of the control environment:
• Integrity and ethical values of management
• Structure of the organization
• Participation of the organization's board of directors and the audit committee
• Management's philosophy and operating style
• Procedures for delegating responsibility and authority
• Management's methods for assessing performance
• External influences (e.g. examinations by regulatory agencies)
• Organization's policies and practices for managing human resources

Techniques used to gain an understanding of the control environment:
• Assess the integrity of the organization's management
• Identify conditions conducive to management fraud
• Understand the client's business and industry
• Determine whether the board and audit committee are actively involved
• Study the organization structure (segregation of duties)
Risk Assessment
• Risk assessment is used to identify, analyze and manage risks relevant to financial reporting.

Circumstances that may change the risks relevant to financial reporting:
• Changes in the operating environment
• Changes in personnel
• Changes in information systems / new IT
• Significant or rapid growth
• New products or services (limited experience)
• Organizational restructuring
• Foreign markets
• New accounting principles
Information and Communication
• Information and communication consists of the records and methods used to initiate, identify, classify, and record the organization's transactions and to account for related assets and liabilities.

An effective AIS (accounting information system) will:
• Identify and record all valid economic transactions
• Provide timely, detailed information
• Accurately measure financial values
• Accurately record transactions

Auditors obtain sufficient knowledge of the information systems to understand:
• Classes of transactions that are material
• Accounting records and accounts used
• Processing steps, from initiation to inclusion in the financial statements
• The financial reporting process (including disclosures)
Monitoring
• Monitoring is the process by which the quality of internal control design and operation can be assessed.
• Separate procedures (e.g. tests of controls, TOCs)
• Ongoing activities (e.g. embedded audit modules)
Control Activities
• Control activities are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization's identified risks. Categories: computer (IT) controls and physical controls.

Physical Controls
• Transaction authorization
  – Examples:
    · Sales only to authorized customers
    · Sales only if within the customer's available credit limit
• Segregation of duties
  – Examples of incompatible duties:
    · Authorization vs. processing [e.g., sales vs. customer authorization]
    · Custody vs. recordkeeping [e.g., custody of inventory vs. data processing of inventory]
    · Separate the steps in a process so that fraud requires collusion
• Supervision
  – Serves as a compensating control when a lack of segregation of duties exists by necessity
• Accounting records (audit trails)
• Access controls
  – Direct (to the assets)
  – Indirect (to the documents that control the assets)
  – Fraud
• Independent verification
  – Management can assess:
    · The performance of individuals
    · The integrity of the AIS
    · The integrity of the data in the records
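The three physical controls above (transaction authorization, segregation of duties, and accounting records as an audit trail) can be enforced in an order-entry system. The following is an added example, not code from the original slides: the customers, user names, roles and orders are constructed sample data, and the role names `credit_manager` and `order_clerk` are hypothetical.

```python
"""Transaction authorization, segregation of duties and an audit trail
for sales orders. Added example; all customer, user and order data below
is constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass
class Customer:
    customer_id: str
    authorized: bool          # on the approved customer list
    credit_limit: Decimal
    outstanding: Decimal      # unpaid balance already owed


@dataclass
class SalesOrder:
    order_id: str
    customer_id: str
    amount: Decimal
    authorized_by: Optional[str] = None
    processed_by: Optional[str] = None


# Constructed sample data: two customers and a role table (hypothetical users).
CUSTOMERS: Dict[str, Customer] = {
    "C100": Customer("C100", True, Decimal("10000"), Decimal("7500")),
    "C200": Customer("C200", False, Decimal("5000"), Decimal("0")),
}
ROLES: Dict[str, set] = {
    "alice": {"credit_manager"},                  # may authorize
    "bob": {"order_clerk"},                       # may process
    "carol": {"credit_manager", "order_clerk"},   # holds incompatible duties
}
AUDIT_TRAIL: List[dict] = []   # accounting record of every control decision


def _log(order: SalesOrder, user: str, action: str, outcome: str) -> None:
    AUDIT_TRAIL.append({"order": order.order_id, "user": user,
                        "action": action, "outcome": outcome})


def authorize_order(order: SalesOrder, user: str) -> bool:
    """Transaction authorization: sell only to an authorized customer and
    only within that customer's available credit."""
    if "credit_manager" not in ROLES.get(user, set()):
        _log(order, user, "authorize", "rejected: user lacks authorization role")
        return False
    customer = CUSTOMERS.get(order.customer_id)
    if customer is None or not customer.authorized:
        _log(order, user, "authorize", "rejected: customer not authorized")
        return False
    available = customer.credit_limit - customer.outstanding
    if order.amount > available:
        _log(order, user, "authorize", f"rejected: exceeds available credit {available}")
        return False
    order.authorized_by = user
    _log(order, user, "authorize", "approved")
    return True


def process_order(order: SalesOrder, user: str) -> bool:
    """Processing step. Segregation of duties: the person who authorized an
    order may not also process it, even if they hold both roles."""
    if order.authorized_by is None:
        _log(order, user, "process", "rejected: order not authorized")
        return False
    if "order_clerk" not in ROLES.get(user, set()):
        _log(order, user, "process", "rejected: user lacks processing role")
        return False
    if user == order.authorized_by:
        _log(order, user, "process", "rejected: same person authorized and processed")
        return False
    order.processed_by = user
    CUSTOMERS[order.customer_id].outstanding += order.amount
    _log(order, user, "process", "recorded")
    return True


if __name__ == "__main__":
    o1 = SalesOrder("SO-1", "C100", Decimal("2000"))
    print(authorize_order(o1, "alice"), process_order(o1, "bob"))    # True True
    o2 = SalesOrder("SO-2", "C100", Decimal("1000"))                # only 500 credit left
    print(authorize_order(o2, "alice"))                              # False
    o3 = SalesOrder("SO-3", "C200", Decimal("100"))                 # unauthorized customer
    print(authorize_order(o3, "alice"))                              # False
    o4 = SalesOrder("SO-4", "C100", Decimal("100"))
    print(authorize_order(o4, "carol"), process_order(o4, "carol"))  # True False
    for entry in AUDIT_TRAIL:
        print(entry)
```

The audit trail records rejected attempts as well as approvals, which is what makes it useful for the independent verification and supervision controls listed on the same slide: a supervisor can see that carol tried to both authorize and process SO-4.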
IT Controls
• General controls
  – Not application-specific, i.e. they apply to all systems
  – Include controls over:
    · IT governance
    · IT infrastructure
    · Security and access to operating systems and databases
    · Application acquisition and development
    · Program change procedures
• Application controls
  – Ensure the validity, completeness, and accuracy of financial transactions

General Controls
• Access to programs and data
• Program changes
• Computer operations
• Program development

Application Controls
• Depend on the existence of business processes that use automated controls or IT-dependent controls.
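The validity, completeness and accuracy objectives of application controls can be checked mechanically over a batch of journal entries before it is posted. The following is an added example, not part of the original slides: the chart of accounts, batch header with control totals, and journal entries are constructed sample data, and the third entry deliberately carries one defect of each kind.

```python
"""Application input controls (validity, completeness, accuracy) run over a
constructed batch of journal entries. Added example; all data is made up."""
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import Dict, List

# Constructed chart of accounts: account code -> description
CHART_OF_ACCOUNTS = {"1000": "Cash", "1200": "Accounts receivable", "4000": "Sales revenue"}

# Constructed batch: the header carries control totals keyed in by the preparer;
# each entry line is (account, debit, credit).
BATCH_HEADER = {"record_count": 3, "control_total_debits": "1500.00"}
BATCH_ENTRIES = [
    {"seq": 1, "date": "2024-03-01", "lines": [("1200", "1000.00", "0"), ("4000", "0", "1000.00")]},
    {"seq": 2, "date": "2024-03-02", "lines": [("1000", "500.00", "0"), ("1200", "0", "500.00")]},
    # defective entry: sequence gap, impossible date, unknown account, unbalanced
    {"seq": 4, "date": "2024-02-30", "lines": [("9999", "10.00", "0"), ("4000", "0", "9.00")]},
]


def _money(text: str) -> Decimal:
    try:
        return Decimal(text)
    except InvalidOperation:
        raise ValueError(f"not a valid amount: {text!r}")


def validity_checks(entry: Dict) -> List[str]:
    """Validity: account codes must exist in the chart of accounts and the
    posting date must be a real calendar date."""
    errors = []
    try:
        date.fromisoformat(entry["date"])
    except ValueError:
        errors.append(f"seq {entry['seq']}: invalid date {entry['date']}")
    for code, _, _ in entry["lines"]:
        if code not in CHART_OF_ACCOUNTS:
            errors.append(f"seq {entry['seq']}: unknown account {code}")
    return errors


def completeness_checks(header: Dict, entries: List[Dict]) -> List[str]:
    """Completeness: the record count matches the header and the sequence
    numbers are unbroken, so no entry was lost or inserted in transit."""
    errors = []
    if len(entries) != header["record_count"]:
        errors.append(f"record count {len(entries)} != header {header['record_count']}")
    seqs = [e["seq"] for e in entries]
    expected = list(range(1, len(entries) + 1))
    if seqs != expected:
        errors.append(f"sequence gap: got {seqs}, expected {expected}")
    return errors


def accuracy_checks(header: Dict, entries: List[Dict]) -> List[str]:
    """Accuracy: every entry balances (debits == credits) and the batch debit
    total agrees with the control total on the header."""
    errors = []
    total_debits = Decimal("0")
    for e in entries:
        debits = sum(_money(d) for _, d, _ in e["lines"])
        credits = sum(_money(c) for _, _, c in e["lines"])
        if debits != credits:
            errors.append(f"seq {e['seq']}: unbalanced entry (Dr {debits} / Cr {credits})")
        total_debits += debits
    if total_debits != _money(header["control_total_debits"]):
        errors.append(f"batch debits {total_debits} != control total {header['control_total_debits']}")
    return errors


def run_application_controls(header: Dict, entries: List[Dict]) -> List[str]:
    """Run all three control families; an empty list means the batch may post."""
    errors = completeness_checks(header, entries) + accuracy_checks(header, entries)
    for e in entries:
        errors.extend(validity_checks(e))
    return errors


if __name__ == "__main__":
    for problem in run_application_controls(BATCH_HEADER, BATCH_ENTRIES):
        print(problem)
```

Rejecting the whole batch rather than silently dropping the bad entry is the point: a dropped entry would leave the record count and control total unexplained, and the audit trail would not show why the batch no longer balances.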