
COSO INTERNAL CONTROL FRAMEWORK

Overview of Internal Control


Second GAAS Standard of Field Work
Obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement to design the nature, timing, and extent of further audit procedures.

The importance of ICs in auditing:

Also, SOX 404, AS #5, GAAS, etc.

Internal Control Defined


COSO* definition of internal control: The process effected by an entity's board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Reliability of financial reporting
Efficiency and effectiveness of operations
Compliance with laws and regulations
* Committee of Sponsoring Organizations of the Treadway Commission


Internal Control Framework


Components of COSO's Internal Control-Integrated Framework
(the most commonly used framework for evaluating internal controls)

Figure 10-2 from Arens, Elder, and Beasley, Auditing and Assurance Services: An Integrated Approach, 11th ed

Control Environment

Tone at the top
Actions, policies, and procedures reflecting overall attitudes about internal control
Some important control environment factors include:


Risk Assessment

This is management's risk assessment (not the auditor's):



Control Activities

Adopted to provide reasonable assurance that the entity's objectives will be achieved
Particularly difficult for smaller companies due to limited number of personnel


Control Activity Classifications


1. adequate segregation of duties
2. proper approval and/or authorization of transactions and activities
3. design and use of adequate documents and records
4. physical controls over assets and records (e.g., fireproof storage areas, access cards, inventory storerooms)
5. independent checks (reviews) on performance

Segregation of Duties

Asset Custody / Accounting
Transaction Authorization / Related Asset Custody
Operational Responsibility / Recordkeeping Responsibility
IT Duties / User Departments

Important to prevent opportunity to perpetrate and conceal errors or fraud.


Authorizations

General authorization: authorizations based on approval of all transactions within limits of a certain policy

Specific authorization: case-by-case authorizations resulting from unwillingness to implement general authorization

Adequate Documents and Records

Pre-numbered consecutively; ________________ assertion
Prepared in timely manner; ________________ assertion
Sufficiently simple and designed for multiple uses when possible
Constructed to facilitate correct preparation

Independent Checks

Design of the input screen for computer-based systems

Careful and continuous review of other four control activities:
Segregation of Duties
Approval and Authorization
Adequate Documents
Physical Controls

Independence of person from other activity
Easily implemented with computerized systems


Information and Communication

Mechanisms for getting all the information to the financial statements
To understand this system, auditor must understand:
major classes of transactions
how transactions are initiated
how transactions are recorded
the accounting records that exist
how system captures other events significant to the financial statements
nature and details of the financial reporting process followed

Monitoring of Controls

Periodic review and modification (if necessary) of controls to ensure controls are operating as intended
Internal auditing department in larger organizations is an example
Performed by staff independent of operations and accounting
Report directly to a high level of the organization
Auditor might be able to rely on internal audit work (SAS 65, AS5)
