UNDERSTANDING YOUR ORGANIZATION’S INTERNAL CONTROL SYSTEM (ICS)
INTERNAL CONTROL – INTEGRATED FRAMEWORK (FRAMEWORK)
COSO 1992
INTERNAL CONTROL OBJECTIVES
• EFFECTIVENESS AND EFFICIENCY OF OPERATIONS.
• SAFEGUARDING OF ASSETS.
Internal Control Components
1. CONTROL ENVIRONMENT
2. RISK ASSESSMENT
3. CONTROL ACTIVITIES
4. INFORMATION AND COMMUNICATION
5. MONITORING
THE CONTROL ENVIRONMENT
The control environment sets the tone of an organization by influencing the control consciousness of its people. It reflects the attitude and actions of the board and management regarding the significance of control within the organization. It is the foundation for all other components of internal control, providing discipline and structure for the achievement of the primary objectives of the system of internal control.
THE CONTROL ENVIRONMENT FACTORS
• Integrity and Ethical Values
• Commitment to Competence
• Board of Directors or Audit Committee
• The “tone at the top”: Management Philosophy and Operating Style
• Organizational Structure
• Assignment of Authority, Responsibility, Accountability & People Development
• Human Resource Policies and Practices
RISK ASSESSMENT
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
WHAT IS RISK?
Risk is the possibility of a potential threat occurring that will have an adverse impact on the achievement of objectives.
Risk is measured in terms of consequences, likelihood and velocity* of risks.
*recently added by RM Experts
RISK ASSESSMENT
It implies:
1. Risk identification
- related to the objectives of the organization
- comprehensive
- includes risks due to external and internal factors
2. Risk evaluation
- estimating the significance of the risk
- assessing the likelihood of the risk occurrence
4. Development of responses
- Four types of responses to risk must be considered: transfer, tolerance, treatment or termination; of these, risk treatment is the most relevant because effective internal control is the major mechanism to treat risk;
- the appropriate controls involved can be either detective or preventive.
RISK ASSESSMENT
As governmental, economic, industry, regulatory and operating conditions are in constant change, risk assessment should be an ongoing iterative process.
• IDENTIFICATION OF CRITICAL SUCCESS FACTORS
• MANAGING CHANGE
Elements of Risk
Element: An event
Description/Example: from outside or inside the organization
Measure the Risks and Summarize Results for Each Operating Unit
RISK ASSESSMENT
SOCIAL RISK
ECONOMIC RISK
TECHNOLOGY RISK
OPERATIONAL RISK
PROGRAMS/PROJECTS RISK
CONTINUITY RISK
REPUTATION RISK
HUMAN RESOURCES RISK
CYCLE TIME RISK
PARTNERING RISK
COMPLIANCE/REGULATORY RISK
POLITICAL RISK
GOVERNANCE RISK
COMMON RISK CATEGORIES
STRATEGIC
• COMPLIANCE
• ECONOMIC
• POLITICAL
• LAWS & REGULATIONS
• SOCIAL
• GOVERNANCE
OPERATIONAL
• PROGRAM RISK
• CORRUPTION
• HR RISKS
• IT/TECHNOLOGY
• PARTNERING
• CYCLE TIME
HAZARD
• NATURAL DISASTERS
• TERRORISM
• EPIDEMICS
FINANCIAL
• FUNDING
• FOREIGN EXCHANGE
• LIQUIDITY
• POOR FINANCIAL MANAGEMENT
• ACCOUNTING PROBLEMS
What if the risk is not in the dictionary?
1. QUANTITATIVE
o Historical/Predictive Models
o Non-probabilistic
o Probabilistic
o Based on benchmark
2. QUALITATIVE
Qualitative Methods
Use when:
• Quantification is not possible
• Sufficient and credible data are not available
• Obtaining or analyzing data is not cost-effective.
2 Moderate 1 to 2 years
RESPONSE: DESCRIPTION
Avoid/Terminate: Exit or eliminate the source of the risk. Get out of the activity.
Share/Transfer: Find a reliable partner or insure the risk.
Reduce/Treat: Mitigate the likelihood or impact of the risk in case it happens.
Accept/Tolerate: Do nothing to mitigate but monitor the risk.
Exploit/Take Opportunity: Do circumstances arise that offer a positive outcome?
Factors indicative of increased risk reporting for an organization:
• Changes in the organization’s regulatory or operating environment
• Changes in personnel
• Organizational restructurings
CONTROL ACTIVITIES
• PHYSICAL CONTROLS
• SEGREGATION OF DUTIES
• DIRECT FUNCTIONAL OR ACTIVITY MANAGEMENT
CONTROL ACTIVITIES
Examples of Types of Control Activities:
- Authorization and approval procedures;
- Segregation of duties (authorizing, processing, recording, reviewing);
- Control over access to resources and records;
- Verifications;
- Reconciliations;
- Reviews of operating performance;
- Reviews of operations, processes and activities;
- Supervision (assigning, reviewing and approving, guidance and training).
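Segregation of duties, listed above, is the control activity that can most readily be checked mechanically from the records a process already produces. The following is an added example, not code from the original slides: a Python check that walks a constructed set of transaction records and flags every transaction on which one user performed two of the four duties the slide names (authorizing, processing, recording, reviewing), and separately every transaction on which a duty was never performed at all. The record layout, the incompatibility policy and the sample records are assumptions made for the illustration.

```python
"""Segregation-of-duties check over constructed transaction records.

Added example; not code from the original slides. The four duties come
from the slide (authorizing, processing, recording, reviewing). The record
layout, the incompatibility policy and the sample records are assumptions.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Duties the slide says must be segregated.
DUTIES = ("authorize", "process", "record", "review")

# Policy assumption: no single person may perform any two of these duties on
# the same transaction (the strictest reading of the slide). A real policy
# might allow some pairs; remove them from this set to relax the check.
INCOMPATIBLE: Set[frozenset] = {frozenset(p) for p in combinations(DUTIES, 2)}

Record = Tuple[str, str, str]  # (transaction id, duty performed, user id)

# Constructed sample records.
SAMPLE_RECORDS: List[Record] = [
    ("TX-1001", "authorize", "alice"),
    ("TX-1001", "process", "bob"),
    ("TX-1001", "record", "carol"),
    ("TX-1001", "review", "dave"),      # clean: four duties, four people
    ("TX-1002", "authorize", "alice"),
    ("TX-1002", "process", "alice"),    # conflict: authorizer also processes
    ("TX-1002", "record", "carol"),
    ("TX-1002", "review", "dave"),
    ("TX-1003", "authorize", "bob"),
    ("TX-1003", "process", "carol"),
    ("TX-1003", "record", "carol"),     # conflict: processor also records ...
    ("TX-1003", "review", "carol"),     # ... and reviews her own work
    ("TX-1004", "authorize", "bob"),
    ("TX-1004", "process", "dave"),     # gap: never recorded or reviewed
]


def group_duties(records: List[Record]) -> Dict[str, Dict[str, Set[str]]]:
    """Map transaction id -> user -> set of duties that user performed on it."""
    grouped: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for tx_id, duty, user in records:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r} on {tx_id}")
        grouped[tx_id][user].add(duty)
    return grouped


def find_sod_violations(records: List[Record]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {tx_id: [(user, duty_a, duty_b), ...]} for every incompatible
    pair of duties one user performed on one transaction. Pairs are listed
    in sorted order so the report is stable run to run."""
    violations: Dict[str, List[Tuple[str, str, str]]] = {}
    for tx_id, users in group_duties(records).items():
        found = []
        for user, duties in users.items():
            for pair in INCOMPATIBLE:
                if pair <= duties:  # this user performed both duties
                    a, b = sorted(pair)
                    found.append((user, a, b))
        if found:
            violations[tx_id] = sorted(found)
    return violations


def find_missing_duties(records: List[Record]) -> Dict[str, List[str]]:
    """Return {tx_id: [duty, ...]} for transactions on which some duty was
    never performed by anyone: a control gap rather than a conflict."""
    missing: Dict[str, List[str]] = {}
    for tx_id, users in group_duties(records).items():
        performed = set().union(*users.values())
        gap = [d for d in DUTIES if d not in performed]
        if gap:
            missing[tx_id] = gap
    return missing


if __name__ == "__main__":
    for tx, hits in find_sod_violations(SAMPLE_RECORDS).items():
        for user, a, b in hits:
            print(f"{tx}: {user} performed both '{a}' and '{b}'")
    for tx, gap in find_missing_duties(SAMPLE_RECORDS).items():
        print(f"{tx}: no one performed {', '.join(gap)}")
```

The two functions report different failures on purpose: a conflict means the control existed but one person defeated its intent, while a missing duty means the control never ran; a reviewer would follow up on each differently. The same shape works for an access-control check (user, resource, permission) by swapping the duty tuple and the policy set.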
CONTROL ACTIVITIES
Information Technology Control Activities:
1. General Controls
General controls are the structure, policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure their proper operation. They create the environment in which application systems and controls operate.
CONTROL ACTIVITIES
Major Categories of General Controls:
1. Entity-wide security program planning and
management;
2. Access controls;
• ORGANIZATIONAL COMMUNICATION
MONITORING
• MECHANISM TO EVALUATE ONGOING ACTIVITIES AND REPORT SERIOUS DEFICIENCIES
• REPORT REVIEW
UNMONITORED CONTROLS TEND TO DETERIORATE OVER TIME.
WHAT SHOULD BE MONITORED?
• RISK INDICATORS
• INTERNAL CONTROLS
MONITORING BENEFITS:
- Identify and correct internal control problems on a timely basis.
- Produce more accurate and more reliable information for decision-making.
- Prepare accurate and timely financial statements.
- Be in a position to provide periodic assurance on adequacy and effectiveness of internal controls.
From COSO Guidance on Monitoring
IMPLEMENTING MONITORING
Establishing a foundation:
- Proper tone at the top
- Effective organizational structure that assigns monitoring roles to people with appropriate capability, objectivity and authority
- Starting point or “baseline” of known effective internal controls from which ongoing monitoring and separate evaluations can be implemented.
From COSO Guidance on Monitoring
IMPLEMENTING MONITORING
Ongoing evaluations:
- Built into operational processes at different levels of the organization.
Separate evaluations:
- Conducted periodically
- Depending on assessment of risks and effectiveness of ongoing evaluations, and other management considerations (e.g., compliance requirements)
SELF-REVIEW, PEER REVIEW, SUPERVISORY REVIEW, IMPARTIAL REVIEW
INTERNAL CONTROL SYSTEM (diagram)
Components shown: MONITORING, CONTROL ACTIVITIES, RISK ASSESSMENT, CONTROL ENVIRONMENT, with INFORMATION & COMMUNICATION running along both sides; INTERNAL AUDIT alongside the system.
RELATIONSHIP OF OBJECTIVES AND COMPONENTS
• ADDITIONAL CONSIDERATIONS
THE FRAMEWORK
• COMPONENTS
• CONTROL ENVIRONMENT
• RISK ASSESSMENT
• CONTROL ACTIVITIES
• INFORMATION AND COMMUNICATION
• MONITORING ACTIVITIES
• LIMITATIONS OF INTERNAL CONTROL
Purpose of the Framework
• The purpose of the Internal Control – Integrated Framework (Framework) is to help management better control the organization and to provide a board of directors¹ with an added ability to oversee internal control.
¹ Throughout the Framework, the term “the entity and its subunits” refers collectively to the overall entity, divisions, subsidiaries, operating units, and functions.
The COSO definition is intentionally broad for two reasons:
COMPONENTS AND PRINCIPLES
OBJECTIVES, COMPONENTS AND PRINCIPLES
• OPERATIONS OBJECTIVES
• REPORTING OBJECTIVES
• COMPLIANCE OBJECTIVES
Safeguarding of Assets
• The operations category of objectives includes safeguarding of assets, in other words, protecting and preserving entity assets.
OBJECTIVES
1. OPERATIONS: Executing orderly, economical, efficient, effective and ethical operations
Component: Control Environment
Factors:
• Competency of the personnel responsible for internal control
• Use of and dependence on technology
• Management’s responses to assessed risks.
COSO’s 17 PRINCIPLES OF INTERNAL CONTROL
• Organizational Boundaries Must be Articulated and Measurable
• 17 Principles
• Risks Relate To Objectives
• Supporting Components
• Points of Focus
The Framework Changes the Nature of
Operational Audits
TIMING/PLACEMENT
- PREVENTIVE
- DIRECTIVE
- DETECTIVE
- CORRECTIVE/RECOVERY
EFFECT ON OBJECTIVES
- KEY CONTROLS
- FAIL-PROOF CONTROLS
DATA PROCESSING
- AUTOMATED (SYSTEM-BASED) VS. MANUAL (PEOPLE-BASED)
TIMING OF INTERNAL CONTROLS
DESCRIPTION / EXAMPLES (table; only these cells survived extraction)
- BROAD IN NATURE
- TRAINING
- IT CONFIGURATION STANDARDS
DETECTIVE CONTROLS
DESCRIPTION / EXAMPLES
KEY CONTROLS
DESCRIPTION / EXAMPLES
A BEHAVIOR-SHAPING CONSTRAINT DESIGNED INTO A PROCESS TO PREVENT INCORRECT OPERATION BY THE USER.
FAIL-PROOF CONTROLS: CALL CENTERS
GENERAL CONTROLS
- DATA CENTER OPERATIONS
- SYSTEMS SOFTWARE ACQUISITION AND MAINTENANCE
- ACCESS SECURITY
- APPLICATION SYSTEMS DEVELOPMENT AND MAINTENANCE
APPLICATION CONTROLS
- PROCESSING OF SPECIFIC APPLICATION, e.g., RUNNING A PROGRAM TO PREPARE CASH GRANTS PER MONTH.
CONTROLS CATEGORIES
USES / EXAMPLES
1. STANDARDIZE PERFORMANCE FOR INCREASING EFFICIENCY AND REDUCING COSTS. - TIME AND MOTION STUDIES, INSPECTIONS, WRITTEN PROCEDURES OF WORK SCHEDULES
4. PROVIDING FREE LIMITS TO USE OF DELEGATED AUTHORITY WITHOUT FURTHER TOP MANAGEMENT APPROVAL. - ORGANIZATION AND PROCEDURE MANUALS, POLICY DIRECTIVES AND INTERNAL AUDIT
7. PERMIT TOP MANAGEMENT TO KEEP VARIOUS PLANS AND PROGRAMS IN BALANCE. - MASTER BUDGET, POLICY MANUALS, ORGANIZATIONAL MANUALS, AND THE USE OF OVERSIGHT COMMITTEES AND MANAGEMENT CONSULTANTS.
SEGREGATION OF DUTIES
PHYSICAL
AUTHORIZATION AND APPROVAL
MANAGEMENT
SUPERVISION
ORGANIZATION
ARITHMETIC AND ACCOUNTING
PERSONNEL
CRITERIA FOR INTERNAL CONTROL
MANAGEMENT TO DEVELOP ADEQUATE CRITERIA?
APPROPRIATE CRITERIA
EVALUATE CONTROLS
EVALUATING CONTROLS
ADEQUACY
EFFECTIVENESS
EFFICIENCY
ECONOMY
TIMELINESS
CONTROL CRITERIA
TIMING OF CONTROLS
IMPLEMENTATION OF CONTROLS
ADEQUACY
At the least, all key controls exist and are executed effectively and efficiently.
EFFECTIVENESS
The control is able to prevent, detect or correct risks as planned or intended (doing the right things to manage risks).
EFFECTIVENESS OF INTERNAL CONTROL
DETERMINING WHETHER A PARTICULAR INTERNAL CONTROL SYSTEM IS “EFFECTIVE” IS A SUBJECTIVE JUDGEMENT RESULTING FROM AN ASSESSMENT OF WHETHER THE FIVE COMPONENTS ARE PRESENT AND FUNCTIONING EFFECTIVELY.
THEIR EFFECTIVE FUNCTIONING PROVIDES THE REASONABLE ASSURANCE REGARDING THE ACHIEVEMENT OF ONE OR MORE OF THE STATED CATEGORIES OF OBJECTIVES.