COSO - An Internal Control Framework: CONTROLLING RISKS, REACHING GOALS

  • Slides: 22

Prepared by Michael Paul, CGFM

COSO - An Internal Control Framework
• A landmark report commissioned by the Committee on Sponsoring Organizations of the Treadway Commission (COSO).
• Basis of the State Comptroller's guidance for Chapter 647.

Why Internal Control?
• Managers need to meet the objectives of their unit.
• Risks exist to meeting those objectives.
• Controls minimize those risks.
• Managers, not accountants, are ultimately responsible for this.

OBJECTIVES, RISKS, CONTROLS:
• Compliance with laws, regulations, policy and procedures
• Accomplishment of mission
• Reliability of information
• Efficient and effective use of resources
• Safeguarding of assets

OBJECTIVES, RISKS, CONTROLS
• Compliance
• Reliability
• Accomplishment of mission, Efficiency and effectiveness, and Safeguarding of assets: COSO combines these three into a single objective, Effectiveness and efficiency of operations

OBJECTIVES, RISKS, CONTROLS
• Define the risks
• Evaluate each risk: likelihood, cost of loss, duration and its side effects
• Prioritize

OBJECTIVES, RISKS, CONTROLS
• We have risk
• We have identified it
• Measured it
• Prioritized it
• How to diminish it? ACTION

Control worksheet (example)

COSO: 5 Control Elements
• 1. Control Activities*
• 2. Risk Assessment
• 3. Information & Communication
• 4. Monitoring
• 5. Control Environment
* what most people think IC means

To create IC's…
• PPR Objectives: "CARES" - Compliance with rules, Accomplishment of mission, Reliability of information, Efficiency, Safeguarding assets
• Risk: Define, Evaluate, Prioritize, Diminish
• Controls: "CRIMES" - Control activities, Risk Assessment, Information & Communication, Monitoring, Control Environment
• Across each function and unit

The COSO net applies to each function in each unit

ENVIRONMENT
• Integrity & ethical values
• Commitment to competence
• Organizational structure
• Assignment of authority and responsibility
• Human resources practices
• Board participation
• Management style

RISK
• Changes in operating environment
• New personnel
• New information systems
• Rapid growth
• New technology
• New services, activities
• Restructurings
• New accounting procedures or rules

RISK
• Inherent risk: the item itself
• Control risk: controls malfunction
• Detection risk: the problem is missed by auditors
Together these make up the risk of a problem going undetected. The slide writes this as a sum (INHERENT + CONTROL + DETECTION); the standard audit-risk model treats the three as a product (Audit Risk = Inherent × Control × Detection), so reducing any one factor lowers the overall risk.

Control Risk "Events"
• Management and auditors thoroughly brainstorm scenarios of what could go wrong in each process (fraud, waste, abuse, errors, etc.).
• Do this before you create controls, or before you try to assess whether existing ones are effective.

ACTIVITIES* "Hard controls"
• Transactions only as authorized by management
• Periodic counts and reconciliation of records to assets; action on variances
• All transactions are recorded, for reporting & accountability
• Physical controls over access to assets and records
• Segregation of: Authorization, Asset custody, Record keeping
• Reports of budget or prior period vs. actual
• EDP (electronic data processing) requires checks of accuracy, completeness and authorization of each transaction
• Activities are not the whole picture…
* what most people think IC means
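The segregation-of-duties control above (authorization, asset custody and record keeping held by different people) and the requirement that automated processing check each transaction's authorization are the two activities that most often have to be enforced in an IAM system rather than on paper. The following is an added example, not from the slides or from COSO: it is a small Python check that, given a hypothetical role-to-duty mapping and a user-to-role assignment (both constructed sample data), reports users who hold two or more of the three duties within one process, and then runs a detective check over constructed sample transactions to flag approvals by someone without the authorize duty or approvals by the same person who recorded the transaction. Role names, process names and transaction fields are assumptions for illustration.

```python
"""Segregation-of-duties (SoD) check over a role assignment.

Added illustration, not part of the COSO slides. The roles, users and
transactions below are constructed sample data; a real check would read them
from the IAM system and the application's audit log.
"""
from collections import defaultdict

# The three duties COSO's control activities require to be separated, per process.
DUTIES = ("authorize", "custody", "record")

# Hypothetical role-to-duty mapping (constructed). Each role grants (process, duty) pairs.
ROLE_DUTIES = {
    "purchasing_approver": {("purchasing", "authorize")},
    "warehouse_receiver": {("purchasing", "custody")},
    "ap_clerk": {("purchasing", "record")},
    "ap_supervisor": {("purchasing", "authorize"), ("purchasing", "record")},  # toxic role
    "payroll_admin": {("payroll", "authorize")},
    "payroll_clerk": {("payroll", "record")},
}


def duties_by_process(user_roles, role_duties=ROLE_DUTIES):
    """Return {user: {process: set(duties)}} from a user -> [roles] assignment."""
    out = {}
    for user, roles in user_roles.items():
        per_proc = defaultdict(set)
        for role in roles:
            for process, duty in role_duties.get(role, ()):
                per_proc[process].add(duty)
        out[user] = dict(per_proc)
    return out


def sod_conflicts(user_roles, role_duties=ROLE_DUTIES):
    """Preventive check: list (user, process, duties_held) where one person holds
    two or more of the three duties within the same process. Duties held in
    different processes do not conflict."""
    conflicts = []
    for user, procs in duties_by_process(user_roles, role_duties).items():
        for process, duties in sorted(procs.items()):
            held = tuple(d for d in DUTIES if d in duties)
            if len(held) >= 2:
                conflicts.append((user, process, held))
    return conflicts


def unauthorized_transactions(transactions, user_roles, role_duties=ROLE_DUTIES):
    """Detective check over recorded transactions: flag an approval by someone who
    never held the authorize duty for that process, and an approval by the same
    person who recorded the transaction."""
    procs = duties_by_process(user_roles, role_duties)
    flagged = []
    for tx in transactions:
        approver_duties = procs.get(tx["approved_by"], {}).get(tx["process"], set())
        if "authorize" not in approver_duties:
            flagged.append((tx["id"], "approver lacks authorize duty"))
        elif tx["approved_by"] == tx["recorded_by"]:
            flagged.append((tx["id"], "same person approved and recorded"))
    return flagged


# Constructed sample data.
SAMPLE_USERS = {
    "alice": ["purchasing_approver"],
    "bob": ["warehouse_receiver"],
    "carol": ["ap_clerk"],
    "dave": ["ap_supervisor"],                          # conflict through a single role
    "erin": ["payroll_admin", "payroll_clerk"],         # conflict through role accumulation
    "frank": ["warehouse_receiver", "payroll_clerk"],   # duties in different processes: no conflict
}
SAMPLE_TXNS = [
    {"id": "PO-1", "process": "purchasing", "approved_by": "alice", "recorded_by": "carol"},
    {"id": "PO-2", "process": "purchasing", "approved_by": "carol", "recorded_by": "carol"},
    {"id": "PO-3", "process": "purchasing", "approved_by": "dave", "recorded_by": "dave"},
]

if __name__ == "__main__":
    for c in sod_conflicts(SAMPLE_USERS):
        print("SoD conflict:", c)
    for f in unauthorized_transactions(SAMPLE_TXNS, SAMPLE_USERS):
        print("Flagged transaction:", f)
```

The two functions correspond to the two sides of the control: `sod_conflicts` is the preventive check you run on the access model before granting roles, and `unauthorized_transactions` is the detective check that monitoring (see below) runs over the ledger afterwards. Keeping the duty mapping per process is what lets a warehouse receiver also be a payroll clerk without a false positive.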

MONITORING, 3 ways:
• Normal routine actions
• Internal auditors
• External audits and reviews

INFORMATION & COMMUNICATION
• Enables us to capture & exchange the information needed to conduct, manage and control operations
• Accounting system: GL and sub-ledgers
• Training & supervision
• Procedure manuals
• Feedback… fraud hotlines

Benefits of COSO
• Big picture: organization-wide, efficiency, etc.
• Soft controls as well: trust, management style, understanding of procedures, etc.
• Better quality
• Controls integrated with the rest of the business
• Balance of cost vs. benefit

CAVEATS...
• Don't go wild. COSO is one way to approach IC.
• Use it as new controls are added or as questions arise.
• COSO is a mind-set. Keep these ideas in mind as controls are addressed.
• COSO is used wholesale mostly in large corporate settings with internal audit departments able to do a business-wide Control Self-Assessment.

So…
• Don't worry, be happy?... Or
• An ounce of prevention is worth a pound of cure.

COSO, as described by the AICPA: "This landmark report was commissioned by the Committee on Sponsoring Organizations of the Treadway Commission (COSO). It establishes a common definition of internal control that serves the needs of different parties for assessing and improving their control systems. COSO's groundbreaking report includes: Executive Summary; Framework; Reporting to External Parties; Evaluation Tools. The Addendum to Reporting to External Parties is also included. It 'encourages management that reports to external parties on controls over financial reporting to also cover controls over safeguarding of assets against unauthorized acquisition, use, or disposition.' It defines such controls and provides a suggested form of report. Five Evaluation Tools are now available on disk, one for each of the internal control components identified in Integrated Framework for Internal Control. Columnar MS Word templates contain internal control risks, objectives, components and elements with spaces and columns for management or other evaluators to record their assessments, observations and conclusions. Everyone in your firm or company who works with internal controls should have his or her own copy."
https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/Sub+1/Internal+Control+-+Integrated+Framework.htm