Internal Control, Fraud, and the New COSO Framework


Transcription:

Internal Control, Fraud, and the New COSO Framework
Presented By: Zach Chalifour, CPA
November 19, 2014

Housekeeping
- How to ask questions
- Technology questions: 888.387.6851
- CPE eligibility

About Your Presenter
Zach Chalifour, CPA, Senior Manager, James Moore, CPAs

Agenda
- Internal Control Overview: internal control defined; limitations
- COSO Internal Control - Integrated Framework: principles and points of focus
- Fraud Update
- The GAO Green Book
- Transition and Impact of the New COSO Framework
- Questions

Internal Control: Internal Controls Defined
Committee of Sponsoring Organizations (COSO) definition: Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.

Internal Control: Daily Application
Internal controls are a process to accomplish a goal or objective, not just an additional requirement for the sake of doing more work. Consider the controls we use on a daily basis in our personal lives:
- Locking our cars and homes
- Reviewing personal credit card statement charges
- Checking expiration dates on food
- Looking both ways when crossing the road
Controls goal: the same second-nature feeling.

Internal Control Limitations
Inherent limitations of internal controls:
- They are affected by people and technology; internal controls are only as good as the people performing them
- Opportunities for error
- Collusion
- Reasonable, not absolute, assurance
Importance of understanding the benefit of controls:
- Costs vs. benefits
- Preventive vs. detective controls

The New COSO Framework - Overview
COSO Background
COSO (the Committee of Sponsoring Organizations of the Treadway Commission) released its original guidance, Internal Control - Integrated Framework, in 1992. The document was recognized as the leading framework for designing, implementing and conducting internal control and for assessing the effectiveness of internal control.

Overview of Changes
What has not changed:
- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components is required for effective internal control
- Role of judgment in designing, implementing, and conducting internal control, and in assessing effectiveness
What has changed:
- Changes in business and operating environments are considered
- Operations and reporting objectives are expanded
- Fundamental concepts underlying the five components are outlined in 17 principles
- Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives are added
- Certain key areas of concern are specifically addressed, such as fraud and the role of technology

Overview of the Framework
The new COSO framework outlines:
- Definition of internal control
- Categories of objectives
- Components and principles of internal control
- Requirements for effectiveness

New COSO Framework: Internal Control
Definition of internal control: Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

New COSO Framework: Objectives
Categories of objectives:
- Operations
- Reporting (previously Financial Reporting; now includes other types of reporting such as non-financial and internal reporting)
- Compliance

New COSO Framework: Components
Five components of internal control:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring Activities

New COSO Framework: Principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

New COSO Framework: Requirements for Effectiveness
Each principle must be present and functioning for the related component to be considered present and functioning.
- Present: relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives
- Functioning: relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives
Auditor assessment: design and implementation

Additional Requirements for Effective Internal Control
- Each principle is suitable to all entities
- All principles are presumed relevant except in rare situations
- Components operate together when all components are present and functioning
- Internal control deficiencies aggregated across components do not result in one or more major deficiencies
- A major deficiency represents an internal control deficiency, or combination thereof, that severely reduces the likelihood that an entity can achieve its objectives

Role of Internal Controls
- The Framework does not prescribe the controls to be selected, developed, and deployed for effective internal control
- Not one-size-fits-all: management judgment based on factors unique to the entity
- A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles
- However, understanding and considering how controls affect multiple principles can provide persuasive evidence supporting management's assessment of whether components and relevant principles are present and functioning
Internal Control - Integrated Framework

Internal Control Principles
5 components, 17 principles, 83 points of focus
Points of Focus are an evaluation tool and may not all be applicable to each principle. Documentation related to internal control must address each of the 17 principles and whether they are present and functioning, but does not have to touch on each Point of Focus.

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Control Environment: Principle 1
Demonstrates a commitment to integrity and ethical values
Points of Focus:
- Sets the tone at the top
- Establishes standards of conduct
- Evaluates adherence to standards of conduct
- Addresses deviations in a timely manner

Control Environment: Principle 2
Exercises oversight responsibility
- Establishes oversight responsibilities
- Retains oversight for the system of internal control
- Applies relevant expertise
- Operates independently
- Provides oversight

Control Environment: Principle 3
Establishes structure, authority and responsibility
- Considers all structures of the entity
- Establishes reporting lines
- Defines, assigns, and limits authorities and responsibilities

Control Environment: Principle 4
Demonstrates commitment to competence
- Establishes policies and practices
- Evaluates competence and addresses shortcomings
- Attracts, develops and retains individuals
- Plans and prepares for succession

Control Environment: Principle 5
Enforces accountability
- Enforces accountability through structures, authorities and responsibilities
- Establishes performance measures, incentives and rewards
- Evaluates performance measures, incentives and rewards for ongoing relevance
- Considers excessive pressures
- Evaluates performance and rewards or disciplines individuals

Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Risk Assessment
[Figure. Source: Fraud-Related Internal Controls - ACFE]

Risk Assessment: Principle 6
Specifies suitable operations objectives
- Reflects management's choices
- Considers tolerances for risk
- Includes operations and financial performance goals
- Forms a basis for committing resources

Risk Assessment: Principle 6
Specifies suitable external financial reporting objectives
- Complies with applicable accounting standards
- Considers materiality
- Reflects entity activities

Risk Assessment: Principle 6
Specifies suitable external non-financial reporting objectives
- Complies with externally established standards and frameworks
- Considers the required level of precision
- Reflects entity activities

Risk Assessment: Principle 6
Specifies suitable internal reporting objectives
- Reflects management's choices
- Considers the required level of precision
- Reflects entity activities

Risk Assessment: Principle 6
Specifies suitable compliance objectives
- Reflects external laws and regulations
- Considers tolerances for risks

Risk Assessment: Principle 7
Identifies and analyzes risk
- Includes entity, subsidiary, division, operating unit, and functional levels
- Analyzes internal and external factors
- Involves appropriate levels of management
- Estimates significance of risks identified
- Determines how to respond to risks

Risk Assessment: Principle 8
The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Points of Focus:
- Considers various types of fraud
- Assesses incentives and pressures
- Assesses opportunities
- Assesses attitudes and rationalizations

Risk Assessment: Principle 8
Fraud is more than misappropriation of assets or fraudulent financial reporting. Non-financial data can be modified to enhance safety reporting, to show milestones needed for pay raises, or to allow unauthorized use or disposal of assets. The presence of anti-fraud controls is effective at reducing fraud loss, but the risk cannot be completely eliminated.

ACFE Report to the Nations (2014)
- Organizations lose an estimated 5% of revenues annually
- Median loss = $145,000
- Detection of frauds: tips 42%; external audit 3%

[Figure: Fraud Detection (2014 Report to the Nations, ACFE)]
[Figure: Anti-Fraud Controls (2014 Report to the Nations, ACFE)]

[Figure: Primary Internal Control Weaknesses (2014 Report to the Nations, ACFE)]
[Figure: Behavioral Red Flags (2014 Report to the Nations, ACFE)]

Risk Assessment: Principle 9
Identifies and analyzes significant change
- Assesses changes in the external environment
- Assesses changes in the business model
- Assesses changes in leadership

Internal Control Examples: Risk Assessment
Changes that may cause new risks:
- Changes in operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New business models, products, or activities
- Corporate restructurings
- Expanded foreign operations
- New accounting pronouncements or other financial reporting requirements

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Control Activities: Principle 10
Selects and develops control activities
- Integrates with risk assessment
- Considers entity-specific factors
- Determines relevant business processes
- Evaluates a mix of control activity types
- Considers at what level activities are applied
- Addresses segregation of duties

Control Activities: Principle 11
The organization selects and develops general control activities over technology to support the achievement of objectives.
Points of Focus:
- Determines dependency between use of technology and general IT controls (GITC)
- Establishes relevant technology infrastructure control activities
- Establishes relevant security management process control activities
- Establishes relevant technology acquisition, development and maintenance process control activities

Control Activities: Principle 12
Deploys through policies and procedures
- Establishes policies and procedures to support deployment of management's directives
- Establishes responsibility and accountability for executing policies and procedures
- Performs in a timely manner
- Takes corrective action
- Performs using competent personnel
- Reassesses policies and procedures

Internal Control Examples: Control Activities
Control development considerations:
- The type of control (i.e., manual or automated) and the frequency with which it operates
- The complexity of the control
- The risk of management override
- The degree of judgment required to operate the control
- The competence of the personnel who perform the control
- Any changes in key personnel who perform the control
- The nature and materiality of misstatements that the control is intended to prevent or detect
- The degree to which the control relies on the effectiveness of other controls (e.g., general technology controls)
- The evidence of the operation of the control from prior years

[Figure: Segregation of Duties. Source: Fraud-Related Internal Controls - ACFE]

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Information & Communication: Principle 13
Uses relevant information
- Identifies information requirements
- Captures internal and external sources of data
- Processes relevant data into information
- Maintains quality throughout processing
- Considers costs and benefits

Information & Communication: Principle 14
Communicates internally
- Communicates internal control information
- Communicates with the board of directors
- Provides separate communication lines
- Selects relevant method of communication

Information & Communication: Principle 15
Communicates externally
- Communicates to external parties
- Enables inbound communications
- Communicates with the board of directors
- Provides separate communication lines
- Selects relevant method of communication

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Monitoring Activities: Principle 16
Conducts ongoing and/or separate evaluations
- Considers a mix of ongoing and separate evaluations
- Considers rate of change
- Establishes baseline understanding
- Uses knowledgeable personnel
- Integrates with business processes
- Adjusts scope and frequency
- Objectively evaluates

Monitoring Activities: Principle 17
Evaluates and communicates deficiencies
- Assesses results
- Communicates deficiencies to parties responsible for corrective action and to senior management and the board of directors
- Monitors corrective actions

Additional Resource: The GAO Green Book

The Green Book
Standards for Internal Control in the Federal Government
- Published by the United States Government Accountability Office (GAO), publisher of GAGAS, or the Yellow Book
- Last published in 1999
- New edition published September 10, 2014

The Green Book vs. COSO
- Same 5 components as COSO
- Same 17 principles as COSO
- 47 attributes vs. 83 points of focus
- Attributes geared toward application in a governmental environment

The Green Book: Harmonization with COSO
Example:
- COSO (Principle 2): The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Green Book (Principle 2): The oversight body should oversee the entity's internal control system.

Transition and Impact of the New COSO Model

Impact of the New COSO Model
- New COSO Framework issued 5/14/13; effective upon issuance
- Transition period through 12/15/14
- No specific requirements, but standards encourage transition as soon as feasible
- Process/plan in place: not necessarily changes to controls, but mapping existing controls to the model
- Consideration as part of 9/30/14 and subsequent audits: awareness of the new COSO model; updates/assessments performed under the new model

Implementation Considerations
- Most common areas of weakness or lacking controls: risk assessment; monitoring
- Focus on key objectives, then the most important/relevant controls
- Focus on higher-risk areas: controls to mitigate higher risks are much more important than those in low-risk areas
- Consider overlapping risks and objectives: may present an opportunity for efficiency

Internal Controls Start with Education
Individuals must understand and believe in internal controls:
- Those charged with governance
- Management/department heads
- Accounting
- All other departments
- Staff
Education opportunities:
- Orientation and training
- External speakers (e.g., auditors)
Resources:
- COSO Framework: http://www.coso.org/ic.htm (for purchase)
- Green Book: http://www.gao.gov/greenbook/overview
- Your auditors
- Google

Questions
Zach Chalifour, CPA, Senior Manager
James Moore, CPAs
www.jmco.com
Zach.Chalifour@jmco.com
386.257.4100 ext. 4468
www.linkedin.com/in/chalifour