Internal Control, Fraud, and the New COSO Framework
Presented By: Zach Chalifour, CPA
November 19, 2014
Housekeeping
- How to ask questions
- Technology questions: 888.387.6851
- CPE eligibility

About Your Presenter
Zach Chalifour, CPA
Senior Manager, James Moore, CPAs
Agenda
- Internal Control Overview
  - Internal Control Defined
  - Limitations
- COSO Internal Control - Integrated Framework
  - Principles and Points of Focus
- Fraud Update
- The GAO Green Book
- Transition and Impact of New COSO Framework
- Questions
Internal Control

Internal Controls Defined
Committee of Sponsoring Organizations (COSO) definition: Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.
Internal Control: Daily Application
Internal controls are a process to accomplish a goal or objective, not just an additional requirement for the sake of doing more work. Consider controls used on a daily basis in our personal lives:
- Locking our cars and homes
- Reviewing personal credit card statement charges
- Checking expiration dates on food
- Looking both ways when crossing the road
Controls goal: the same second-nature feeling.

Internal Control Limitations
Inherent limitations of internal controls:
- They are affected by people and technology
- Internal controls are only as good as the people performing them
- Opportunities for error
- Collusion
- Reasonable, not absolute, assurance
Importance of understanding the benefit of controls:
- Costs vs. benefits
- Preventive vs. detective controls
The New COSO Framework - Overview

COSO Background
COSO (the Committee of Sponsoring Organizations of the Treadway Commission) released its original guidance, Internal Control - Integrated Framework, in 1992. The document was recognized as the leading framework for designing, implementing and conducting internal control and for assessing the effectiveness of internal control.
Overview of Changes

What Has Not Changed
- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components is required for effective internal control
- Role of judgment in designing, implementing, and conducting internal control, and in assessing effectiveness

What Has Changed
- Changes in business and operating environments considered
- Operations and reporting objectives expanded
- Fundamental concepts underlying the five components outlined in 17 principles
- Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added
- Certain key areas of concern are specifically addressed, such as fraud and the role of technology

Overview of the Framework
The new COSO framework outlines:
- Definition of internal control
- Categories of objectives
- Components and principles of internal control
- Requirements for effectiveness
New COSO Framework: Internal Control
Definition of internal control: Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

New COSO Framework: Objectives
Categories of objectives:
- Operations
- Reporting (previously "Financial Reporting"; now includes other types of reporting such as non-financial and internal reporting)
- Compliance
New COSO Framework: Components
Five components of internal control:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring Activities

New COSO Framework: Principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
New COSO Framework: Requirements for Effectiveness
Each principle must be present and functioning for the related component to be considered present and functioning.
- Present: relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives
- Functioning: relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives
Auditor assessment: design and implementation

Additional Requirements for Effective Internal Control
- Each principle is suitable to all entities
- All principles are presumed relevant except in rare situations
- Components operate together when all components are present and functioning
- Internal control deficiencies aggregated across components do not result in one or more major deficiencies
- A major deficiency represents an internal control deficiency, or combination thereof, that severely reduces the likelihood that an entity can achieve its objectives
Role of Internal Controls
- The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control
  - Not one-size-fits-all
  - Management judgment based on factors unique to the entity
- A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles
- However, understanding and considering how controls affect multiple principles can provide persuasive evidence supporting management's assessment of whether components and relevant principles are present and functioning

Internal Control - Integrated Framework
Internal Control Principles
- 5 components
- 17 principles
- 83 points of focus
Points of focus are an evaluation tool and may not all be applicable to each principle. Documentation related to internal control must address each of the 17 principles and whether they are present and functioning, but does not have to touch on each point of focus.

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Control Environment, Principle 1
Demonstrates a commitment to integrity and ethical values
Points of focus:
- Sets the tone at the top
- Establishes standards of conduct
- Evaluates adherence to standards of conduct
- Addresses deviations in a timely manner

Control Environment, Principle 2
Exercises oversight responsibility
- Establishes oversight responsibilities
- Retains oversight for the system of internal control
- Applies relevant expertise
- Operates independently
- Provides oversight
Control Environment, Principle 3
Establishes structure, authority and responsibility
- Considers all structures of the entity
- Establishes reporting lines
- Defines, assigns, and limits authorities and responsibilities

Control Environment, Principle 4
Demonstrates commitment to competence
- Establishes policies and practices
- Evaluates competence and addresses shortcomings
- Attracts, develops and retains individuals
- Plans and prepares for succession
Control Environment, Principle 5
Enforces accountability
- Enforces accountability through structures, authorities and responsibilities
- Establishes performance measures, incentives and rewards
- Evaluates performance measures, incentives and rewards for ongoing relevance
- Considers excessive pressures
- Evaluates performance and rewards or disciplines individuals

Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Risk Assessment
[Chart: Risk Assessment (source: Fraud-Related Internal Controls, ACFE)]

Risk Assessment, Principle 6
Specifies suitable operations objectives
- Reflects management's choices
- Considers tolerances for risk
- Includes operations and financial performance goals
- Forms a basis for committing resources
Risk Assessment, Principle 6
Specifies suitable external financial reporting objectives
- Complies with applicable accounting standards
- Considers materiality
- Reflects entity activities

Risk Assessment, Principle 6
Specifies suitable external non-financial reporting objectives
- Complies with externally established standards and frameworks
- Considers the required level of precision
- Reflects entity activities
Risk Assessment, Principle 6
Specifies suitable internal reporting objectives
- Reflects management's choices
- Considers the required level of precision
- Reflects entity activities

Risk Assessment, Principle 6
Specifies suitable compliance objectives
- Reflects external laws and regulations
- Considers tolerances for risk
Risk Assessment, Principle 7
Identifies and analyzes risk
- Includes entity, subsidiary, division, operating unit, and functional levels
- Analyzes internal and external factors
- Involves appropriate levels of management
- Estimates significance of risks identified
- Determines how to respond to risks

Risk Assessment, Principle 8
The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Points of focus:
- Considers various types of fraud
- Assesses incentives and pressures
- Assesses opportunities
- Assesses attitudes and rationalizations
Risk Assessment, Principle 8
Fraud is more than misappropriation of assets or fraudulent financial reporting. Non-financial data can be modified to enhance safety reporting, to show milestones needed for pay raises, or to allow unauthorized use or disposal of assets. The presence of anti-fraud controls is effective at reducing fraud loss, but the risk cannot be completely eliminated.

ACFE Report to the Nations (2014)
- Organizations lose an estimated 5% of revenues annually
- Median loss = $145,000
- Detection of frauds: tips 42%, external audit 3%
[Chart: Fraud Detection (2014 Report to the Nations, ACFE)]
[Chart: Anti-Fraud Controls (2014 Report to the Nations, ACFE)]
[Chart: Primary Internal Control Weaknesses (2014 Report to the Nations, ACFE)]
[Chart: Behavioral Red Flags (2014 Report to the Nations, ACFE)]
Risk Assessment, Principle 9
Identifies and analyzes significant change
- Assesses changes in the external environment
- Assesses changes in the business model
- Assesses changes in leadership

Internal Control Examples: Risk Assessment
Changes that may cause new risks:
- Changes in operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New business models, products, or activities
- Corporate restructurings
- Expanded foreign operations
- New accounting pronouncements or other financial reporting requirements
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Control Activities, Principle 10
Selects and develops control activities
- Integrates with risk assessment
- Considers entity-specific factors
- Determines relevant business processes
- Evaluates a mix of control activity types
- Considers at what level activities are applied
- Addresses segregation of duties
Control Activities, Principle 11
The organization selects and develops general control activities over technology to support the achievement of objectives.
Points of focus:
- Determines dependency between use of technology and general IT controls (GITC)
- Establishes relevant technology infrastructure control activities
- Establishes relevant security management process control activities
- Establishes relevant technology acquisition, development and maintenance process control activities

Control Activities, Principle 12
Deploys through policies and procedures
- Establishes policies and procedures to support deployment of management's directives
- Establishes responsibility and accountability for executing policies and procedures
- Performs in a timely manner
- Takes corrective action
- Performs using competent personnel
- Reassesses policies and procedures
Internal Control Examples: Control Activities
Control development considerations:
- The type of control (i.e., manual or automated) and the frequency with which it operates
- The complexity of the control
- The risk of management override
- The degree of judgment required to operate the control
- The competence of the personnel who perform the control
- Any changes in key personnel who perform the control
- The nature and materiality of misstatements that the control is intended to prevent or detect
- The degree to which the control relies on the effectiveness of other controls (e.g., general technology controls)
- The evidence of the operation of the control from prior years

[Chart: Segregation of Duties (source: Fraud-Related Internal Controls, ACFE)]
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Information & Communication, Principle 13
Uses relevant information
- Identifies information requirements
- Captures internal and external sources of data
- Processes relevant data into information
- Maintains quality throughout processing
- Considers costs and benefits
Information & Communication, Principle 14
Communicates internally
- Communicates internal control information
- Communicates with the board of directors
- Provides separate communication lines
- Selects relevant method of communication

Information & Communication, Principle 15
Communicates externally
- Communicates to external parties
- Enables inbound communications
- Communicates with the board of directors
- Provides separate communication lines
- Selects relevant method of communication
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Monitoring Activities, Principle 16
Conducts ongoing and/or separate evaluations
- Considers a mix of ongoing and separate evaluations
- Considers rate of change
- Establishes baseline understanding
- Uses knowledgeable personnel
- Integrates with business processes
- Adjusts scope and frequency
- Objectively evaluates
Monitoring Activities, Principle 17
Evaluates and communicates deficiencies
- Assesses results
- Communicates deficiencies to parties responsible for corrective action and to senior management and the board of directors
- Monitors corrective actions

Additional Resource: The GAO Green Book
The Green Book
Standards for Internal Control in the Federal Government
- Published by the United States Government Accountability Office (GAO), publisher of GAGAS (the Yellow Book)
- Last published in 1999
- New edition published September 10, 2014

The Green Book: Green Book vs. COSO
- Same 5 components as COSO
- Same 17 principles as COSO
- 47 attributes vs. 83 points of focus
- Attributes geared toward application in a governmental environment
The Green Book: Harmonization with COSO
Example:
- COSO (Principle 2): The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Green Book (Principle 2): The oversight body should oversee the entity's internal control system.

Transition and Impact of New COSO Model
Impact of New COSO Model
- New COSO Framework issued 5/14/13
  - Effective upon issuance
  - Transition period through 12/15/14
- No specific requirements, but standards encourage transition as soon as feasible
  - Process/plan in place
  - Not necessarily changes to controls
  - Mapping existing controls to model
- Consideration as part of 9/30/14 and subsequent audits
  - Awareness of new COSO model
  - Updates/assessments performed under new model

Implementation Considerations
- Most common areas of weakness or lacking in controls:
  - Risk assessment
  - Monitoring
- Focus on key objectives, then the most important/relevant controls
- Focus on higher-risk areas: controls to mitigate higher risks are much more important than those for low-risk areas
- Consider overlapping risks and objectives: may present an opportunity for efficiency
Internal Controls Start with Education
Individuals must understand and believe in internal controls:
- Those charged with governance
- Management/department heads
  - Accounting
  - All other departments
- Staff
  - Accounting
  - All other departments

Education opportunities:
- Orientation and training
- External speakers (e.g., auditors)

Resources:
- COSO Framework: http://www.coso.org/ic.htm (for purchase)
- Green Book: http://www.gao.gov/greenbook/overview
- Your auditors
- Google
Questions
Zach Chalifour, CPA
Senior Manager, James Moore, CPAs
www.jmco.com
Zach.Chalifour@jmco.com
386.257.4100 ext. 4468
www.linkedin.com/in/chalifour