Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Introduction
The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) has updated the internal control
framework that many organizations use to assess internal
control over financial reporting to address changes in the
business, operating and regulatory environment since it
issued its original framework in 1992. We believe that the
structure and rigor of COSOs 2013 Internal Control
Integrated Framework (the 2013 framework) will increase
transparency and accountability in an organizations process
of designing and implementing a system of internal control.
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 1
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 2
Control environment
Risk assessment
Control activities
Monitoring activities
Reporting2
While the 2013 Framework retains the Reporting objective from the
original framework, it was expanded to include additional types of
reporting, such as internal and non-financial reporting.
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 3
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 4
What is different?
1. Control environment
2. Risk assessment
3. Control activities
Principles in
the framework
4. Information and
communication
5 Monitoring
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 5
Otherenhancementstothe2013frameworkinclude:
Transition
While the fundamental concepts of the original framework
havent changed, organizations should consider whether
any changes are needed in their internal controls, their
documentation of those controls or their annual assessment
process. At a minimum, organizations adopting the 2013
framework will need to evaluate whether their existing
system of internal control addresses the elements of the
2013 framework and update their existing documentation to
demonstrate compliance with the 17 principles. The following
discussion, and the questionnaire in Appendix A, are intended
to help organizations making the transition.
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 6
Summary
Transitioning to COSO 2013 will require incremental effort,
more for some organizations than others. Organizations
should get an early start so that the transition can be
thoughtful and the benefits of an effective system of internal
control can be fully realized. As always, we would be pleased
to discuss the evaluation of internal control over financial
reporting with you, and provide our advice where appropriate.
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 7
Principles 10 through 12 The organization should consider whether it has identified and implemented control activities
that are designed to address the identified financial reporting risks. Such controls include automated controls that are
supported by relevant IT general controls.
Principle 13 In evaluating the design of controls at the process/transaction level, management should consider whether
(1) it has identified the information necessary to support the operation of controls as intended and (2) whether it has
adequate controls in place to obtain or generate quality information to support the functioning of the controls.
As a result, organizations should generally consider each of the above for controls that address financial reporting risks at the
process/transaction level (i.e., for controls that address risks for each relevant assertion, related significant accounts or
disclosures and underlying processes) as part of the evaluation of their design and operation.
Control Environment
The control environment is the set of standards, processes and structures that provide the basis for carrying out internal
control across the organization. The board of directors and senior management establish the tone at the top regarding the
importance of internal control and expected standards of conduct.
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 1
Yes
No
Reference
1.2
1.3
1.4
1.5
1.6
1.7
Are those in top management hired from outside made familiar with
the importance of high ethics and controls?
1.8
1.9
1.10
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 2
Yes
1.11
1.12
No
Reference
Other
Principle 2: The board of directors demonstrates independence from management and exercises oversight of
the development and performance of internal control.
2.1
2.2
2.3
2.4
2.5
Does the audit committee have a charter outlining its duties and
responsibilities? Does the audit committee have adequate resources
and authority to discharge its responsibilities
2.6
2.7
2.8
Does the board of directors or the audit committee stay abreast with
current internal control practices in the entity as well as the industry,
and is it aware of recent regulations and changes that affect the overall
system of internal control at the organization?
Other
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 3
Yes
No
Reference
Principle 3: Management establishes, with board oversight, structures, reporting lines and appropriate
authorities and responsibilities in the pursuit of objectives.
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
Are the contractual terms with outsourced service providers clear and
concise with regard to the organizations objectives and expectations
of conduct and performance, competence levels and expected
information and communication flow?
3.9
3.10
Other
Principle 4: The organization demonstrates a commitment to attract, develop and retain competent
individuals in alignment with objectives.
4.1
4.2
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 4
Yes
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
No
Reference
Other
Principle 5: The organization holds individuals accountable for their internal control responsibilities in the
pursuit of objectives.
5.1
Does the organizations structure and tone at the top help establish
and enforce individual accountability for performance of internal
control responsibilities? Does it communicate and reinforce the
accountability for responsible conduct of all personnel?
5.2
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 5
Yes
5.3
5.4
5.5
5.6
5.7
5.8
No
Reference
Other
Risk Assessment
Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entitys objectives
and forming a basis for determining how risks should be managed. In this context, risk assessment involves identifying and
analyzing risks that the organizations external financial statements are not fairly presented in accordance with the
requirements of the applicable financial reporting framework. As part of this process, management considers possible changes
in the external environment, such as changes in the applicable financial reporting standards and within its own processes and
procedures, that may impede its ability to achieve its objectives.
Yes
No
Reference
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and
assessment of risks relating to objectives.
6.1
Are the external financial reporting objectives consistent with the relevant
financial reporting framework and appropriate in the circumstances?
6.2
6.3
Relevant assertions
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 6
Yes
6.4
No
Reference
6.5
6.6
6.7
Other
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and
analyzes risks as a basis for determining how the risks should be managed.
7.1
7.2
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 7
Yes
7.3
7.4
7.5
7.6
No
Reference
Other
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 8
Yes
No
Reference
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of
objectives.
8.1
8.2
8.3
8.4
Does the assessment of fraud risk consider the opportunities for willful
violations of laws or governmental regulations that could have a
material direct or indirect impact on external financial reporting?
8.5
Does the assessment of fraud risk consider the various ways that
fraudulent financial reporting could occur? For example:
Management bias
8.6
Does the assessment of fraud risk consider how management and other
personnel might engage in or justify inappropriate actions?
8.7
Other
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 9
Yes
No
Reference
Principle 9: The organization identifies and assesses changes that could significantly impact the system of
internal control.
9.1
9.2
9.3
Other
Control Activities
Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate
risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various
stages within business and financial reporting processes, and over the technology environment.
Yes
No
Reference
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks
to the achievement of objectives to acceptable levels.
10.1
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 10
Yes
10.3
10.4
10.5
10.6
10.7
10.8
Has the organization considered the precision (i.e., the degree to which
controls, if operating effectively, would prevent or detect
misstatements in the financial statements that could be material) of the
controls when evaluating the extent to which they address the identified
risks? For example, have they considered the following:
10.9
10.10
10.11
10.12
10.13
No
Reference
Other
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 11
Yes
No
Reference
Principle 11: The organization selects and develops general control activities over technology to support the
achievement of objectives.
11.1
11.2
Has the organization identified each system that performs a role in the
processing of transactions underlying significant accounts or
disclosures and established IT general controls over those systems?
11.3
11.4
Do policies and procedures exist and are they followed with regard to
obtaining and implementing patches to the operating system, database
and application software?
11.5
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 12
Yes
Entity networks
Internet/intranet sites
No
Reference
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 13
Yes
11.6
11.7
11.8
11.9
No
Reference
Other
Principle 12: The organization deploys control activities through policies that establish what is expected and
procedures that put policies into action.
12.1
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 14
Yes
12.2
No
Reference
12.3
12.4
Does the organization have formal policies and procedures in place that:
Other
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 15
No
Reference
Principle 13: The organization obtains or generates and uses relevant, quality information to support the
functioning of internal controls.
13.1
13.2
13.3
13.4
13.5
13.6
Other
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 16
Yes
No
Reference
Principle 14: The organization internally communicates information, including objectives and responsibilities
for internal control, necessary to support the functioning of internal control.
14.1
14.2
14.3
Are there written job descriptions and reference manuals that describe
the duties of personnel, including their internal control responsibilities?
14.4
14.5
14.6
14.7
14.8
14.9
14.10
14.11
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 17
Yes
14.12
No
Reference
Other
Principle 15: The organization communicates with external parties regarding matters affecting the
functioning of internal control.
15.1
15.2
15.3
15.4
15.5
Other
Monitoring
Monitoring consists of the activities used to ascertain whether each of the five components of internal control, including
controls to address the principles within each component, is present and functioning. Findings are evaluated and deficiencies
are communicated in a timely manner, with serious matters reported to senior management and to the board of directors.
Yes
No
Reference
Principle 16: The organization selects, develops and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.
16.1
16.2
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 18
Yes
16.3
No
Reference
The levels of risk throughout the entity (e.g., the level of risk by
location, by business unit, by business process)
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
Other
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 19
Yes
No
Reference
Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner
to those parties responsible for taking corrective action, including senior management and the board of
directors, as appropriate.
17.1
17.2
17.3
17.4
Are the results of the internal audit activities reported to the following,
as appropriate (and in accordance with the relevant reporting
requirements):
a) Senior management
b) Board of directors or audit committee
c) Independent auditors
17.5
17.6
17.7
17.8
Other
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 20
Control environment: The set of standards, processes, and structures that provide the basis for carrying out
internal control across the organization
Principle 1: The organization demonstrates a commitment to integrity and ethical values.
Points of Focus:
1. Sets the tone at the top The board of directors and management at all levels of the entity demonstrate through their
directives, actions and behaviors the importance of integrity and ethical values to support the functioning of the system
of internal control.
2. Establishes standards of conduct The expectations of the board of directors and senior management concerning the
integrity and ethical values are defined in the entitys standards of conduct and understood at all levels of the
organization and by outsourced providers and business partners
3. Evaluates adherence to standards of conduct Processes are in place to evaluate the performance of individuals and
teams against the entitys expected standards of conduct
4. Addresses deviations in a timely manner Deviations from the entitys expected standards of conduct are identified
and remedied in a timely and consistent manner.
Control reference
Documents reviewed:
Description of deficiency
Control reference
Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes | 1