Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Agenda:
• Basics of Internal Controls – what are they?
• COSO framework
• Practical applications to your current processes
Facilitator:
Laura Williams
1
Internal Control Basics
2
Connect
How can we
Controls
manage risk?
3
Internal Control
4
Internal Control
5
Identifying Key Controls
• Financial misstatements
• Business loss
• Loss of funds or materials
• Incorrect or untimely
management information
• Fraud or collusion
• Tarnished reputation with the
public
• Program Sustainability
compromised
• Missed goals
6
COSO Framework
What are the five integrated components of internal control?
7
Updated COSO Framework
8
Updated COSO Framework
At all levels of
The COSO “cube” the organization
5 integrated
components
9
COSO cube – 5 Integrated Components
1. Control Environment
• The set of standards, processes, and
structures that provide the basis for carrying
out internal control
• Comprises integrity and ethical values of
the organization
Control Environment
Fraud Controls, including Controls Over Management Override
Monitoring
Controls
Financial
Information Statement Financial
Transactions
Systems Close Statements
Process
11
COSO cube – 5 Integrated Components
12
COSO cube – 5 Integrated Components
Difference between
Compliance v. Integrity Strategy:
14
COSO cube – 5 Integrated Components
2. Risk Assessment
• Involves a dynamic and iterative process
for identifying and assessing risks
• Risk: the possibility that an event
will occur and adversely affect the
achievement of objectives.
Risk Management
A process applied in
a strategic setting
and across the entity,
designed to identify
and manage risks to
stay within risk
appetite/tolerance
level, to provide Risk Assessment
reasonable assurance An element of internal control within
about achieving the risk management process that
entity goals and enables management to identify
objectives. and assess key risks to achieving its
objectives; this forms the basis on
which control activities are
determined.
16
COSO cube – 5 Integrated Components
Risk assessment
should occur at the business process level as well as the entity level.
17
COSO cube – 5 Integrated Components
Risk Mapping
Consider the organization’s risk tolerance and risk appetite related to the risk
response
IV
III 1
Impact
II 2
Impact (I)
A B C D E F
18
COSO cube – 5 Integrated Components
Risk Strategies
Mitigation
Transfer
Avoidance Improve controls to
Shift responsibility to
Do not proceed! reduce
an external party
likelihood/impact
Creation
Acceptance Seek risk activities
strategically to
Accept the risk!
maximize
opportunities
19
COSO cube – 5 Integrated Components
3. Control Activities
• The actions established through policies
and procedures that help ensure
management’s directives to mitigate risks
are carried out.
• Performed at all levels within the entity
Types: Examples:
• Preventive and detective • Approvals & Authorizations
and corrective • Embedded verifications
• Compensating • Reconciliations
• Manual and automated • Independent Reviews
• Asset security
• Segregation of duties
20
COSO cube – 5 Integrated Components
Preventive Control
Prevents the
occurrence of a
negative event in a
proactive manner
Examples:
• Approval for
purchase > $5,000 Detective Control
• Passwords for Detect the occurrence of a negative
access to Banner event after the fact in a reactive
• Petty cash held in manner
lockbox
• Security and Examples:
surveillance systems • Supervisor review & approval
• Pre-numbered • Report run showing user activity
checks • Reconcile petty cash
• Physical inventory count
• Review missing/voided checks
21
COSO cube – 5 Integrated Components
Control Activities
• If a weakness or limitation exists within the control
environment, a compensating control may be relied upon to
mitigate the risk
• Can be preventive or detective
• Example: A unit does not have the staff resources to establish
an adequate segregation of duties. Potential compensating
controls could include:
o Automation of certain transaction data that cannot be altered
by the staff
o Manager review of detailed summary reports of the transactions
initiated by the staff
o Peer staff and/or manager selects a sample of transactions and
vouches back to supporting documentation
22
COSO cube – 5 Integrated Components
Control Activities
Require action to
be taken by
employees, e.g., Built into network
• Obtain Manual infrastructure
supervisor’s Control and software
approval for applications,
overtime e.g.,
• Reconcile bank Automated • Passwords
accounts Control • Data entry
• Match receiving validation
to POs checks
• Batch controls
23
COSO cube – 5 Integrated Components
24
COSO cube – 5 Integrated Components
Information &
Communication
Things to communicate:
• Initiatives
• Goals
• Changes
• Opportunities
• Feedback
• Questions
• Answers
• Policies
• Procedures
• Standards
• Expectations
25
COSO cube – 5 Integrated Components
5. Monitoring Activities
• Evaluations used to ascertain whether
components of internal control are
present and functioning
• Ongoing evaluations:
• Built into business processes
Findings are
• Provide timely information evaluated
against relevant
• Separate evaluations: criteria
• Conducted periodically
• Vary in scope and frequency Deficiencies are
• Dependent on assessment of communicated
to the Board and
risks, effectiveness of ongoing
Sr. Management
evaluations, other management
considerations
26
COSO cube – 5 Integrated Components
• Identify
• transactions to be tested
• key controls
• applicable standards to test the
transactions (i.e., criteria to judge
compliance effectiveness)
• Determine
• appropriate type of testing
• extent of testing
• Create test plan
• Conduct tests for effectiveness
• Document testing and results
• Assess test results
• Communicate findings, recommendations
27
COSO cube – 5 Integrated Components
Monitoring/Validating Controls
Monitoring/Validating Controls
Deficiency in Operation – A
properly designed control does
not operate as intended, or the
person performing the control
does not possess the necessary
authority or qualification to
perform the control effectively.
29
COSO cube – 5 Integrated Components
Monitoring/Validating Controls
Documentation should be maintained for:
• The evaluation of internal control at the
entity and process levels
• What testing has been performed
• Identified deficiencies
31
Practical Implications
32
Connect
How can we
Controls
manage risk?
33
Identifying Key Controls
First, must …
34
Identifying Key Controls
35
Identifying Key Controls
36
Identifying Key Controls
Segregate Duties
• Don’t make one employee responsible for all parts of a process
Restrict Access
• Don’t provide access to systems, information, assets, etc. unless
needed to complete assigned responsibilities
Independently verify
• Check others’ work
37
Identifying Key Controls
• Focused
• Integrated
• Accurate
• Simple
• Accepted
• Cost Effective
38
Key Points
• No silver bullet
Controller’s Office:
• Laura Williams, Compliance Manager, laurawilliams@uncc.edu, x7-5002
• Phil Maher, Business Process Analyst, pmaher1@uncc.edu, x7-5781
• Greg Verret, Business Process Analyst, gverret@uncc.edu, x7-5782
Internal Audit:
• Tom York, Director, teyork@uncc.edu, x7-5693
• Tommy Earnhardt, Staff Auditor, trearnha@uncc.edu, x7-5694
External sites:
• PwC summary on why the COSO Update deserves your attention:
http://www.pwc.com/en_US/us/10minutes/assets/pwc-10minutes-update-
coso-committee-sponsoring-organizations-treadway-commission.pdf
40