Transcription of Internal Control–Integrated Framework
1 Internal control integrated Framework0 September 2012 Internal control integrated FrameworkTable of Contents Project Overview Updates to Internal control - integrated Framework1 Overview of Internal control over External Financial Reporting: ACompendium of Approaches and Examples Public Exposure ProcessProject Overview2 Project OverviewOriginalFramework(today)COSO s Internal control integrated Framework (1992 Edition)Changes in business,operating, and regulatoryInternal and non-financial reportingFundamental conceptsrelating to effectiveWhy Update What Works3 Enhancementsto ease use andapplicationUpdatedFrameworkCOSO sInternal control integrated Framework (Draft, 2013 Edition)operating, and regulatoryenvironmentsUpdates Contextfinancial reportingobjectivesExpands Applicationrelating to effectiveinternal controlFormalizes PrinciplesUnderlying ComponentsProject TimetableAssess & SurveyStakeholdersDesign &BuildPublic Exposure &AssessFinalize42010201120122013 Project ParticipantsCOSOB oard of DirectorsPwCAuthor and Project Leader5 COSO Advisory Council AICPA AAA FEI IIA IMA Public Accounting Firms Regulatory observers Others (IFAC, ISACA, others)
2 Stakeholders Over 700 stakeholders in originalFramework responded to global surveyduring 2011 Over 200 stakeholders commented onproposed updates to original Frameworkduring first quarter of 2012 Additional public exposure of proposedpublications during fourth quarter of 2012 Project Deliverables: Internal control -IntegratedFramework Consists of three volumes: Executive Summary Framework and Appendices6 Illustrative Tools: Assessing Effectiveness of a System ofInternal control Sets out: Definition of Internal control Requirements for effectiveness Categories of objectives Components of Internal controlProject Deliverables: Internal control over ExternalFinancial Reporting: A Compendium Approaches and Examples illustratehow principles are applied inpreparing financial statements7 Considers changes in business,operating, and regulatoryenvironments during past two decades Is relevant for variety of entities public, private, not-for-profit, andgovernment Is consistent with the updatedFrameworkUpdates to Internal control integrated Framework8 Updates to Internal control integrated FrameworkInternal control - integrated Framework First published in 1992 Gained wide acceptancefollowing financial control9following financial controlfailures of early 2000 s Most widely used Framework inthe US Also widely used around theworldOriginal COSO CubeFundamental concepts of Internal control are timeless Geared to achievement of objectives operations, reporting.
3 And compliance A process ongoing tasks and activities Effected by people actions taken at every level of the organization Able to provide reasonable assurance but not absolute assurance10 Able to provide reasonable assurance but not absolute assurance Adaptable to entity structure flexible in application Five components of Internal control requirements to achieve effective internalcontrol control Environment Risk Assessment control Activities Information and Communication Monitoring ActivitiesUpdates intended to ease use and applicationWhat is not is Retains the core definition ofinternal control2. Retains the five components ofinternal control1. Formalizes fundamental conceptsunderlying the five components changes in business,11internal control3. Retains the requirement of fivecomponents for an effective ofsystem of Internal control4. Retains important role of judgmentin designing, implementing, andconducting Internal control , and inassessing effectiveness of changes in business,operating, and regulatoryenvironments3.
4 Expands financial reportingobjective to include other importantforms of reporting4. Provides additional approaches andexamples relevant to operations,compliance, and non-financialreporting objectivesRequirements for effective Internal control Retains concept that effective Internal control provides reasonable assuranceregarding achievement of objectives Effective Internal control requires that: Each of the five components of Internal control and relevant principles are present andfunctioning12functioning The five components are operating together in an integrated manner When a component or relevant principle is deemed not present and functioning, orwhen components are deemed not operating together, a major deficiency exists When a major deficiency exists, the entity cannot conclude that it has met therequirements for effective Internal controlAn effective system of Internal control reduces, to an acceptablelevel, the risk of not achieving an EnvironmentUpdate formalizes fundamental concepts embedded in theoriginal Framework as commitment to integrity and ethical values2.
5 Exercises oversight responsibility3. Establishes structure, authority and responsibility4. Demonstrates commitment to competence5. Enforces accountability13 Risk AssessmentControl ActivitiesInformation &CommunicationMonitoring Activities6. Specifies suitable objectives7. Identifies and analyzes risk8. Assesses fraud risk9. Identifies and analyzes significant change10. Selects and develops control activities11. Selects and develops general controls over technology12. Deploys through policies and procedures13. Uses relevant information14. Communicates internally15. Communicates externally16. Conducts ongoing and/or separate evaluations17. Evaluates and communicates deficienciesChanges in the updates to the for governance oversightUpdate considers changes in business, operating, andregulatory environments14 Globalization of markets and operationsChanges in business modelsDemands and complexity in laws, rules,regulations, and standardsExpectations for competencies andaccountabilitiesUse of, and reliance on, evolving technologiesExpectations relating to preventing anddetecting fraudUpdated COSO CubePublic exposure of updated Framework : Summary of publicresponses to on-line survey Interest across geographies approximately 50% of respondents from North Americaand 50% from international regions Concurrence that the updated Framework .
6 Will help strengthen systems of Internal control15 Will help strengthen systems of Internal control Provides important considerations of effective Internal control through formalization ofconcepts introduced in the original Framework Appropriately expands the reporting objective Divergent views exist for instance, the updated Framework : May set a higher threshold for attaining effective Internal control May impose additional burden on entities reporting on Internal control Should incorporate aspects of ERM- integrated Framework , , objective settingPublic exposure of updated Framework : Summary ofrevisions arising from comment letters Definition of Internal control Removes modifiers ( , reliablefinancial reporting) from categories of objectives Assessing Effectiveness Clarifies that effective Internal control requires (i) each of the five components andrelevant principles are present and functioning and (ii) the five components are16relevant principles are present and functioning and (ii) the five components areoperating together Modifies classification of Internal control deficiencies into two tiers.
7 (i) major deficiency,which precludes effective Internal control , and (ii) Internal control deficiency Clarifies that points of focus (formerly attributes) are important considerations indetermining whether a principle is present and functioning Removes presumption that points of focus are present and functioning, and clarifies useof judgment in identifying and considering relevant points of focus Principles Clarifies descriptions of several principlesPublic exposure of updated Framework : Summary of otherconsiderations arising from comment letters Objective Setting Retains five components of Internal control Retains view that specifying objectives is part of Internal control but establishingobjectives is not17 Objectives Retains operations, reporting, and compliance objective categories, and expandsdescriptions Retains view that safeguarding of assets primarily relates to operations objectives, andrecognize its consideration within reporting and compliance Retains view that strategic objectives is not part of Internal control Structure and Layout Retains view that the Framework comprises all chaptersPublic exposure of updated Framework .
8 Summary of otherconsiderations arising from comment letters (continued) Enterprise Risk Management (ERM) Retains distinction between ERM and Internal control Retains view that strategy-setting, strategic objectives, and risk appetite are aspects ofERM and not part of the updated Framework18 Retains definition of risk appetite and application of risk tolerance Smaller Entities and Governments Includes excerpts from COSO s Guidance for Smaller Public Entities (Appendix C) Appendix C includes considerations relevant for smaller entities Technology Expands discussion in the points of focus and in several chapters Excludes discussion on specific technologies and associated risks due to rapid pace ofchange of technologyOverview of Illustrative Tools for Assessing Effectiveness ofa System of Internal control Tools include collection of Templates and Scenarios that can assist users whenassessing the effectiveness of a system of Internal control based on the requirementsset forth in the updated Framework Templates help management present a summary of assessment results and itsdetermination of whether components and principles are present and functioning19determination of whether components and principles are present and functioning Scenarios illustrate how Templates can be used to support an assessment ofeffectiveness of a system of Internal control , including.
9 Is a component and relevant principles present and functioning? Are the five components present, functioning and operating together in an integratedmanner? Illustrative Tools do not replace or modify the updated FrameworkOverview of Internal control over External20 Financial Reporting: A Compendium ofApproaches and ExamplesOverview of ICEFR Compendium Types of external financial reports financial statements for external purposes andother external financial reporting derived from an entity s financial and accountingbooks and records Suitable objectives financial reporting rules and standards form the basis uponwhich management specifies suitable objectives for the entity and subunits21which management specifies suitable objectives for the entity and subunits Judgment proper application of suitable objectives to the entity s transactionsmitigates risk of material misstatement. Overlapping objectives operations, compliance and non-financial reportingobjectives may overlap or support the external financial reporting objective Deficiencies in Internal control material weakness and significant deficiency reflectdefinitions established by regulators for Internal control over financial reporting Smaller entities principles are suitable and presumed relevant for all entities, andsmaller entities may apply these principles using different approachesOverview of ICEFR Compendium (continued) Selected Approaches and Examples illustrate various aspects of applying theprinciples in an ICEFR context.
10 Approaches and Examples are intended to assist users in understanding how theupdated Framework can be applied when preparing financial statements for externalpurposes and other external financial reporting22purposes and other external financial reporting Definitions, components, principles, and points of focus are consistent with the updatedFramework Stakeholders should refer to the updated Framework for comprehensive discussion ofan effective system of Internal control Compendium supplements and can be used in concert with the updated Frameworkwhen considering ICEFR23 Public Exposure ProcessPublic exposure of proposed COSO documents COSO released for public comments its proposedInternal control over ExternalFinancial Reporting: Compendium of Approaches and Examples In conjunction with releasing the ICEFR Compendium,COSO made available therevised version of its previously exposed updatedFramework,which incorporatesrevisions arising from consideration of public comment letters24revisions arising from consideration of public comment letters Internal control integrated Framework : Framework and Appendices Internal control integrated Framework :Executive Summary COSO also made available itsIllustrative Tools for Assessing Effectiveness of aSystem of Internal control Public comment period began on September 18, 2012 and ends on November 20,2012 Please more informationCOSO seeks public comments Proposed ICEFR Compendium Will it be useful in applying the updated Framework to your entity s external financialreporting objectives?
