Transcript
Slide 1
What is COSO? Well COSO stands for the Committee of
Sponsoring Organizations of the Treadway Commission. This committee was
voluntarily established in 1985 by five financial professional
associations to examine the factors that lead up to fraudulent financial
information. From this study the group developed the COSO framework
which is a methodology for evaluating an organization’s internal control
structure. This group is dedicated to improving the quality of financial
information through better business ethics, solid internal control
framework and corporate governance. COSO is the only internal control
framework that is referred to by the SEC rules.
Slide 2
COSO’s definition of
internal controls is … “A process, effected by an entity's
board of directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives.”
Slide 3
An internal control structure is
essentially safeguards in the form of policies and procedures
established by management to provide reasonable assurance that the
objectives of the organization is met. This structure is internal to the
organization and is designed, implemented and monitored by management.
It is important that you take note here. Internal Controls are
management’s responsibility and not the auditor or the SEC.
Slide 4
There are five basic categories of
internal controls:
Accurate accounting records
Safeguard of assets
Effective and Efficient Operations
Management Policies
Compliance with applicable laws and regulations
Accounting records must be based upon reliable and verifiable
information. People are making big dollar decisions based upon that
information and they are relying upon it to be correct. In order for a
business to continue doing business they must have access to their
assets or resources such as cash, equipment, reputation, etc. Good
internal controls protect those assets from theft and damage. Internal
controls are also important in optimizing operations by reducing
duplication of effort or waste. These controls also must be effective at
ensuring management policies and procedures are followed.
Slide 5
And finally internal controls are
important in ensuring that employees and managers follow all applicable
laws and regulations. One such law is the Foreign Corrupt Practices Act
of 1977. This act requires publicly traded companies to keep accurate
records and have an adequate system of internal controls.
Slide 6
Now that we have looked at the basic
categories of internal control lets look at the five basic components.
Control Environment
Risk Assessment
Control activities
Information and communication
Monitoring
Slide 7
This slide shows the control environment
as an umbrella that protects the other four components. With out a solid
control environment the other components of internal control are either
severely weakened or completely eliminated.
Slide 8
So what is the control environment? The
control environment is essentially the overall attitude of top
management. You can say management sets the stage with their actions,
policies and procedures. They set a tone for the rest of the
organization. The control environment is the soul of management’s
philosophy and operating style. We refer to this as the “tone at the
top”. Essentially if management is secretive and underhanded with how
they treat employees and customers, you can be sure that the entire
organization reflects that thinking. However, an organization whose top
management stresses the importance of integrity and transparency and
sets a good example for their subordinates will have an organization
that displays these qualities.
Slide 9
A good control
environment has a clear organizational structure. Good organizational
structures show clear lines of authority and responsibility. When
everyone knows what they are responsible and accountable for the
organization runs much smoother. There is also a commitment to
competence. Organizations that hire individuals with little to no
experience into key control positions such as safety officer and
internal auditor are demonstrating that they have little regard for the
importance of the position. In fact it suggests a desire to weaken the
position.
Another important characteristic of a
good control environment is the existence of an audit committee. More
specifically the existence of an audit committee who is comprised of
individuals external to the organization.
And of course we can’t forget integrity
and strong ethical values. Although this goes without saying…management
needs not only to behave with integrity and ethical values they should
also reiterate to their subordinates the importance of integrity and
sound ethical values.
Slide 10
The next component on
our list is risk assessment. It is important that management routinely
assess their organization for possible risks that could sink or cripple
the organization. Once risks are identified they can be minimized or
eliminated. You yourself conduct risk assessment everyday. For instance
when you look both ways before crossing the street you are essentially
assessing whether there is a risk of being run over should you cross the
street at this point in time.
Slide 11
The next component on our list is control
activities or policies and procedures designed and implemented by top
management. You can break control activities down into five categories.
Segregation of duties
o This is where authorization, recording and physical control of assets
are divided amongst different individuals so that no one person controls
two or more of these duties for a given asset.
o For instance, one person should open the mail and separate out the
checks, another should record the checks and another person should make
the deposit. Good segregation of duties reduces potential theft of the
checks.
Proper procedures for authorization
o This outlines clearly who has the authority to make certain decisions
o For instance, clear procedures for credit approval
Adequate documents and records
o It is important that complete documentation is maintained to support
transaction records.
o For instance, invoices with clear and understandable information need
to be available to support a claim against the organizations assets or
resources. In other words someone with little to no previous knowledge
about the transaction should be able to look at the supporting
documentation and be able to understand the transaction and its business
purpose. What do I mean by business purpose? I mean that the use of the
resources are important and necessary to the operations of the company.
Physical control over assets and records
o Essentially this category has to do with securing resources so that
they are available for future use.
o For instance, a safe or vault secures cash from theft so that it can
be available for use by the company tomorrow and the next day after
that, etc.
Finally Independent checks on performance
o To ensure that all the controls that have been designed and
implemented are actually functioning as designed…someone needs to check
or monitor these controls.
o For instance, managers need to check employees work for completeness
and accuracy.
Slide 12
The second to last component is
information and communication. The dissemination of general and critical
information is essential to the well being of an organization. In order
for a company to react to immediate opportunities and threats there
needs to be a reliable system that can quickly communicate information
to the appropriate people.
As with general information, an
entity’s accounting information and communication system must be able to
identify, assemble, classify, analyze, record, and report the entity’s
transactions to the decision makers. These decision makers need
confidence in this system in order to make the best decisions for the
organization.
Slide 13
Good accounting information and
Communication systems have seven control objectives
1. the information can be validated
2. transaction authorization is complete
3. the elements of the transaction are complete…for instance all source
documents are available to support the transaction
4. classification follows the organizations guidelines
5. the information is timely for any relevant decisions
6. the information has correct valuation
7. and finally the information is posted and summarized into useful
reports
Slide 14
The final component of internal controls
is monitoring. Management needs to regularly check internal controls to
assure themselves that the controls are still functioning as designed.
It is also important that internal controls are routinely evaluated and
modified as appropriate for changes in business conditions.
|