DOCSLIB.ORG

COSO Internal Control Framework Summary with RF Examples Component Principles Point(S) of Focus Examples

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
COSO Internal Control Framework Summary with RF Examples Component Principles Point(S) of Focus Examples COSO Internal Control Framework Summary with RF Examples Component Principles Point(s) of Focus Examples Management attitude, values and control, 1.1 Tone at the Top consciousness of personnel; Importance of integrity and ethical values 1.2 Mission Statement Identifies organization's purpose 1. Demonstrate commitment to integrity and ethical Expectations of Board and Sr. Mgmt values concerning integrity and ethical values are defined and understood by all levels of 1.3 Standards of conduct organization, aw well as outside sources with processes in place to evaluate performance against expected conduct Unethical, immoral, etc. activities 1.4 Address deviations timely addressed appropriately and timely Board of Directors, Supervisory Board, 2.1 Oversight structure defined etc. Appropriate decisions to achieve 2.2 Applies relevant expertise objectives 2. Exercise oversight of the internal control program 2.3 Operates independently Independent from organization Oversees management design, 2.4 Oversight of the internal control program implementation, operation of the internal control program Document the "Who, What, Where, 3.1 Internal Control Program documented When, Why" of the internal control program Control Environment 3. Establish structure, reporting, authority, 3.2 Reporting lines established Reliably report quality information responsibilities Provides ownership of the control 3.3 Assign responsibility and delegation of authority program and ensures segregation of duties Appropriate policies and procedures 4.1 Establishes Policies and practices ensure all applicable risk has been addressed Organization has identified competence 4.2 Addresses competence gaps gaps and either established mitigating 4. Demonstrate commitment to competent activities or fills the gaps personnel 4.3 Retains competent employees Organization is identifying areas of 4.4 Succession planning possible retirements and developing capable employees to assume those roles 5.1 Enforces accountability 5.2 Establishes performance measures 5.3 Evaluates performance measures Difficult economies can place undue 5. Enforce accountability pressure on employees; the organization 5.4 Aware of outside pressures has identified those positions that are susceptible to outside pressures and established appropriate controls 5.5 Evaluates performance COSO Internal Control Framework Summary with RF Examples Component Principles Point(s) of Focus Examples 6. Identification and assessment of risks related to: Management identifies strategic goals 6.1 Reflects managements choices and objectives Company defined risk appetite and risk 6.2 Considers risk appetite tolerance; based on organizational risk and ERO risk - Operations Objectives Financial goals and operational goals are 6.3 Includes operations/financial goals identified and communicated to personnel Resources are reviewed and committed to meet organizational objectives; 6.4 Basis to commit resources controls are designed as a benefit to the organization All financial standards and reporting 6.5 Complies with accounting standards expectations are met When identifying risk, materiality is taken -External Financial Reporting Objectives 6.6 Considers materiality into consideration and appropriate controls designed 6.7 Reflects entity activities Operational reports meet Standard and 6.8 Complies with external Standards and frameworks governmental expectations 6.9 Considers level of precision -External non Financial Reporting Objectives Reports clearly and appropriately identify 6.10 Reflects entity activities organizational activities and evidence compliance Management identifies reporting goals 6.11 Reflects managements choices and objectives 6.12 Considers level of precision -Internal Reporting Objectives Clearly reflects and reports organizational 6.13 Reflects entity activities activities 6.14 Reflects external laws and regulations Risk Assessment -Compliance Objectives Company defined risk appetite and 6.15 Considers risk appetite controls are designed with a cost benefit in mind Entire organization involved in identifying 7.1 Includes entity, division, operating unit and risk and risk levels; all levels of employees functional levels are empowered to identify risk within their area 7.2 Analyzes internal and external factors 7. Risks identified throughout the organization, and All levels of management are involved in determines how to address the risks. 7.3 Involves appropriate levels of management identifying the risks for their areas of responsibility Identified risks are ranked in order, with a 7.4 Risk ranks identified risks defined, documented methodology 7.5 Identifies mitigation activities Examples of fraud: Asset 6.21 Considers various types of fraud misappropriation, sharing passwords to avoid license fees, etc. Considers outside pressures and ensures 6.22 Assesses incentives and pressures appropriate incentives are provided, 8. Considers the potential for fraud especially in a difficult economy Organization is aware of possible fraud 6.23 Assesses opportunities opportunities and looking for new possible fraud attempts 6.24 Assesses attitudes Aware of the "pulse" of the organization Organization is aware of external changes 6.25 Assess external changes and ensures that all areas of the change are identified and addressed Business model is reviewed to ensure it is 9. Identify and assess changes that could impact still appropriately addressing value 6.26 Assess changes in the business model internal control creation, costs, revenue, etc. and filtered through all applicable controls Changes to leadership initiate a review of 6.27 Assesses changes in leadership all areas to determine new leadership impact COSO Internal Control Framework Summary with RF Examples Component Principles Point(s) of Focus Examples 10.1 Controls address risk raised by Standards, Rules of Procedure and organizational risk assessment. Controls identify key activities and provide strategy by providing time frames 10.2 Controls address entity objectives and identify and appropriate secondary controls the timeframe Ensure controls exist to mitigate all risk raised by the Requirement/RoP/risk; identifying all inputs needed, what the 10.3 Design appropriate types of controls control produces, who owns the process, etc.; utilize Flashcards to identify and/or 10. Design appropriate control activities strengthen key controls Designed at functional level, entity level or both; ensure that all personnel 10.4 Ensure all functions/levels are included involved in the control are included in the identification/design of the control Control activities related to handling any assets or process designed so that no one 10.5 Consider Segregation of Duties individual controls all key aspects of the event; if not possible, insert reviews at key points of the activity/process An automated process includes both manual and technology-enabled 11.1 Controls for application system(s) information processes; it would include controls for: completeness, accuracy, validity For automated processes there are two types of controls: general and application specific. General controls: security mgmt., Control Activities logical/physical access, configuration 11.2 Appropriate types of controls mgmt., segregation of duties, contingency planning. Application specific controls: input, processing, output, master file, interface, data management 11. Design control activities for automated processes Controls for automated process infrastructure to support completeness, 11.3 Controls for application system infrastructure accuracy and validity of information; this would include reconciliation of the data. Controls to guard against unauthorized access; information safeguarded against improper modification/destruction; 11.4 Design of security management ensuring information nonrepudiation and authenticity; information is readily available, i.e., password controls, unique IDs, limited access, review logs, etc. Each control is assigned to a position, thus ensuring when personnel are absent, all 12.1 Document responsibilities applicable controls assigned to the position are performed consistently Determine appropriate implementation 12.2 Outline how the control is to be implemented (i.e., OJT, formalized training, etc.) 12. Implement controls Determine if only initial training is needed 12.3 Ensure appropriate training or periodic training Review policies and procedures to determine if any changes are needed due 12.4 Periodic review of policies and procedures to: organizational changes, technology changes, personnel changes, etc. COSO Internal Control Framework Summary with RF Examples Component Principles Point(s) of Focus Examples What is needed to perform the activity 13.1 Identifies information requirements and where do you go to get it? All sources, internal and external, are 13.2 Identifies external and internal sources of data identified; external sources are vetted Data is reviewed for relevancy; data obtained from outside your control is 13.3 Utilizes relevant data 13. Uses quality information validated to ensure accuracy and sufficiency Uses validated data; data obtained 13.4 Maintains quality outside of your control is validated to ensure quality The control doesn't cost more than the 13.5 Considers costs and benefits benefit of the control Internal customers are identified and the 14.1 Communicates internal information means to communicate the information are established 14.2 Communicates at all levels of the organization Escalates information as needed, timely 14. Communicates
Load more

Recommended publications
  • Tone-At-The-Top-December-2019.Pdf
    ® TONE at the TOP Providing senior management, boards of directors, and audit committees Issue 96 | December 2019 with concise information on governance-related topics. The Governance Benchmark There is a significant disconnect between our assessments of governance and true governance effectiveness. It’s time to determine why our governance evaluations are often wrong and what we can do to fix the problem. We have entered an age of nonstop performance measurement. Throughout the world, teams of managers, auditors, and consultants are using disciplined, data- driven approaches such as Six Sigma, Kaizen, and Lean to evaluate business performance. The reason is simple: The Measurement Challenge Running a company without measurement is like trying to improve your golf game without keeping score. You’ll It is difficult to measure corporate governance. It probably get results, but they are unlikely to be what you encompasses all of the systems by which organizations wanted. As management guru Peter Drucker pointed out, are directed and controlled, and some of those systems if you can’t measure it, you can’t improve it. That’s why are difficult to quantify. Governance is more than policies we use standards, benchmarks, evaluation forms, and and procedures. It’s about how we make decisions, scorecards to evaluate virtually every aspect of business establish objectives, and monitor their achievement. performance — with one very significant exception. It’s about working relationships and how we motivate, discipline, and reward behaviors. What’s more, effective Most companies still don’t measure their overall system of governance is constantly under construction. Regulations corporate governance.
    [Show full text]
  • Corporate Compliance and Business Conduct Program
    CORPORATE COMPLIANCE AND BUSINESS CONDUCT PROGRAM 2020 ANNUAL REPORT CONTENTS Introduction Monitoring and Auditing Welcome from the CECO . .1 Confidential Reporting ...................................9 Xcel Energy’s Vision, Mission and Values ...................1 Anti-Retaliation........................................10 Purpose .............................................2 Allegations of Wrongdoing ..............................10 Significant Allegation Process ............................10 Oversight Investigation Data .....................................10 Tone at the Top........................................3 Audit Services . 10 Investigations Governance...............................3 Board of Directors .....................................4 Incentives and Discipline Audit Committee ......................................4 Positive Discipline .....................................12 Governance, Compensation and Nominating Committee (GCN) . 4 Incentives............................................12 Chief Ethics and Compliance Officer.......................4 Quarterly Connections..................................12 Director of Corporate Compliance .........................4 Violating the Code of Conduct............................12 CCBC Council.........................................4 Investigations Governance Committee .....................5 Due Diligence VP Oversight Team ....................................5 Conflict of Interest Disclosure ............................13 Compliance Tools......................................5
    [Show full text]
  • Accounting Fraud at Xerox Corporation: Ethical Considerations1
    Accounting Fraud at Xerox Corporation: Ethical Considerations1 Amy Butala Eastern Michigan University Zafar U. Khan Eastern Michigan University Management at Xerox Corporation faced with strategic mistakes and tough economic environment resorted to creative accounting to meet financial targets and Wall Street expectations. This case presents a brief history of Xerox Corporation, followed by Xerox’s corporate culture in the 1980s & 90s, and the SEC investigation. The focus of the case is the actions of an assistant treasurer that top management used to guide Xerox through tough economic times and help make financial results appear more favorable. A teaching note is included. The case may also be used for exploring strategic issues or accounting issues and the mechanics of GAAP violations. Keywords: Xerox, Accounting Fraud, Ethical Issues, Code of Ethics, Professional Behavior XEROX HISTORY Xerox Corporation (Xerox) was founded in 1906 in Rochester, New York as The Haloid Company. It started making and selling photographic paper. Chester Carlson made the first xerographic image in his lab in Astoria, Queens, New York City in 1938 and was granted a patent for his electro-photography technology, which was later, changed to xerography (for the ancient Greek words for “dry and “writing”). In 1942 Carlson perfected a process for transferring electrostatic images from a photoconductive surface to paper. In 1948 the word “Xerox” was trademarked. Haloid commercialized xerography in1949 with the Model A copier and the Xerox Copyflo in 1956. By that time xerographic products represented 40% of sales. The company name was changed to Haloid Xerox in 1958. In 1959 the first simplified office photocopier was developed, called the Xerox 914, bringing the company major recognition.
    [Show full text]
  • Call for Papers Accounting Ethics and Tone at the Top Centre for Accounting Ethics, University of Waterloo Journal of Business Ethics Special Issue Symposium
    Call for Papers Accounting Ethics and Tone at the Top Centre for Accounting Ethics, University of Waterloo Journal of Business Ethics Special Issue Symposium Dates: 18-20 April, 2013 Location: Toronto, Canada Symposium Link: http://accounting.uwaterloo.ca/ethics/EthicsSymposium.htm Guest Editors: Sally Gunz, Centre for Accounting Ethics, School of Accounting and Finance, University of Waterloo, Canada Linda Thorne, Schulich School of Business, York University, Canada Organizing Committee, Centre for Accounting Ethics University of Waterloo, Canada: Sally Gunz Theresa Libby Linda Robinson Scope of Special Issue: The theme of this Issue and its supporting Symposium is an intentional challenge to the academic accounting ethics discipline. There is a growing literature exploring issues of tone at the top particularly as it impacts governance. An understanding of managerial values and intent goes to the heart of the services the accounting profession provides and this is reflected in at least two distinct streams in the literature. The challenge laid down by this Symposium and call for papers is to consider tone at the top in its broadest sense; to identify those questions to date unexplored and to investigate the interactions between existing paradigms. The role of tone at the top and its interaction with accounting has a long history. The first recommendation of the Treadway Commission for the public company in 1987 addressed ‘the tone set by top management’ (NCFFR, 1987). It was one of three key elements the Commission identified ‘within the company of overriding importance in preventing fraudulent financial reporting’ with the other two being Internal Audit and Audit Functions and the Audit Committee (p.
    [Show full text]
  • Internal Audit of Tone-At-The-Top and WFP's Leadership Arrangements
    Internal Audit of Tone-at-the-Top and WFP’s Leadership Arrangements Office of the Inspector General Internal Audit Report AR/20/01 January 2020 Office of the Inspector General | Office of Internal Audit Contents Page I. Executive Summary 3 II. Context and Scope 6 III. Results of the Audit 8 Annex A – Summary of Observations 27 Annex B – Definitions of Audit Terms: Ratings and Priority 29 Annex C – Acronyms 32 Report No. AR/20/01 – January 2020 Page 2 Office of the Inspector General | Office of Internal Audit I. Executive Summary Tone-at-the-Top and WFP’s Leadership Arrangements 1. As part of its annual work plan, the Office of Internal Audit conducted an audit of Tone-at-the-Top in WFP that focused on the period 1 October 2018 to 30 September 2019. The audit team conducted the fieldwork from 14 to 25 October 2019 at WFP Headquarters in Rome, Italy. The audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing. One of internal audit’s key responsibilities is to assess the adequacy and effectiveness of the internal control environment directly impacted by tone-at-the- top and culture, and the conduct that arises from employees acting out and exhibiting their interpretation of the values of that culture. 2. The culture of an organization drives how it conducts business and executes its strategies. Tone-at-the-Top is one of four points of focus for the Control Environment of an organization applying the COSO1 Internal Control Framework. This Framework states: In ‘setting the Tone-at-the-Top’ the board of directors and management at all levels of the entity demonstrate through their directives, actions and behaviours the importance of integrity and ethical values to support the functioning of the system of internal controls.
    [Show full text]
  • Transparency Report 2020
    Transparency Report 2020 January 2021 kpmg.co.im © 2021 KPMG LLC, an Isle of Man limited liability company and a member firm of the KPMG network of independent member firms 0 affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. Document Classification: KPMG Confidential Contents 1. Message from our Senior Partner 2 2. Who we are 4 2.1 Our businesses 5 2.2 Our strategy 5 3. Our structure and governance 6 3.1 Legal structure 7 3.2 Name, ownership and legal relationships 7 3.3 Responsibilities and obligations of member firms 7 3.4 Governance structure 8 4. System of quality control 9 4.1 Tone at the top 11 4.2 Leadership responsibilities for quality and risk management 11 4.3 Association with the right clients 12 4.4 Clear standards and robust audit tools 14 4.5 Recruitment, development and assignment of appropriately qualified personnel 21 4.6 Commitment to technical excellence and quality service delivery 23 4.7 Performance of effective and efficient audits 25 4.8 Commitment to continuous improvement 27 5. Financial information 31 6. Partner and Director remuneration 33 7. Network arrangements 35 7.1 Legal structure 36 7.2 Responsibilities and obligations of member firms 37 7.3 Professional Indemnity Insurance 37 7.4 Governance structure 37 7.5 Area Quality & Risk Management Leaders 37 8. Statement by the Board of KPMG Isle of Man on the effectiveness of quality controls and independence 38 Appendix 1 Key legal entities and areas of operation 40 Appendix 2 Board of KPMG LLC 42 Appendix 3 EU Public interest entity listing at 30 September 2020 44 Appendix 4 The KPMG Values 46 Appendix 5 Quality in our Tax Practice 48 © 2021 KPMG LLC, an Isle of Man limited liability company and a member firm of the KPMG network of independent member firms 1 affiliated with KPMG International Limited, a private English company limited by guarantee.
    [Show full text]
  • Leading with Integrity
    Leading with Code of Integrity Conduct Dear Sprint team , Success is only meaningful when it is achieved the right way, with the right values. It’s more important than ever that we act with integrity, put our customers first and adhere to high ethical standards in our business conduct. I’m proud that we’re known as a trustworthy company, which requires each of us to do the right thing every day. The Sprint Code of Conduct outlines our ethical and legal responsibilities as employees, as well as our interactions with customers, competitors and suppliers. One of our most valuable assets is our reputation for honesty and fairness, and I appreciate your commitment to uphold this responsibility. By creating an environment of trust and understanding, we also are respecting each other. When in doubt, don’t hesitate to speak up, ask questions and take action. Thank you for everything you do to take pride in your work and help Sprint stand out as an ethical leader. Page 2 Ethics Helpline: 913-794-1666 or 800-788-7844 Table of Contents Leading with Integrity – Employee Privacy 12 Investments and Financial Opportunities 22 The Way We Do Business Employee Relations and Discrimination 12 Investments in Competitors 22 Investments in Other Companies 23 Harassment 13 Initial Public Offerings or 23 Workplace Safety 13 Foundation of Integrity 4 Preferential Allocations Safety and Health 13 Sprint Code of Conduct 4 Procurement 23 Drugs and Alcohol 14 Making Ethical Decisions 4 Violations and Consequences 5 Integrity with Our Customers Integrity in Our Communities
    [Show full text]
  • CODE of ETHICS Sept 2014 FINAL
    CODES OF CONDUCT: HOW TO ESTABLISH THE RIGHT TONE It is important that nonprofit leaders maintaining high standards, this attitude maintain the highest ethical standards for could be observed and mirrored by their organizations. Given today’s employees and volunteers. difficult business climate and greater scrutiny of nonprofits, an organization’s B. Duty of Obedience reputation for integrity and good stewardship are more critical than ever. The first expectation that the directors must meet and set for others is the duty One basic step an organization can take of obedience. As part of the duty of to establish and maintain high ethical obedience, directors, officers, employees standards is to adopt a code of conduct, and volunteers must act in a manner also known as a code of ethics. The consistent with the code of conduct, as purpose of the code is to set forth the well with as the provisions of the organization’s values and to make clear organization’s articles of incorporation, that everyone involved in the bylaws, and the organization’s tax- organization is expected to act in exempt status. They should be familiar accordance with those values. with the organization’s mission and strive to uphold that mission at all times. A. The Tone at the Top Finally, they must comply with all federal, state and District of Columbia The first step is for the Board to laws as they apply to the organization. establish an appropriate “tone at the top.” The “tone at the top” refers to the C. Contents of the Code ethical climate created in an organization by its leadership.
    [Show full text]
  • Setting the Tone at the Top
    New standards Setting the tone at the top 30 March 2017 10 questions for audit committees In a matter of months, the biggest changes in accounting for more than a decade will come into effect, but our research shows that the vast majority of companies aren’t ready. Progress varies by geography and by industry. But overall, it’s clear that a considerable amount of work still needs to be done. You, as an audit committee member, have a crucial part to play. Regulators are expecting high-quality implementation, and your role is to set the right tone at the top Mark Vaessen and oversee implementation. Partner KPMG International Urgency calls for action For companies with December year ends, the new revenue and financial instruments requirements are effective in less than nine months, so it’s time to step up your efforts on the implementation of these mandatory requirements. Management will implement the new requirements, but the audit committee is tasked with the crucial oversight role: to evaluate management’s progress, challenge the judgements and assess the controls. You need to be on top of the judgements I regularly speak with regulators and clients about the challenges of implementation. My key recommendation is not to underestimate the sheer volume nor the complexity of new judgements and estimates that the new standards introduce – whether in the context of the new expected credit loss model under IFRS 9, or in determining how many performance obligations a customer contract contains and how much revenue to allocate to each performance obligation under IFRS 15.
    [Show full text]
  • The Tone at the Top Ten Ways to Measure Effectiveness
    The tone at the top Ten ways to measure effectiveness Deloitte Forensic Center 1 in 4 to 1 in 20.”1 (The Importance of Ethical Culture, If an entity’s “tone at the top” could be measured and Increasing Trust and Driving Down Risks, p 8, Ethics correlated with higher earnings quality and lower rates of Resource Center, 2010) financial reporting fraud and other serious wrongdoing, Research and the evolution of practices suggest that evaluating the tone at the top is well established in what directors would not want to measure that tone? certain entities, but there are still many entities that do not do it. Also, the evaluation methods used may be If similar techniques could be used to identify a division, able to be improved in many cases. a subsidiary, or a geographic area where employees 1 The Importance of Ethical Culture, Increasing Trust and Driving Down believe management is paying lip service to compliance Risks, p. 8, used with permission of the Ethics Resource Center. and ethics but did not “walk the talk” in their day-to- day actions, what compliance and risk management executives would not want to know where that was occurring and take remedial action before serious “The findings also indicate that tone wrongdoing could affect the entity as a whole? at top perceptions and audit A supplemental research report for the 2009 National committee quality are positively Business Ethics Survey states that, “In stronger as opposed to weaker cultures, pressure [to commit associated with earnings quality.” misconduct] is reduced from 16 to 4 percent…; rates of misconduct are roughly halved from 77 to 40 percent; Professors James E.
    [Show full text]
  • Internal Controls: the Key to Accountability*
    Internal Controls: The Key to Accountability* *connectedthinking Internal Controls: The Key to Accountability By John A. Mattie, Paul F. Hanley, and Dale L. Cassidy About the Authors John A. Mattie is PricewaterhouseCoopers' National Education & Nonprofit Practice Leader. He has over 25 years of diversified audit and consulting experience with particular expertise serving public and private research universities as well as independent schools and other types of not-for-profit organizations. Previously, John led PricewaterhouseCoopers' education consulting practice. His current role combines his audit and consulting leadership skills. Paul F. Hanley is a PricewaterhouseCoopers audit partner who specializes in serving colleges, university, not-for-profit and government organizations. He is one of the Firm’s top national technical consultants, especially concerning issues affecting public colleges and universities. Dale L. Cassidy is a director in PricewaterhouseCoopers’ Education Advisory Services practice. He specializes in advising colleges and universities about risk and control issues, such as those raised by the Sarbanes-Oxley Act of 2002. The authors have written numerous publications including: The upcoming second edition of Understanding Financial Statements: A Strategic Guide for Independent College and University Boards, which is expected to be published by the Association of Governing Boards of Universities and Colleges (AGB) in 2005 Meeting the Challenges of Alternative Investments, published by PricewaterhouseCoopers in 2004
    [Show full text]
  • Investigations, Inspections, and Audits in the Post-SOX Environment
    Nebraska Law Review Volume 86 Issue 1 Article 3 1-2007 Investigations, Inspections, and Audits in the Post-SOX Environment Thomas C. Pearson Shidler College of Business, University of Hawaii Gideon Mark New York City Follow this and additional works at: https://digitalcommons.unl.edu/nlr Recommended Citation Thomas C. Pearson and Gideon Mark, Investigations, Inspections, and Audits in the Post-SOX Environment, 86 Neb. L. Rev. (2007) Available at: https://digitalcommons.unl.edu/nlr/vol86/iss1/3 This Article is brought to you for free and open access by the Law, College of at DigitalCommons@University of Nebraska - Lincoln. It has been accepted for inclusion in Nebraska Law Review by an authorized administrator of DigitalCommons@University of Nebraska - Lincoln. Thomas C. Pearson* and Gideon Mark** Investigations, Inspections, and Audits in the Post-SOX Environment TABLE OF CONTENTS I. Introduction to Audited Financial Information and Related Litigation ..................................... 44 II. The Impact of SOX on Financial Information and Its R eliability ............................................ 53 A. Significant Improvements in Accountability from SO X .............................................. 54 B. SOX' Significant Ripple Effects .................... 64 III. Investigations, Inspections, and Audits of Financial Inform ation ........................................... 70 A. Internal Investigations of Financial Reporting and D isclosure ......................................... 70 B. SEC's Informal Inquiries and Enforcement
    [Show full text]