Transcript Document

Updated COSO Framework & Green Book Effective Dates

• COSO: Updated Framework will supersede original Framework at the end of the transition period (December 15, 2014)
• Green Book: GAO's 2014 revision will be effective beginning with fiscal year 2016

What is COSO?

• COSO (Committee of Sponsoring Organizations) of the Treadway Commission
  – American Accounting Association (AAA)
  – American Institute of Certified Public Accountants (AICPA)
  – Financial Executives International (FEI)
  – Institute of Management Accountants (IMA)
  – The Institute of Internal Auditors (IIA)

What is the Green Book?

• Standards for Internal Control in the Federal Government
  – Government Accountability Office (GAO)
  – Comptroller General of the United States
  – “May also be adopted by state, local, and quasi-governmental entities as a framework for an internal control system”

OK so why should I care?

• Auditors are required to gain an understanding of the control framework:
  – COSO Internal Control Framework
  – The Green Book
• Federal Grants & Single Audit
  – The new “Super Circular” adds additional emphasis on internal controls

Link to the Yellow Book

2011 Yellow Book – ¶A.04 discusses that in addition to the COSO framework, Standards for Internal Control in the Federal Government (aka the Green Book) provides definitions and fundamental concepts pertaining to internal control at the federal level and may be useful to auditors at other levels of government. The related “Internal Control Management and Evaluation Tool”, based on federal internal control standards, provides a systematic, organized, and structured approach to assessing the internal control structure.

Internal Controls (200.303)

Topic:
• Strong emphasis on internal controls
• Mentioned 103 times in the 12/26/2013 Federal Register notice

Uniform Guidance Synopsis:
• References “Standards for Internal Controls in the Federal Government”, issued by the Comptroller General (also known as the “Green Book”) and “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)

What Does This Mean?
• While OMB has clarified in an FAQ that there is no expectation that we have to explicitly follow these referenced guidelines (as long as we have effective internal controls in place), it is unclear what the audit community will expect.

Internal Controls (200.303)

The non-Federal entity must:

(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Components of Internal Control
Update principles of effective internal control

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Update principles of effective internal control (continued)

Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

How Various Controls Affect Principles, e.g., Control Environment

Component: Control Environment
Principle 1: A CPA firm demonstrates a commitment to integrity and ethical values

Controls embedded in other components that may affect this principle:
• Information Technology staff tests for data breaches of personally identifiable information continuously (Control Environment)
• Management obtains and reviews data and information underlying potential deviations captured in reports generated immediately upon occurrence (Information & Communication)
• Risk manager separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results and reports thereon (Monitoring Activities)

Update principles of effective internal control (continued)

Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

How Various Controls Affect Principles, e.g., Risk Assessment

Component: Risk Assessment
Principle 7: The Controller identifies risks to the achievement of the objectives across the office and analyzes risks as a basis for determining how the risks should be managed.

Controls embedded in other components that may affect this principle:
• As part of the meetings with senior staff on goals and objectives, risks are noted and potential controls against those risks are brainstormed and initiated if approved by the audit committee. (Risk Assessment)
• The result of the brainstorming is communicated to staff as part of semiannual reviews. (Information & Communication)
• A dashboard of risks is established and is updated with each batch cycle. Employee reviews are completed timely. (Monitoring Activities)

Update principles of effective internal control (continued)

Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

How Various Controls Affect Principles, e.g., Control Activities

Component: Control Activities
Principle 10: The Controller selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Controls embedded in other components that may affect this principle:
• Every two years, the Controller rotates duties among the divisional managers not only to provide them with a broader experience but also to lower the risk of financial reporting fraud. Staff enjoys the rotation as they are not working the same job repeatedly. (Control Activity)
• A report is developed predicting payables over the next 30 days and disseminated to fiscal officers. The payables are compared to encumbrances. (Information & Communication)
• The Comptroller reviews payables that are unusual, above $5,000, or infrequent. (Monitoring Activities)

Update articulates principles of effective internal control (continued)

Information & Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Update principles of effective internal control (continued)

Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

How Various Controls Affect Principles, e.g., Monitoring Activities

Component: Monitoring Activities
Principle 16: The Controller selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Controls embedded in other components that may affect this principle:
• The quality assurance division reports are also transmitted to the division where the problem occurred. Corrective action is taken. If no corrective action is accomplished, the employee’s personnel file contains the issue and, if repeated, it could be grounds for termination. (Control Activity)
• Statistical reports on uses of personally identifiable activity are reported to employees on a monthly basis. All employees are trained semi-annually on when / how / who can access PII. (Information & Communication)
• Reports on detections of improper use of personally identifiable information by employees are escalated to a senior review board that investigates all activities and reacts to breaks in accordance with state law. (Monitoring Activities)

COSO & Green Book

• Required:
  – 5 elements of control
  – 17 principles
• Points of focus (not required) to address when implementing:
  – COSO – 87
  – Green Book – 47 (attributes)

Example Attribute

• Component – Risk Assessment
• Principle – “Management should identify, analyze, & respond to risk related to objectives”
• Attributes to Principle:
  – Identification of Risks
  – Analysis of Risks
  – Response to Risks

Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.

Documentation Requirements

• Control Environment
  – Management develops and maintains documentation of its internal control system.
• Control Activities
  – Management documents in policies the internal control responsibilities of the organization.

Documentation Requirements

• Monitoring
  – Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues.
  – Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis.
  – Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis.

Control Considerations - CE

• Establishment of formal Code of Conduct
  – Communicates appropriate ethical and moral behavior, penalties, and how to communicate when becoming aware of any potential issue.
  – Conflicts of interest – including dealing with suppliers
• Proper hiring & training program (commitment to excellence)
  – Including P&P for hiring, training, promoting, discipline, termination

Control Considerations - CE

• Key areas of authority & responsibility are defined & communicated
• Establishment of Internal audit function
• Establishment of fraud/ethics hotline
  – Properly designed and reporting to proper levels of the government.

Control Considerations - RA

• Brainstorm – include appropriate levels of the organization (always include IT)
  – This means “not” just finance/business
  – Identify risk associated with compliance, operation, & reporting
  – Should not be a once-and-done approach
  – Should consider both entity-wide and activity-level objectives; and internal/external risk

Control Considerations - RA

• Maintain list of items from brainstorming
  – Assess likelihood and significance (benchmark to your entity's risk appetite)
  – Identify corresponding control to address those (significant/likely or combination)
  – Update list with additional areas identified while performing monitoring activities

Control Considerations - RA

• Principle 8 - The organization considers the potential for fraud in assessing risks to the achievement of objectives
• Added emphasis on fraud
• Resources: “Managing the Business Risk of Fraud: A Practical Guide”
  – IT’S FREE!!!!
  – http://www.acfe.com/uploadedfiles/acfe_website/content/documents/managingbusiness-risk.pdf
  – Currently in the process of revision.

Control Considerations - CA

• Don’t forget IT General Controls
  – Password(s)
  – Segregation of Duties
  – Approvals
  – Change Management Controls

Control Considerations - MA

• Ongoing monitoring – regular management and supervisory activities, comparisons, reconciliations, and other routine actions
• Separate evaluations – can be conducted by management or others such as internal auditors or management consultants

Control Considerations – I/C

• Established communication exists to provide appropriate information to individuals related to their responsibility and role in the internal controls process.
• Communication channels exist for employees and management to report issues up the chain to ensure appropriate action is taken.
• Appropriate information is generated to support internal controls.

Large vs Small Entity

OV4.04 The 17 principles apply to both large and small entities. However, smaller entities may have different implementation approaches than larger entities. Smaller entities typically have unique advantages, which can contribute to an effective internal control system. These may include a higher level of involvement by management in operational processes and direct interaction with personnel. Smaller entities may find informal staff meetings effective for communicating quality information, whereas larger entities may need more formal mechanisms—such as written reports, intranet portals, or periodic formal meetings—to communicate with the organization.