COSO Internal Controls Framework


COSO Internal Controls Framework
Understanding COSO 2013: Key Principles for Auditing Internal Controls
Based on Executive’s Guide to COSO Internal Controls
By Robert Moeller
11/14/2018 COSO Internal Controls Framework

Objectives of this AGA Seminar Session
-- To discuss the importance of internal controls for all manual and IT systems and processes
-- To reintroduce the original 1992 COSO internal controls framework
-- To describe the new, recently revised COSO Internal Controls Framework
-- To outline COSO’s 17 internal control principles and why they are important for establishing internal controls
-- To discuss using COSO internal controls in operational and financial internal audits

Early Definitions of Internal Control
-- A common internal and external audit expression, but there was no consistent definition.
-- Things changed with the financial scandals of the 1970s, resulting in the FCPA and other attempts to better define the concept.
-- After SEC moves to better define the process, the AICPA, IIA, FEI, AAA, and IMA pitched in.
-- They formed the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which released a definition or framework to define internal control in 1992.

COSO 1992 Definition of Internal Control
Internal control is a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
-- Effectiveness and efficiency of operations
-- Reliability of financial reporting
-- Compliance with applicable laws and regulations

Original 1992 Framework: COSO Internal Controls

The 1992 COSO Framework Today
-- COSO internal controls became a Sarbanes-Oxley requirement and have been accepted worldwide
-- IT processes have changed considerably since 1992 – the original framework dates to the days of mainframe systems and no Internet
-- Many changes and greater complexities in business operations with increased globalization of markets and operations
-- Increased laws, rules and standards
-- Original framework gave little attention to fraud detection, risk management, or enterprise governance
-- COSO is a Framework, not a standard or requirement
-- Serving as a measure for building effective internal control processes, the 1992 COSO Internal Controls framework was finally revised in 2014

The New, Revised COSO Internal Controls Framework
-- Authored by PwC under direction of COSO Board
-- Draft framework released in 2012, followed by extensive reviews
-- Final release in May, 2013 with 3 companion elements
-- December, 2014 Implementation Requirement

The Revised COSO Internal Controls Framework
Looks similar but with subtle changes.

The Revised COSO Framework: What Has Changed
-- Emphasis on financial and nonfinancial controls
-- Addresses internal and external financial reporting
-- Focus on 17 internal control principles, including the:
   -- Control Environment
   -- Risk Assessment
   -- Internal Control Activities
   -- Information and Communication Needs
   -- Internal Control Monitoring Activities
-- Needs to better consider the three-dimensioned nature of overlapping internal controls
-- Emphasis on Governance, Risk and Compliance (GRC) concepts

COSO’s 17 Internal Control Principles
-- Going beyond the general concepts in the original 1992 framework, an entity should demonstrate that it has effective internal controls in place for each of the 17 identified principle areas.
-- Each of these Principles should be operating and in place for the GRC internal control elements shown on the top of the COSO cube.
-- The principles apply to all levels of business units, from the overall entity to separate departments, as shown on the right side of the cube.

COSO Internal Control Relationships

COSO’s 17 Internal Control Principles: The Control Environment
1. Commitment to integrity and ethical values
2. Independent board of directors oversight
3. Structures, reporting lines, authorities and responsibilities
4. Attract, develop and retain competent people
5. People held accountable for internal control

COSO’s 17 Internal Control Principles: Risk Assessment
6. Clear objectives specified
7. Risks identified to achievement of objectives
8. Potential for fraud considered
9. Significant changes identified and assessed

COSO’s 17 Internal Control Principles: Control Activities
10. Control activities selected and developed
11. General IT controls selected and developed
12. Controls developed through policies and procedures

COSO’s 17 Internal Control Principles: Information and Communication
13. Quality information obtained, generated and used
14. Internal control information internally communicated
15. Internal information externally communicated

COSO’s 17 Internal Control Principles: Monitoring Activities
16. Ongoing and/or separate evaluations conducted
17. Internal control deficiencies evaluated and communicated

COSO’s 17 Internal Control Principles and the ISACA Professional
-- COSO is more than financial reporting controls
-- Relate these principles, as appropriate, to IT security and internal control issues
-- Ascertain that all SOX internal control reviews are consistent with these principles

The COSO Framework from a Different Perspective

GRC Governance Elements: An Important Part of COSO Internal Controls

COSO Internal Controls and Internal Audit
-- Internal auditors should take a hard look at their existing audit processes to determine that internal controls are adequately authorized, installed and tested.
-- COSO’s 17 Principles are important. Make certain they are installed and effective as part of virtually all operational and financial internal audit reviews.
-- The COSO framework is integrated over three dimensions. Internal audit should plan audits that are not just focused on one narrow area or objective but should broaden audit scopes to reflect the COSO framework.

COSO Internal Controls and Other Standards
-- The revised internal controls framework does not impact COSO ERM (Enterprise Risk Management). The two frameworks will continue to exist in a parallel manner.
-- The COSO internal control framework’s 17 Principles are important. Make certain they are installed and effective as part of virtually all operational and financial internal audit reviews.
-- COBIT maps very well to the revised COSO framework. Consider using COBIT for internal control assessments.

COSO Internal Controls Framework

COSO Implementation Requirements
-- Per COSO, enterprises should transition their applications and documentation to the 2013 framework “as soon as possible”
-- Time is now short as the 1992 framework will be considered superseded after December 15, 2014
-- Compliance with the revised COSO framework is tied to an entity’s Sarbanes-Oxley internal control assertions
-- Whether large or small, the new COSO framework will mean at least some additional work for internal auditors, their audit committees, and senior management

Other COSO Implementation Issues
-- The revised internal controls framework is closely aligned with ITIL Service Management best practices.
-- The revised COSO framework presents a better fit to appropriate ISO standards.
-- There have been no changes to the COSO Enterprise Risk Management (ERM) framework with the revised COSO Internal Controls.

Updated COSO Framework Importance for Audit Professionals
-- March 26 ISACA press release described the importance of integrating COSO with COBIT 5
-- The IIA’s Career Compass March newsletter discussed the Importance of Rising to the Challenge for the new COSO framework
-- Bottom Line: Get up to Speed

Remember! COSO Enterprise Risk Management Framework
[Figure: COSO ERM cube, labelled Objectives, Risk Components, Entity & Unit Level Components]

Questions and Comments
Robert Moeller
rmoelle@ameritech.net