CPAexcel COSO - 17 Principles of IC

17 Principles of Internal Control

I. COSO Internal Control Principles

A. The most recent COSO model (released as an exposure draft in 2011) includes 17 control principles that are organized around the five fundamental components of an internal control system.

Note: The good news is that, as COSO notes, these principles are largely redundant with previous principles found in COSO documents, and, in some cases, with one another. Much of the "new" COSO content is found in other CPAexcel lessons.

B. Control environment — 5 principles

1. The organization demonstrates a commitment to integrity and ethical values. Specifically, management:

a. Sets and demonstrates (through actions) an ethical "tone at the top";

b. Establishes and adheres to standards of conduct;

c. Attends to ethical failures quickly and effectively.

2. The board of directors demonstrates independence of management, and oversees the development and monitoring of internal control including:

a. Clear board of directors oversight responsibilities and independence;

b. Evidence and application of relevant expertise.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities to achieve objectives, including integrating organizational structures and services including outsourced service providers.

4. Competence -- The organization demonstrates a commitment to attract, develop, and retain competent individuals consistent with achieving organizational objectives, including:

a. Establishing policies and procedures to attract, develop, and retain competent individuals;

b. Assessing competencies, creating development plans to achieve needed skills and competencies, and addressing deficiencies in skills and competencies through training, hiring or outsourcing;

c. Planning and preparing for turnover and succession.

5. Accountability -- The organization holds individuals accountable for their internal control responsibilities including:

a. Enforcing accountability through structures, authorities, and responsibilities;

b. Establishing and evaluating performance measures, incentives, rewards and disciplinary actions for individuals;

c. Monitoring and considering the potential for excessive performance pressures, including unrealistic performance (e.g., earnings) targets, and an excessive concern with short-term (e.g., quarterly earnings) targets.

C. Risk Assessment — 4 principles (Note that many of these principles are also found in the CPAexcel Risk Management Policies and Procedures lesson.)

1. Objectives -- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks that threaten the achievement of objectives. In so doing, the organization should consider:

a. The precision of risk tolerance levels, e.g., can we quantify the risk? To within what range?

b. Materiality in relation to risk assessment. How big of a risk poses a threat to objectives (a loss of $10,000? $100,000? $1,000,000?);

c. Risks related to the organization's ability to comply with standards, frameworks, laws and regulations;

d. Risks related to operational and financial performance goals;

e. Risks in committing resources.

2. Assessment -- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risk should be managed. In so doing, the organization should:

a. Involve appropriate levels of management in risk assessment;

b. Consider and include entity, subsidiary, division, operating unit, and functional levels;

c. Analyze internal and external factors;

d. Estimate risk importance;

e. Develop appropriate risk responses.

3. Fraud -- The organization considers the potential for fraud in assessing risks to the achievement of objectives. In so doing, it:

a. Considers fraud risk factors and threats;

b. Assesses the potential fraud influences of incentives and pressures;

c. Assesses opportunities that may exist in the organization for fraudsters to commit fraud;

d. Assesses attitudes and potential rationalizations that might be used to justify fraudulent actions.

4. Change Management -- The organization identifies and assesses changes in the external environment, business model and organizational leadership that could impact the system of internal control.

D. Control Activities — 3 Principles

1. Risk Reduction -- Organizational control activities mitigate (i.e., reduce) the risks to the achievement of objectives to acceptable levels. In so doing, the organization:

a. Integrates controls with risk assessments;

b. Uses risk reduction analyses to determine which business processes require a control focus;

c. Considers how the environment, complexity, nature and scope of operations influence risk reduction and control activities;

d. Evaluates a mix of potential control activity types, including manual and automated, and preventive and detective controls;

e. Segregates incompatible activities and implements alternative controls where segregation is impossible.

2. Technology Controls -- The organization selects and implements general controls over technology which support the achievement of its objectives. These activities include:

a. Management understanding and determining the dependencies between business processes, automated controls, and technology general controls;

b. Management establishing controls to ensure the completeness, accuracy, and availability of technology and processing;

c. Restricting technology access rights to authorized users;

d. Establishing relevant security management process controls;

e. Establishing relevant technology acquisition, development, and maintenance process controls.

3. Policies -- The organization's control activities inform policies that establish stakeholder expectations. Established procedures ensure the implementation of these policies. These activities include:

a. Establishing policies and procedures that support the achievement of management's directives;

b. Establishing responsibility and accountability for executing policies and procedures;

c. Employing competent personnel to perform control activities in a timely manner, and to take corrective action to investigate and act on control problems and issues;

d. Management periodically reassessing and revising policies and procedures to address changing conditions.

E. Information and Communication — 3 principles

1. Quality -- Relevant, high-quality information supports the internal control processes. This activity includes organizational processes that:

a. Identify the information required to support internal control processes;

b. Capture internal and external sources of data;

c. Transform relevant data into information;

d. Produce information that is relevant, timely, current, accurate, verifiable, protected, and retained;

e. Consider the costs and benefits of information in relation to organizational objectives.

2. Internal -- Internal communication supports internal control processes. This includes:

a. Organizational processes communicate required information to enable all personnel to understand and execute their internal control responsibilities;

b. Communication between management and the Board of Directors supports the achievement of organizational objectives;

c. Separate communication lines, such as a whistle-blower hotline, exist as a fail-safe mechanism to enable anonymous, confidential communication;

d. Internal communication methods are sensitive to the timing, audience, and nature of the communication.

3. External -- Communication with outsiders supports internal control processes. Organizational processes:

a. Communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and others;

b. Enable inbound communications. Communication channels support the receipt of information from customers, suppliers, external auditors, regulators, financial analysts and others;

c. Separate communication lines, such as a whistle-blower hotline, exist as a fail-safe mechanism to enable anonymous, confidential communication;

d. Communicate relevant information resulting from assessments conducted by external parties (e.g., reviews of internal control) to the board of directors;

e. Ensure that external communication methods are sensitive to the timing, audience, and nature of the communication and to legal, regulatory and fiduciary requirements.

F. Monitoring Activities — 2 Principles

1. Ongoing and Periodic -- Ongoing and separate evaluations evaluate internal control functioning. These activities include:

a. Considering the mix of ongoing and separate evaluations;

b. Benchmarking — considering the design and state of the existing system of internal control to establish a baseline understanding for ongoing and separate evaluations;

c. Developing and selecting ongoing and separate evaluations through management consideration of the rate of change of business activities and processes;

d. Ensuring that personnel have sufficient knowledge to conduct evaluations;

e. Integrating ongoing evaluations with business processes and adjusting, as needed, to changing conditions;

f. Providing periodic, separate evaluations for objective feedback;

g. Adjusting the scope and frequency of evaluations based on risk assessments.

2. Address Deficiencies -- Parties responsible for taking corrective action, including senior management and the board of directors, receive timely communication of internal control deficiencies. These activities include:

a. Assessment of the results of ongoing and separate evaluations, as appropriate, by management and the board of directors;

b. Communication of deficiencies to those responsible for acting upon them, and to management at least one level above the identified problem;

c. Communication of deficiencies to senior management and the board of directors, as appropriate;

d. Tracking by management whether deficiencies are corrected on a timely basis.

Flashcards

Flashcard #1 (FC2564)

Define inbound communications. Communications from outsiders to the organization, including customers, suppliers, external auditors, regulators, financial analysts and others.

Flashcard #2 (FC2563)

Define organizational policies. The organization's control activities that establish stakeholder expectations regarding conduct and operations.

Flashcard #3 (FC2562)

Define risk assessment materiality. The determination of how large of a risk poses a threat to objectives.

Flashcard #4 (FC2561)

Define risk assessment precision. Whether, and the extent to which, risk can be quantified.

Flashcard #5 (FC2560)

Define accountability in the context of designing internal control.

Holding individuals accountable for their internal control responsibilities.

Flashcard #6 (FC2559)

Define competence in the context of designing internal control.

A commitment to attract, develop, and retain competent individuals consistent with achieving organizational objectives.