White Paper. Effective and Practical Deployment of COSO: Entity Level Control and Lessons Learned. July 10, 2008 THE ROBERTS COMPANY, LLC

Similar documents
Practical Approach to Internal Controls for Pre & Post IPOs in Hong Kong & China

COSO What s New, What s Changed, Why Does it Matter and Other Frequently Asked Questions

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

9/17/2017. An Overview of COSO s New Framework and Implementation Guidance SPEAKER. Laura Harden, CPA History

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad

Community Bankers Conference

PART 6 - INTERNAL CONTROL

FDICIA Reporting for Financial Institutions. Reporting Changes Under Part 363 and SAS 130

AN AUDIT OF INTERNAL CONTROL THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES

Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

CAAS 104 Cost Audit and Assurance Standard on Knowledge of Business, its Processes and the Business Environment

29 th Regional Conference of WIRC

Strengthening Control and integrity: A Checklist for government Managers

An Overview of the 2013 COSO Framework. August 2013

Guide to Internal Controls

Compliance Risk Management

Cost Auditing Standard Cost Auditing Standard on Knowledge of Business, its Processes and the Business Environment

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Internal Controls. June-20-17

9. Internal control Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in

Audit Training-of-Trainers Workshop, November 2014, Vienna Components of internal control within organization

B S R & Co. LLP. Reporting on Internal. Reporting An Overview. Sarbanes Oxley Act (SOX) 28 December 2013

FREQUENTLY ASKED QUESTIONS ABOUT INTERNAL CONTROL OVER FINANCIAL REPORTING

Introductions. An Overview of the COSO 2013 Framework. Christian Peo Sharon Todd. An Overview of the 2013 COSO Framework.

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016

CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING

Internal Control Questionnaire and Assessment

The most commonly applied model for designing and auditing internal

IPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by:

COSO Internal Control Integrated Framework Proposed Update

38 Years of Excellent Client Service New COSO Model and How Internal Controls Help to Reduce Opportunity for Fraud

Internal Control Questionnaire and Assessment

Heads Up. Control Integrated Framework. COSO Enhances Its Internal. In This Issue: Enhancements in the 2013 Framework

Internal Auditing 101 with Panel Discussion. VGFOA Virginia Beach May 2013

COSO Framework Update Webcast. May 23, 2013

Present and functioning: Fine-tuning your ICFR using the COSO update

COSO Updates and Expectations. IIA San Diego Chapter January 8, 2014

2013 COSO Internal Control Framework Update. September 5, 2013

CHAPTER II THEORETICAL FOUNDATION. ensure the effectiveness and efficiency of a company s operation. Operational audit is

[RELEASE NOS ; ; FR-77; File No. S ]

Anti-Fraud Programs and Control Policy

On the Revision of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal Control

Internal Control Systems

DAVITA INC. AUDIT COMMITTEE CHARTER

Implementation Guide 2130

α β 19 November 2003 Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, D.C.

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

Business Benefits by Aligning IT best practices

1. Corporate management (including the CEO) must certify monthly and annually their organization s internal controls over financial reporting.

Case #1.1 Waste Management: The Matching Principle

Essential IT Considerations for Sarbanes-Oxley Act

EFFICIENT USE OF AUDIT COMMITTEES

Introduction to Risk and Control

IDI Internal Control System

Creating Business Value Through Optimized Compliance Practices

AUDITING. Auditing PAGE 1

Internal Audit and SOX Best Practices

Is your ERP ready for COSO 2013?

Negotiating in a Sarbanes-Oxley World

Internal Control at OSU COSO & Enterprise Risk Management. Oregon State University Board of Trustees Executive & Audit Committee Educational Session

Internal Control in Higher Education

Washington Metropolitan Area Transit Authority Board Action/Information Summary

This charter defines the purpose, authority and responsibility of News Corporation s (the Company ) Corporate Audit Department.

Modern Auditing: Assurance Services and the Integrity of Financial Reporting, 8 th Edition

Speech by SEC Staff: Remarks before the 2007 AICPA National Conference on Current SEC and PCAOB Developments

Internal Audit Charter

COSO 2013: Updated internal control framework

The Ins and Outs: Audits Under FDICIA. Jennifer Gureckis and Kaylyn Landry BerryDunn February 27, 2018

Implementation Tool for Auditors

Kentucky State University Office of Internal Audit

AN ASSESSMENT OF THE COSTS AND BENEFITS ASSOCIATED WITH THE IMPLEMENTATION OF SARBANES OXLEY SECTION 404 IN A SOUTH AFRICAN CONTEXT

IT Audit at Brown. A collaboration between the Information Technology and Internal Audit Teams

The Bulletin. The Updated COSO Internal Control Framework: Frequently Asked Questions. Volume 5, Issue 3. What Hasn t Changed? So Why Change?

Successful ERM Program Standards. Definitions of Enterprise Risk Management (ERM)

SOX FOR NPO S Focus on Control. Stephen L. Kuptz, CPA

Committee for Senior Business Administrators. Segregation of Duties

International Standards for the Professional Practice of Internal Auditing (Standards)

Report on Inspection of Deloitte LLP (Headquartered in Toronto, Canada) Public Company Accounting Oversight Board

RREGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT FUNCTION IN MICROFINANCE INSTITUTIONS. Article 1 Scope and Purpose

BIG LOTS, INC. AMENDED AND RESTATED AUDIT COMMITTEE CHARTER

Evaluating Internal Controls

STANDING ADVISORY GROUP MEETING

RELEVANT TO ACCA QUALIFICATION PAPERS F8 (INT), P7 (INT) AND FOUNDATION LEVEL PAPER FAU (INT)

A Discussion About Internal Controls February 2016

BUSINESS CPA EXAM REVIEW V 3.0. For Exams Scheduled After March 31, 2017

Private Company Services. Private companies: are your internal controls supporting your business strategy?*

What s New in Government Internal Control Standards? Going Green

Internal Controls: Providing an Effective Control Environment. Why This Session Is Needed. Lesson Overview & Module Objectives

Assistance Options to New Applicants and Sponsors in connection with Internal Controls over Financial Reporting

Risk management. Risk management system

Institute of Chartered Accountants of India. Standards on Auditing

SARBANES-OXLEY INTERNAL CONTROL PROVISIONS: FILE NUMBER 4-511

npliance IN 2008, MICROSOFT CORP. WAS FINED 899 MILLION Auditing for

Section 404 of the Sarbanes-Oxley

Business development companies

METROPOLITAN TRANSPORTATION AUTHORITY

AUDIT COMMITTEE CHARTER

Agenda 11/26/13. Updated COSO Framework

Transcription:

THE ROBERTS COMPANY, LLC Compliance Services: IT and Business Processes 3394 Holly Oak Lane, Escondido, CA 92027 TEL: 760.550.2160 * FAX 760.839.2160 E-mail: robertputrus@therobertsglobal.com http://www.therobertsglobal.com/ White Paper Effective and Practical Deployment of COSO: Entity Level Control and Lessons Learned July 10, 2008 Prepared for: White Paper Prepared by: Robert Putrus, PE, CMC Principal THE ROBERTS COMPANY, LLC 3394 Holly Oak Lane Escondido, California 92027 760.550.2160 THE ROBERTS COMPANY, LLC 3394 Holly Oak Lane Escondido, California 92027 Telephone: 760.550.2160 Fax: 760.839.2160 www.therobertsglobal.com

July 10, 2008 White Paper Page 2 of 8 Effective and Practical Deployment of COSO: Entity Level Control and Lessons Learned By: Robert Putrus, PE, CMC, CFE Introduction The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is the most commonly used framework for evaluating and assessing a company s internal controls and governance. It establishes a broad definition of internal control extending to all objectives of an organization. However, the key is how to effectively deploy COSO when interpreting the results and implementing remediation. The purpose of assessing the internal controls of the company governance is to obtain sufficient knowledge of the control environment to understand the management s and the governing body s attitudes, awareness and actions concerning the factors of the control environment. Entity level controls and corporate governance are included within the scope of Sarbanes-Oxley Act Sec. 404. The overall assessment of internal control at the entity level ultimately comes down to two important questions: 1. Has management created a control environment in which people are motivated to comply with controls rather than to ignore or circumvent them? 2. Has the company installed the necessary control mechanisms to monitor and correct noncompliance, and are the mechanisms functioning effectively? For the purpose of this article, internal control is defined as a process, affected by an entity s board of directors, management and other personnel, which is designed to provide reasonable assurance regarding the achievement of objectives. Objective of the Corporate Governance and Entity Level Assessment The assessment of internal controls at the entity level for companies when using COSO has to address, endorse and bring to the forefront two important issues: 1. Management should create a control environment in which people are encouraged to comply with controls rather than ignore or circumvent them. 2. Companies must install the necessary control mechanisms to monitor and correct noncompliance, and ensure the mechanisms are functioning effectively.

July 10, 2008 White Paper Page 3 of 8 To obtain sufficient knowledge of the control environment within the company and to understand management s and the governing body s attitude, awareness and actions concerning the factors of the control environment: Within the framework of SOX Compliance efforts, the company will obtain sufficient knowledge of its governing body attitude, awareness and actions concerning the following actors: 1. Integrity and ethical values 2. Commitment to competence 3. Governing body/audit Committee 4. Management philosophy and operating style 5. Organizational structure 6. Methods of assigning authority and responsibility 7. Personnel, business and process policies and practices Best Practice in Deploying COSO Framework This article provides a summary based on observations and recommendations reflecting the current status of the company to go through the entity level assessment and compliance. The following steps should be considered: 1. The assessment of the entity level control should be performed by the entity/staff performing the internal audit through a series of interviews discussing the condition of the internal control environment within the company and its management awareness. The company s audit committee should remain updated during this process on the status of effectiveness of the company control environment. 2. Company management response and necessary documents should establish the basis in substantiating the arrived to conclusions and recommendations with respect to internal control effectiveness and any recommended remedial actions. The interviews are based on either good faith representation of the facts or management is required to substantiate the presence and the operating effectiveness of the controls. 3. Conduct the assessment project in two phases. The first phase is presenting an interim progress report to the company s audit committee for review and recommendations. The second phase represents the final assessment and conclusion of the internal controls. 4. It is recommended that the audit committee approve the implementation of the recommendations stated in the progress report. 5. The company must be committed to implement a program of periodic monitoring of the control activities and their compliance to the company policy and procedures.

July 10, 2008 White Paper Page 4 of 8 Guidelines to Improve Entity Level Controls and Compliance To maximize the COSO framework, it is critical to understand that compliance is a continual process, not a one-time initiative. Therefore, the following are some recommended enablers to ensure compliance maintenance: 1. Implement a semi-annual audit of entity control, effective tone at the top and a strong internal control environment to increase external auditor reliance on management s efforts. 2. Use audit experts rather than pushing responsibilities onto other internal resources for an effective and independent design of internal controls and adequately test the controls and processes of high impact. 3. Use information technology to embed controls within information systems, increase compliance efficiency and improve control structures. 4. Maintain documentation to effectively transfer ownership of controls to business unit personnel and effective change management. 5. Ensure that the organization s compliance and ethics program are followed through periodic and independent monitoring and auditing. 6. Have and publicize a process, which may include mechanisms that allow for anonymity or confidentiality, whereby company employees and agents may report or seek guidance regarding improper conduct without fear of retaliation. Recommendation for Project Approach and Methodology The evaluation of a company s entity level Internal controls should consider the COSO conceptual framework, which will quantify and report on the effectiveness of the company internal controls. The evaluation consists of: 1. Adopting the five components of COSO framework. 2. Identifying the control activities within each component of COSO framework. 3. Providing a description for each of the control activities. 4. For a multi-national corporation, developing a cross-reference table between entity level control activities and the Foreign Country Securities Rules. 5. Documenting all of the above in a spreadsheet using a risk base control matrix. 6. Meeting and interview company personnel to familiarize them with the adopted methodology, and provide explanations and capture their responses. 7. Answering each of the control activities with effective, ineffective or N/A

July 10, 2008 White Paper Page 5 of 8 8. Company management providing evidence and management comments for each control activity. 9. Producing hardcopy evidence of control activities for each related activity and permanently retained. 10. Assessing whether any remediation is required for a given control activity. 11. Examining the effectiveness of each of the control activities by the internal audit team. 12. Making recommendations to the company senior management team, board of directors and audit committee where a control activity is deemed ineffective. 13. Approving the remediation action by the board of audit committee and board of directors. 14. Developing a management report encompassing the results of the entity evaluation of internal controls for the company. Internal Controls Testing Method The recommended testing method for internal control effectiveness is examination. The following are the commonly understood definitions of the testing methods: 1. Inquiry: Inquiry of a control s effectiveness does not, by itself, provide sufficient evidence of whether a control is operating effectively. 2. Observation: Observation of the control provides a higher degree of assurance. 3. Examination: Examination of evidence to determine whether controls are in place. 4. Re-performance: Re-performance of the specific application of the control provides the highest degree of assurance. Maintain and Improve Entity Level Controls and Compliance For subsequent years, the entity level internal control documentations must be monitored, reviewed and updated as follows: 1. On a periodic basis, monitor and review the internal controls and report to the audit committee, which will take adequate and timely actions to correct any identified deficiency. 2. Review previously completed risk control matrix and determine what changes, if any, the company has made in the entity s internal control. 3. If there are changes in any particular control activity, the original findings should be updated to reflect the current status and be re-examined. 4. Used information technology to embed controls within information systems, increase compliance efficiency and improve control structures

July 10, 2008 White Paper Page 6 of 8 5. When updating a particular control activity, the staff responsible should sign and date each section when he or she has completed the updated review of that section. 6. Ensure segregation of duty is maintained, monitored and tested. Segregation of duties is an internal control activity to help prevent or decrease the occurrence of undetected innocent errors or intentional fraud. This is done by ensuring that no single individual has control over all phases of a transaction: authorization, custody, and record keeping. When there is a good segregation of duties, there has to be collusion between two or more employees for irregularities to occur without detection. 7. If segregation of duty is at question, the company will design and institute a proper compensating control. Compensating control is a control designed to catch the failure of specific controls that were put in place to prevent or detect an undesirable situation. Conclusion Companies that are seeking effective internal controls certification and compliance must start at the top level of the organization by evaluating internal control environment at the entity level, which has a pervasive impact on the organization. Consideration should be given to each of the five COSO internal control dimensions: control environment, risk assessment, control activities, information and communication, and monitoring. On a periodic basis companies ought to monitor and review the internal controls and report the status of effectiveness to the audit committee, which will take adequate and timely action to correct any identified deficiencies. COSO Dimensions The COSO framework includes the following five components of internal controls: Control Environment sets the tone of an organization and influences the control consciousness of its people. It is the foundation for all other components of internal control and provides discipline and structure. Risk Assessment is the entity s identification and analysis of relevant risks to the achievement of its objectives and forms a basis to determine how the risks should be managed.

July 10, 2008 White Paper Page 7 of 8 Information and Communication Systems support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities. Control Activities are the policies and procedures that help ensure that management s directives are carried out. Monitoring is a process that assesses the quality of internal control performance over time. 1. Robert Putrus, PE, CMC, CFE is the Principal of THE ROBERTS COMPANY, LLC (WWW.THEROBERTSGLOBAL.COM). He has an advanced M.B.A., M.Sc., Computer Engineering, M.Sc., and Systems Engineering, and B.Sc., Electrical Engineering. Robert is also a certified Professional Engineer (P.E.), Certified Management Consultant (CMC), and Certified Fraud Examine (CFE). He can be reached at 760.550.2160, e-mail: robertputrus@therobertsglobal.com.

July 10, 2008 White Paper Page 8 of 8 Summary Profile: Robert Putrus: Robert Putrus, PE, CMC, CFE - Mr. Putrus is a seasoned professional and executive with over 20 years of experience in information, engineering, and manufacturing management for a variety of companies ranging from middle market to Fortune 100. He has developed and founded new professional practices and companies and managed professional staffs of service organizations. Also, he has negotiated, proposed, engineered, implemented, and managed major programs for a variety of industries taking these opportunities through the full sales cycle and project execution. Mr. Putrus has written numerous article and white papers in professional journals. He was quoted in numerous publications. Mr. Putrus served as the President of Institute of Management Consultants- San Diego Chapter in 2005 and 2006. Also, he served on the Board of Directors for Junior Achievement San Diego and Imperial County regions. His experience covers a variety of executive level of information technology and management functions such as: Internal control review, evaluation and testing Sarbanes-Oxley Section 404 Compliance ROI and Implementation of high impact enterprise initiatives ERP selection, implementation, program management, project management, planning, implementation Business process re-engineering Supply chain management, information systems management Risk consulting services SAS 70. SAS 99 Computer integrated manufacturing (CIM) Information systems outsourcing Facilitation of management workshops, manufacturing information and supplier performance assessments Development and implementation of computer integrated manufacturing (CIM), information systems EDUCATION: Advanced M.B.A., Michigan State University, 1988. M.Sc. Computer Engineering, Wayne State University, 1985. M.Sc. Control Systems Engineering, University of Technology, 1978. B.Sc. Electrical Engineering, University of Technology, 1976. CERTIFICATION: Certified Fraud Examiner (CFE) Professional Engineer (P.E.) - Licensed Engineer Certified Management Consultant (CMC)

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback