Communication Interpretation
SOX 2016
PART 1 – COSO 2013

Sources: Public Company Accounting Oversight Board, www.pcaobus.org; Securities and Exchange Commission, www.sec.gov; Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org; and American Institute of Certified Public Accountants, aicpa.org.
SOX 2016
PCAOB Release No. 2015-003 included a graph showing an increase in deficiencies in audits of
ICFR, from 15% in 2010 to 39% in 2013. On 8.8.15, at the American Accounting Association
Annual Meeting, the PCAOB stated that “…ICFR audit deficiencies continue to be the most
frequent inspection findings…”, and PCAOB Release No. 2015-007 reported common Part I findings
related to risk assessment deficiencies. The release defines a Part I finding as follows:
“In a firm inspection report, a Part I Finding is an auditing deficiency identified by Inspections staff that is of
such significance that it appeared to the Inspections staff that a firm, at the time it issued its report, had not
obtained sufficient appropriate audit evidence to support (1) its opinion that the financial statements were
presented fairly, in all material respects, in accordance with the applicable financial reporting framework
and/or (2) its opinion about whether the issuer had maintained, in all material respects, effective internal
control over financial reporting (“ICFR”). In other words, in these audits, the auditor issued an opinion
without satisfying its fundamental obligation to obtain reasonable assurance about whether the financial
statements were free of material misstatement and/or the issuer maintained effective ICFR.”
PCAOB news releases (10.1.15) highlight three general areas of concern: ICFR; assessing and
responding to risks of material misstatement; and accounting estimates, including fair value
measurements. Economic factors cited include the high pace of mergers and acquisitions, the
search for higher-yielding investment returns in a low interest rate environment, and industry
effects from oil price fluctuations.
The underlying business question is one of judgment and cost:
• Has your management team provided value by implementing and maintaining transparent and comprehensive
documentation and controls that auditors, regulators and other stakeholders can independently follow?
• Do you have an independent Internal Audit Department (“IAD”) with open lines of communication to management
and the Audit Committee?
• Is there a transparent organizational structure that reflects financial reporting and the related control environment?
• Is IAD or external audit independence limited by incentives to maintain relationships over objective reporting?
• Does IAD provide value through transparent audit programs and workpapers, and does it pose relevant
questions to the external auditors, so that audits are efficient and effective?
• Are internal and external auditors comfortable making probing inquiries of executive management?
The 2013 revision of the recommended COSO framework provides an opportunity to re-think
improvements to the existing control structure or to implement a more robust environment.
This document has three parts. It is not intended to cover all risks and controls, but to
illustrate internal control (“IC”) with examples.
Part I is an interpretation of controls for the COSO 2013 requirements, incorporating the 17
principles within the five components of internal control, applied to a personal experience.
Part II highlights audit responsibilities.
Part III offers observations and further examples of the communication breakdowns that public entities and
auditors struggle with in identifying and managing Internal Control over Financial Reporting (“ICFR”).
Simplified, ICFR is the responsibility of management. External consultants or the IAD manage the
framework in order to independently report gaps, remediation and deficiencies, in support of management
certifications, as part of Board and Audit Committee oversight, and on behalf of
stakeholders. External auditors are responsible for assessing the design and operating effectiveness of ICFR
on behalf of stakeholders.
Comments and discussion are a welcome part of progress through open communication.
PART I – COSO 2013: 17 Principles within 5 COSO components
On 7.1.15, I cycled alone from Vancouver, BC to the Mexican border in 21 days. It’s not the first
time, nor am I the first person to accomplish this endeavor. In the same vein, the 2013 COSO
framework enhanced or clarified the 1992 framework in order to address the current and
increasingly complex, global, technology-driven business environment. ICFR is not new, and yet
communication and documentation remain a challenge.
The same control can apply to more than one principle and component, which is most clearly
represented in a matrix summarizing the framework. Please accept the caveat that this
journey is a simplified metaphor through which to apply the COSO 2013 framework to corporate
governance and ICFR.
Effective internal control applies all seventeen principles within the five components. You will see
that an understanding of audit requirements is linked to a robust ICFR framework.
CONTROL ENVIRONMENT (1):
1. Commitment to integrity and ethical values.
Control 1.1 - Policies and procedures are documented with transparent controls addressing end-to-end
processing of entity operations, in sufficient detail to be independently verified. This includes corporate
governance (including implementation /modification of stock option plans, salary and bonus arrangements)
as well as IT general and application controls. The CFO and CEO (or others responsible for quarterly and
annual 302 and 404 certifications, respectively) sign off on policies and procedures and control matrices
(and any modifications to reflect current operations) that clearly and comprehensively summarize ICFR.
Control 1.2 – The Code of Conduct and Code of Ethics (including a Whistleblower Policy that is independent of
management) are presented to all employees and contractors to read and sign before access is provided to
entity records.
Control 1.3 – IAD has unrestricted read-only access to all IT applications and business unit/function
servers, including the financial statement chart of accounts.
2. The Board demonstrates independence from management and exercises oversight of the development and performance of internal control.
Control 2.1 - Policies and procedures are documented with evidence of process owners and subsequent
Board approval, and evidence of regular, dated, review for any modifications to reflect current operations.
Control 2.2 – IAD documents an annual internal audit plan, with evidence of Board approval.
Control 2.3 - Board reviews audit programs and audit reports with management response and maintains
documented queries to and responses from management and IAD on the results.
Control 2.4 - Board member background and expertise is documented, including affiliations and
relationships or transactions with the entity, and the Board includes a sufficient number of independent members.
Control 2.5 – Audit Committee and Board members have sufficient independence that necessary and
often probing questions are raised, as documented in meeting minutes and other retained
correspondence.
Control 2.6 - The Audit Committee includes at least one financial expert and operates under a charter that
outlines its duties and responsibilities and provides adequate resources and authority to discharge those
responsibilities.
3. Management establishes structure, reporting lines and appropriate authorities and responsibilities in
pursuing objectives.
Control 3.1 - Organizational charts are distributed and updated regularly to reflect current operations and
clear reporting lines that assist with segregation of duties. Charts are reviewed on a regular basis with
signature and date to evidence Board approval.
Control 3.2 - Authorization Matrix, comprehensive of entity operations, is documented and distributed with
evidence of Board approval and reviewed on a regular basis.
4. The organization demonstrates a commitment to attract, develop and retain competent individuals.
Control 4.1 - The entity maintains an HR department or employs a firm that specializes in screening for
professional designations and vouching of employment history. Standards and procedures are in place for
hiring, training, motivating, evaluating, promoting, compensating, transferring and terminating personnel
that are applicable to all functional areas. Key employees and their salary and bonus compensation are
approved in Board meetings and evidenced in Board minutes.
Control 4.2 – Structured, documented independent reviews are made on a regular basis, including
opportunities for upward performance appraisals and independent exit interviews.
5. The organization holds individuals accountable for their internal control responsibilities.
Control 5.1 - Entity obtains regular employee verification of their awareness and responsibility for internal
controls with sufficient transparency for their responsibilities in-line with policies, procedures, organizational
charts and authorization matrices.
Control 5.2 – IAD has unrestricted read-only access to all IT applications and business unit /function
folders, including financial statement chart of accounts.
Control 5.3 – Identified deficiencies are remediated in a timely manner, and related documentation is
updated and approval signatories are notified and evidence of their response obtained for such updates.
Control 5.4 – Transparent documentation and open lines of communication between internal and external
auditors and management address significant matters relating to internal control and accounting issues,
as documented in regular Audit Committee meeting minutes and monthly updates.
RISK ASSESSMENT (2):
6. Objectives are transparent in order to identify and assess risks relating to each objective.
OPERATIONAL OBJECTIVE: Complete a solo bike journey in consecutive riding days, following Highways
1 and 101, from the Canadian border to the Mexican border.
Risk 1 – Road conditions, weather, wildlife, traffic and health are all significant risks that controls can
mitigate, but not remove completely.
Stung in the throat and eye by bees and wasps - watch out for the Oregon coast!
Control 6.1.1 – Ensure phone /tablet has a full charge each morning, for emergencies and directions.
Control 6.1.2 – Maintain spare tubes, air pump, chain connector, patch kit, weapon, cleansing wipes,
sunscreen and water bottles and account for inventory levels against a checklist each morning.
...until I encountered a growling cougar, I was a typical Canadian - no weapon
Control 6.1.3 – Assess distance and route for isolated areas to plan for daily nutrition and water stops.
Use maps to plan for alternate bike routes when possible.
Control 6.1.4 – Road and weather conditions cannot be altered, but modifying pace and riding schedule
to avoid lightning or extreme heat can keep you on track and maintain health.
That bee sting… got infected and antibiotics caused severe sunburn… imagine wearing
arm and leg warmers in last summer’s heat wave!
Risk 2 – Bike and gear condition, malfunction and lodging availability are controllable risks.
Control 6.2.1 – Gear is washed, accounted for and laid out each evening and repacked (and secured to
the bike or water-proofed) each morning, reviewing for low inventory levels or worn parts (e.g. spare tubes,
worn cleats or nutrition) so that replacements can be sourced and purchased in time.
Control 6.2.2 – Bike is wiped down each night and tire pressure is checked each morning.
Control 6.2.3 – Plan and book accommodation the night before to preserve assets (bike and cyclist).
At a remote bike shop in Bend, OR I left my tire levers on the counter – no levers on a
Sunday when my tire went flat…
REPORTING OBJECTIVE: Document the journey to raise awareness and funding in three main disciplines
(intentionally vague for proprietary ventures), including road share.
Risk 3 – The cyclist could take a ferry, accept a ride or take a bus when inclement weather, fatigue or timely
completion issues arise, or could disappear without evidence of location or work product.
Control 6.3.1 – GARMIN GPS is turned on for the duration of the ride and heart rate monitor “HRM” is
worn; distance, speed, cadence, heart rate and maps are uploaded to the web for independent review.
Control 6.3.2 – Original receipts are retained for all purchases (picture for credit card purchases).
Control 6.3.3 – Cyclist calls in/emails daily status updates and documents key components in daily journal.
COMPLIANCE OBJECTIVE: Comply with US GAAP for reporting and with (road) rules and regulations in order
to complete the journey, without aid or assistance that would compromise completion within the calendar month.
Risk 4 – Current GAAP and other regulatory reporting requirements are not being met.
Control 6.4.1 – Management maintains memberships, regularly attends professional development (CPE)
and reads publications with respect to accounting pronouncements and industry developments.
Control 6.4.2 – see principle 6 - control 6.3.1.
Control 6.4.3 – The cyclist acknowledges road rules and regulations by state, and signs a disclaimer
acknowledging the personal safety risk and the judgment required in highway and road conditions, and
adherence to the use of safety lights, bells, reflectors and hand signals on the road.
7. Risks are identified and assessed.
Control 7.1 - see principle 1 - control 1.1 and principle 2 - control 2.1.
8. Fraud is considered in assessing risks.
Control 8.1 - see principle 3 – controls 3.1 and 3.2.
Control 8.2 – On at least an annual basis, fraud risk discussions are documented.
9. Identification and assessment of changes that could significantly impact the system of internal control.
Control 9.1 - see principle 6 - control 6.4.1.
CONTROL ACTIVITIES (3):
10. Development of general control activities that contribute to the mitigation of risks.
Control 10.1 – Management maintains narrative documentation for all processes (could be incorporated
with policies and procedures) that are in scope, based on the risk assessment. These processes are then
summarized in an Excel matrix that clearly outlines risks and associated controls that mitigate risks. This
matrix further identifies key controls relating to accurate and timely financial reporting, fraud controls and
the link to COSO 2013 components and principles, financial statement assertions (“FSA”), control type
(prevent, detect or compensating) and frequency and whether it is a manual or automated (IT) control.
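The matrix in Control 10.1 is only useful if every principle is mapped to at least one control and every row is complete. The script below is an added example, not part of the original document: it parses a constructed sample matrix in the column layout described above (control, principles, financial statement assertions, control type, frequency, manual/automated, key), reports which of the 17 principles have no control, grouped by component, and flags rows whose fields do not fit the layout. The control IDs echo this page; the descriptions, the list of accepted frequencies and the rule that a key control must name an assertion are assumptions for the example.

```python
"""Coverage check over a COSO 2013 risk-control matrix (added example).

The matrix below is a constructed sample in the column layout that
Control 10.1 describes; control IDs echo this page, descriptions are
abbreviated. The principle-to-component mapping is the one used here.
"""
import csv
import io

# Principle numbers per component, as laid out on this page.
COMPONENTS = {
    "Control Environment": range(1, 6),
    "Risk Assessment": range(6, 10),
    "Control Activities": range(10, 13),
    "Information & Communication": range(13, 16),
    "Monitoring Activities": range(16, 18),
}
ALL_PRINCIPLES = frozenset(range(1, 18))
CONTROL_TYPES = {"prevent", "detect", "compensating"}
FREQUENCIES = {"continuous", "daily", "weekly", "monthly",
               "quarterly", "annual", "event"}  # assumed vocabulary

# Constructed sample matrix. Columns follow Control 10.1: principles and
# financial statement assertions (FSA) are ';'-separated lists.
SAMPLE_MATRIX = """\
control_id,description,principles,fsa,control_type,frequency,automated,key
1.1,Policies and control matrices signed off by CEO and CFO,1;7;12,presentation,prevent,annual,N,Y
1.2,Code of Conduct signed before record access,1;16,,prevent,event,N,N
2.3,Board reviews audit reports and management responses,2;17,,detect,quarterly,N,Y
6.3.1,GPS and HRM data uploaded for independent review,6;13,existence;completeness,detect,daily,Y,Y
11.3,Unique credentials with lockout and forced rotation,11,,prevent,continuous,Y,Y
13.1,Quarterly and annual closing checklists signed off,13,completeness;accuracy;cutoff,detect,quarterly,N,Y
15.2,SOC 1 Type II obtained from service organizations,15,,detect,annual,N,N
"""


def parse_matrix(text):
    """Parse the CSV matrix into dicts with typed principle/FSA fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["principles"] = {int(p) for p in row["principles"].split(";") if p}
        row["fsa"] = [a for a in row["fsa"].split(";") if a]
        row["automated"] = row["automated"].upper() == "Y"
        row["key"] = row["key"].upper() == "Y"
        rows.append(row)
    return rows


def validate_control(row):
    """Return the defects in one matrix row; an empty list means clean."""
    defects = []
    unknown = row["principles"] - ALL_PRINCIPLES
    if unknown:
        defects.append("unknown principle(s) %s" % sorted(unknown))
    if not row["principles"]:
        defects.append("no principle mapped")
    if row["control_type"] not in CONTROL_TYPES:
        defects.append("control type must be prevent, detect or compensating")
    if row["frequency"] not in FREQUENCIES:
        defects.append("unrecognised frequency %r" % row["frequency"])
    # Assumed rule: a key financial-reporting control names the assertions it
    # supports, otherwise it cannot be tied back to the financial statements.
    if row["key"] and not row["fsa"]:
        defects.append("key control without financial statement assertion")
    return defects


def coverage_report(rows):
    """Principles with no control, per component, plus per-row defects."""
    covered = set()
    for row in rows:
        covered |= row["principles"]
    missing = sorted(ALL_PRINCIPLES - covered)
    missing_by_component = {
        name: [p for p in principles if p in missing]
        for name, principles in COMPONENTS.items()
    }
    defects = {}
    for row in rows:
        found = validate_control(row)
        if found:
            defects[row["control_id"]] = found
    return {
        "missing_principles": missing,
        "missing_by_component": missing_by_component,
        "defects": defects,
    }


if __name__ == "__main__":
    report = coverage_report(parse_matrix(SAMPLE_MATRIX))
    for component, gaps in report["missing_by_component"].items():
        print("%-28s uncovered principles: %s" % (component, gaps or "none"))
    for control_id, found in report["defects"].items():
        print("control %s: %s" % (control_id, "; ".join(found)))
```

Run against an export of the real matrix, the uncovered-principle list is the first thing an external auditor will ask about, and the per-row defects are the rows that cannot be tested as written.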
11. Development of general IT controls.
Control 11.1 – Access to IT hardware, servers, routers and networking components is restricted to key
personnel, with access rights approved by the Board.
Control 11.2 – Access rights to accounting applications are granted on the basis of business need; restricted
functions, and the reports used to monitor their use, are assigned and monitored by the super user, with sign-off
by the Board and Audit Committee at least annually.
Control 11.3 – User access (network, server and remote access) is authenticated through a unique username
and password, with an automatic logout period and a limit on failed password attempts. Password changes are
required on a regular basis, enforced by the super user. Users sign a confidentiality agreement at least
quarterly to acknowledge their responsibility to protect their password and the confidential nature of the
critical and sensitive records they are able to view and modify.
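Controls 11.1 to 11.3 are tested by reviewing a user listing from the application against the approvals and policies, which is exactly what an IAD or external auditor does each period. The script below is an added example and not from the original document: it runs such a review over a constructed access export, a constructed HR termination list and a constructed Board-approved privileged-user list, flagging generic or unnamed accounts, active accounts for leavers, stale passwords, dormant accounts, unapproved privileged roles and one segregation-of-duties conflict (the conflict pairs tie back to the organizational chart in Control 3.1). The review date, the 90-day thresholds, the role names and the generic-account names are assumptions.

```python
"""User-access review for the access controls in Principle 11 (added example).

The access export, HR termination list and Board-approved privileged-user
list are constructed sample data; the thresholds and role names are
assumptions, not values from the original document.
"""
import csv
import io
from datetime import date, timedelta

REVIEW_DATE = date(2016, 3, 31)         # fixed so the review is reproducible
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation period (Control 11.3)
DORMANT_AFTER = timedelta(days=90)      # assumed: no login in 90 days is dormant
GENERIC_NAMES = {"admin", "shared", "test", "guest", "sysadmin"}  # not one person
PRIVILEGED_ROLES = {"GL_SUPERUSER"}     # the "super user" of Controls 11.2/11.3
# Role pairs one person must not hold together (segregation of duties, Control 3.1).
SOD_CONFLICTS = [("AP_CLERK", "AP_APPROVER")]

# Constructed export from the accounting application; roles are ';'-separated.
ACCESS_EXPORT = """\
username,employee_id,roles,status,last_password_change,last_login
jsmith,E100,AP_CLERK,active,2016-02-01,2016-03-30
mlee,E101,GL_SUPERUSER,active,2015-11-15,2016-03-29
admin,,GL_SUPERUSER,active,2015-01-10,2016-03-31
rchen,E102,AR_CLERK,active,2016-01-20,2015-12-01
tgarcia,E103,AP_CLERK;AP_APPROVER,active,2016-03-05,2016-03-28
kpatel,E104,GL_SUPERUSER,active,2016-03-01,2016-03-30
"""
TERMINATED = {"E102"}            # constructed HR list: terminated before REVIEW_DATE
APPROVED_SUPERUSERS = {"mlee"}   # constructed Board-approved list (Control 11.1)


def parse_export(text):
    """Parse the CSV export into dicts with a role set and real dates."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        row["roles"] = {r for r in row["roles"].split(";") if r}
        row["last_password_change"] = date.fromisoformat(row["last_password_change"])
        row["last_login"] = date.fromisoformat(row["last_login"])
        users.append(row)
    return users


def review_user(user, review_date=REVIEW_DATE):
    """Return the policy exceptions for one account (empty list = clean)."""
    findings = []
    name = user["username"]
    # Control 11.3: every user authenticates with a unique, named account.
    if name.lower() in GENERIC_NAMES or not user["employee_id"]:
        findings.append("not a unique, named user account")
    # Control 11.2: access is based on business need; leavers must be removed.
    if user["employee_id"] in TERMINATED and user["status"] == "active":
        findings.append("active account for terminated employee")
    if review_date - user["last_password_change"] > MAX_PASSWORD_AGE:
        findings.append("password older than rotation period")
    if review_date - user["last_login"] > DORMANT_AFTER:
        findings.append("dormant account")
    # Control 11.1: privileged access is limited to Board-approved key personnel.
    if user["roles"] & PRIVILEGED_ROLES and name not in APPROVED_SUPERUSERS:
        findings.append("privileged role not on Board-approved list")
    for first, second in SOD_CONFLICTS:
        if {first, second} <= user["roles"]:
            findings.append("segregation of duties conflict: %s + %s" % (first, second))
    return findings


def access_review(text, review_date=REVIEW_DATE):
    """Map each username with at least one exception to its findings."""
    exceptions = {}
    for user in parse_export(text):
        findings = review_user(user, review_date)
        if findings:
            exceptions[user["username"]] = findings
    return exceptions


if __name__ == "__main__":
    for username, findings in access_review(ACCESS_EXPORT).items():
        print("%-8s %s" % (username, "; ".join(findings)))
```

The review date is fixed deliberately: an access review is evidence for a period, so the same export must produce the same exceptions when the auditor re-performs it. The findings list per user, rather than a single pass/fail, is what gets attached to the workpaper and tracked to remediation under Control 5.3.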
12. Development of general control activities through policies and procedures.
Control 12.1 – see principle 1 - control 1.1.
Control 12.2 – Original documentation is obtained and maintained for all processes. Scanned or stored
electronic data must be sufficiently clear, and all process owners are responsible for ensuring the
transparency of records.
Control 12.3 – Documentation used for funds disbursements must clearly reflect a unique record with the
business name and address, the date, the list of goods and services, and the total funds paid.
Control 12.4 – Disbursement records are stamped (defaced) to record GL coding, authorization and the business unit
to which the payment applies, including the full name and title of every employee and any non-employee to whom the record applies.
INFORMATION & COMMUNICATION (4):
13. Obtains or generates and uses relevant, quality information to support the functioning of IC.
Control 13.1 – Quarterly and annual closing checklists for 10-Q and 10-K reporting are completed and
signed off by appropriate signatories reflecting attestation to analysis and approval of reports.
Control 13.2 – Audit Committee minutes reflect ratified and approved 10-Q and 10-K reports that were
discussed with appropriate signatories with evidence of corrections and changes clearly documented and
maintained.
Control 13.3 – Chart of Accounts and IT general and application controls and reports are monitored for
modifications and operational effectiveness as part of the 10-Q and 10-K meetings.
14. Organization internally communicates objectives and responsibilities for IC.
Control 14.1 – see also, principle 5 – Entity obtains regular employee verification of their awareness and
responsibility for internal controls with sufficient transparency for their responsibilities in-line with Policy,
Procedures, Organization charts and Authorization matrices.
15. Organization communicates with external parties regarding matters affecting the functioning of IC.
Control 15.1 – Section 302 certifications (quarterly and annual) and the annual Section 404 assessment of ICFR
are asserted by management, and the annual 404 assessment is opined on by the independent auditor.
Control 15.2 – A SOC 1 Type II report (formerly SAS 70 Type II) is obtained from each service organization.
SSAE 16 is the attestation standard under which SOC 1 reports are issued, so the two terms are often used interchangeably (SSAE 16 was superseded by SSAE 18 for reports dated on or after May 1, 2017).
MONITORING ACTIVITIES (5):
16. Organization selects, develops and performs ongoing and /or separate evaluations to ascertain the
presence and functioning of ICFR.
Control 16.1 – see principle 1 - control 1.2.
Control 16.2 – see principle 2 - control 2.2.
Control 16.3 – The internal audit function adheres to professional standards, such as those of the Institute of Internal
Auditors (“IIA”), as evidenced by transparent audit plans and programs that consider risk and are
supported by sufficient audit evidence that can be independently verified.
Control 16.4 – IAD has authority to examine all aspects of the entity’s operations with results clearly
reported to management and the Audit Committee. Refer also to principle 1 – control 1.3.
17. Organization evaluates and communicates IC deficiencies in a timely manner to those responsible for
taking corrective action (senior management and Board, as appropriate).
Control 17.1 – see principle 2 - control 2.3.

 
Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013SARVJEET KAUSHAL
 
990025 p executive-summary-final-may20
990025 p executive-summary-final-may20990025 p executive-summary-final-may20
990025 p executive-summary-final-may20Thoriq Rivaldi
 

Ähnlich wie SOX 2016 - PART I - COSO 2013 (20)

IFC Knowldge Sharing 23.02.20 (1).pptx
IFC Knowldge Sharing 23.02.20 (1).pptxIFC Knowldge Sharing 23.02.20 (1).pptx
IFC Knowldge Sharing 23.02.20 (1).pptx
 
Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002
 
01 Auditing CH 1.ppt
01 Auditing CH 1.ppt01 Auditing CH 1.ppt
01 Auditing CH 1.ppt
 
Article on audit committee and financial reporting in corporate
Article on audit committee and financial reporting in corporate Article on audit committee and financial reporting in corporate
Article on audit committee and financial reporting in corporate
 
01 linkage of risk to governance processes
01 linkage of risk to governance processes01 linkage of risk to governance processes
01 linkage of risk to governance processes
 
Audit Report And Internal Control Evaluation
Audit Report And Internal Control EvaluationAudit Report And Internal Control Evaluation
Audit Report And Internal Control Evaluation
 
WIRC-IFC.pdf
WIRC-IFC.pdfWIRC-IFC.pdf
WIRC-IFC.pdf
 
Running head ACCOUNTINGACCOUNTING 2Internal control a.docx
Running head ACCOUNTINGACCOUNTING 2Internal control a.docxRunning head ACCOUNTINGACCOUNTING 2Internal control a.docx
Running head ACCOUNTINGACCOUNTING 2Internal control a.docx
 
.POINTS TO REMEMBER ADVANCED AUDITING.pdf
.POINTS TO REMEMBER ADVANCED AUDITING.pdf.POINTS TO REMEMBER ADVANCED AUDITING.pdf
.POINTS TO REMEMBER ADVANCED AUDITING.pdf
 
Advanced Auditing and assurance ,chapter1
Advanced Auditing and assurance ,chapter1Advanced Auditing and assurance ,chapter1
Advanced Auditing and assurance ,chapter1
 
Ch7 Quiz Questions And Solutions
Ch7 Quiz Questions And SolutionsCh7 Quiz Questions And Solutions
Ch7 Quiz Questions And Solutions
 
Ch01
Ch01Ch01
Ch01
 
FINANCIAL ANALYSIS AND ITS INTERPRETATIN
FINANCIAL ANALYSIS AND ITS INTERPRETATINFINANCIAL ANALYSIS AND ITS INTERPRETATIN
FINANCIAL ANALYSIS AND ITS INTERPRETATIN
 
477 10 (5)
477 10 (5)477 10 (5)
477 10 (5)
 
Coso 2013 icfr executive summary
Coso 2013 icfr executive summaryCoso 2013 icfr executive summary
Coso 2013 icfr executive summary
 
Coso 2013 icfr executive summary
Coso 2013 icfr executive summaryCoso 2013 icfr executive summary
Coso 2013 icfr executive summary
 
Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013
 
990025 p executive-summary-final-may20
990025 p executive-summary-final-may20990025 p executive-summary-final-may20
990025 p executive-summary-final-may20
 
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9
 
13 internal controls
13 internal controls13 internal controls
13 internal controls
 

SOX 2016 - PART I - COSO 2013

PART 1 – COSO 2013

Sources: Public Company Accounting Oversight Board, www.pcaobus.org; Securities and Exchange Commission, www.sec.gov; Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org; and American Institute of Certified Public Accountants, aicpa.org.

SOX 2016

PCAOB Release No. 2015-003 provided a graph reflecting an increase in deficiencies in audits of ICFR, from 15% in 2010 to 39% in 2013. On 8.8.15, at the American Accounting Association Annual Meeting, the PCAOB stated that “…ICFR audit deficiencies continue to be the most frequent inspection findings…”, and the observations in PCAOB Release No. 2015-007 included common Part I findings related to risk assessment deficiencies, as follows:

“In a firm inspection report, a Part I Finding is an auditing deficiency identified by Inspections staff that is of such significance that it appeared to the Inspections staff that a firm, at the time it issued its report, had not obtained sufficient appropriate audit evidence to support (1) its opinion that the financial statements were presented fairly, in all material respects, in accordance with the applicable financial reporting framework and/or (2) its opinion about whether the issuer had maintained, in all material respects, effective internal control over financial reporting (“ICFR”). In other words, in these audits, the auditor issued an opinion without satisfying its fundamental obligation to obtain reasonable assurance about whether the financial statements were free of material misstatement and/or the issuer maintained effective ICFR.”

PCAOB news releases (10.1.15) highlight three general areas of concern: ICFR, assessing and responding to risks of material misstatement, and accounting estimates, including fair value measurements.

Financial crisis and global economic factors include the high pace of mergers and acquisitions, higher-yielding investment returns in a low interest rate environment and industry effects from oil price fluctuations. The underlying business question is one of judgment and cost:

• Has your management team provided value by implementing and maintaining transparent and comprehensive documentation and controls that auditors, regulators and other stakeholders can independently follow?
• Do you have an independent Internal Audit Department (“IAD”) with open lines of communication to management and the Audit Committee?
• Is there a transparent organizational structure that reflects financial reporting and the related control environment?
• Is IAD or external audit independence limited by incentives to maintain relationships over objective reporting?
• Does IAD provide value through transparent audit programs and workpapers, and does it pose relevant questions to external auditors in order to support efficient and effective audits?
• Are internal and external auditors comfortable making probing inquiries to executive management?

The 2013 revision of the recommended COSO framework provides an opportunity to re-think improvements to the existing control structure or to implement a more robust environment.
This document has three parts. It is not intended to be comprehensive of all risks and controls, but sufficient to illuminate and give examples of internal control (“IC”). Part I reflects an interpretation of controls for the COSO 2013 requirements, incorporating the 17 principles within the five components of risk, applied to a personal experience. Part II highlights audit responsibilities. Part III offers observations and further examples of the communication breakdowns that public entities and auditors struggle with in identifying and managing Internal Control over Financial Reporting (“ICFR”).

Simplified: ICFR is the responsibility of management. External consultants or IADs manage the framework in order to independently report gaps, remediation and deficiencies for management certifications, as part of Board and Audit Committee oversight and on behalf of stakeholders. External auditors are responsible for assessing the design and effectiveness of ICFR on behalf of stakeholders. Comments and discussions are a welcome part of progress through open communication.

PART I – COSO 2013: 17 Principles within 5 COSO components

On 7.1.15, I cycled alone from Vancouver, BC to the Mexican border in 21 days. It’s not the first time, nor am I the first person to accomplish this endeavor. In the same vein, the 2013 COSO framework enhanced or clarified the 1992 framework in order to address the current and increasingly complex, global, technology-driven business environments. ICFR is not new, and yet communication and documentation remain a challenge.

The same control can apply to more than one principle and component, which is more clearly represented within a matrix summarizing the framework. Please accept the caveat that this journey is a simplified metaphor through which to apply the COSO 2013 framework to corporate governance and ICFR. Effective internal control applies all seventeen principles within the five components. You will see that an understanding of audit requirements is linked to a robust ICFR framework.
CONTROL ENVIRONMENT (1):

1. Commitment to integrity and ethical values.
Control 1.1 – Policies and procedures are documented with transparent controls addressing end-to-end processing of entity operations, in sufficient detail to be independently verified. This includes corporate governance (including implementation/modification of stock option plans and salary and bonus arrangements) as well as IT general and application controls. The CFO and CEO (or others responsible for the quarterly and annual 302 and 404 certifications, respectively) sign off on policies and procedures and control matrices (and any modifications to reflect current operations) that clearly and comprehensively summarize ICFR.
Control 1.2 – The Code of Conduct and Code of Ethics (including a Whistleblower Policy, independent of management) are presented to all employees and contractors to read and sign before access is provided to entity records.
Control 1.3 – IAD has unrestricted read-only access to all IT applications and business unit/function servers, including the financial statement chart of accounts.

2. Board independence and oversight over management development and execution of internal control.
Control 2.1 – Policies and procedures are documented with evidence of process owners and subsequent Board approval, and evidence of regular, dated review for any modifications to reflect current operations.
Control 2.2 – IAD documents an annual internal audit plan, with evidence of Board approval.
Control 2.3 – The Board reviews audit programs and audit reports with management responses, and maintains documented queries to and responses from management and IAD on the results.
Control 2.4 – Board member background and expertise is documented, including affiliations and relationships or transactions with the entity, and the Board includes a sufficient number of independent members.
Control 2.5 – Audit Committee and Board members have sufficient independence that necessary and often probing questions are raised, as documented in meeting minutes and other retained correspondence.
Control 2.6 – The Audit Committee includes at least one financial expert and operates under a charter that outlines its duties and responsibilities and provides adequate resources and authority to discharge those responsibilities.
3. Management establishes structure, reporting lines and appropriate authorities and responsibilities in pursuing objectives.
Control 3.1 – Organizational charts are distributed and updated regularly to reflect current operations and clear reporting lines that assist with segregation of duties. Charts are reviewed on a regular basis, with signature and date to evidence Board approval.
Control 3.2 – An Authorization Matrix, comprehensive of entity operations, is documented and distributed with evidence of Board approval and reviewed on a regular basis.

4. Organization commitment to attract, develop and retain competent individuals.
Control 4.1 – The entity maintains an HR department or employs a firm that specializes in screening for professional designations and vouching of employment history. Standards and procedures are in place for hiring, training, motivating, evaluating, promoting, compensating, transferring and terminating personnel, applicable to all functional areas. Key employees and their related salary and bonus compensation are approved in Board meetings and evidenced in Board minutes.
Control 4.2 – Structured, documented independent reviews are made on a regular basis, including opportunities for upward performance appraisals and independent exit interviews.

5. Organization accountability for internal control responsibilities.
Control 5.1 – The entity obtains regular employee verification of their awareness of and responsibility for internal controls, with sufficient transparency of their responsibilities in line with policies, procedures, organizational charts and authorization matrices.
Control 5.2 – IAD has unrestricted read-only access to all IT applications and business unit/function folders, including the financial statement chart of accounts.
Control 5.3 – Identified deficiencies are remediated in a timely manner; related documentation is updated, approval signatories are notified, and evidence of their response to such updates is obtained.
Control 5.4 – Transparent documentation and open lines of communication between internal and external auditors and management, to address significant matters relating to internal control and accounting issues, are documented in regular Audit Committee meeting minutes and monthly updates.
RISK ASSESSMENT (2):

6. Objectives are transparent in order to identify and assess risks relating to each objective.

OPERATIONAL OBJECTIVE: Complete a solo bike journey in consecutive riding days, following Highways 1 and 101, from the Canadian border to the Mexican border.

Risk 1 – Road conditions, weather, wildlife, traffic and health are all significant risks that controls can mitigate, but not remove completely. Stung in the throat and eye by bees and wasps – watch out for the Oregon coast!
Control 6.1.1 – Ensure phone/tablet has a full charge each morning, for emergencies and directions.
Control 6.1.2 – Maintain spare tubes, air pump, chain connector, patch kit, weapon, cleansing wipes, sunscreen and water bottles, and account for inventory levels against a checklist each morning. ...until I encountered a growling cougar, I was a typical Canadian – no weapon.
Control 6.1.3 – Assess distance and route for isolated areas to plan for daily nutrition and water stops. Use maps to plan for alternate bike routes when possible.
Control 6.1.4 – Road and weather conditions cannot be altered, but pace and riding schedule modifications to avoid lightning or extreme heat can keep you on track and maintain health. That bee sting… got infected and antibiotics caused severe sunburn… imagine wearing arm and leg warmers in last summer’s heat wave!

Risk 2 – Bike and gear condition and malfunction and lodging availability are controllable risks.
Control 6.2.1 – Gear is washed, accounted for and laid out each evening and repacked (and secured to the bike or water-proofed) each morning, reviewing for low inventory levels or worn parts (e.g. spare tubes, worn cleats or nutrition) so purchases can be sourced and planned for in a timely manner.
Control 6.2.2 – Bike is wiped down each night and tire pressure is checked each morning.
Control 6.2.3 – Plan and book accommodation the night before to preserve assets (bike and cyclist). At a remote bike shop in Bend, OR I left my tire levers on the counter – no levers on a Sunday when my tire went flat…
REPORTING OBJECTIVE: Document the journey to raise awareness and funding in three main disciplines (intentionally vague for proprietary ventures), including road share.

Risk 3 – The cyclist could take a ferry, accept a ride or take a bus when inclement weather, fatigue or timely completion issues arise, or could disappear without evidence of location or work product.
Control 6.3.1 – GARMIN GPS is turned on for the duration of the ride and a heart rate monitor (“HRM”) is worn; distance, speed, cadence, heart rate and maps are uploaded to the web for independent review.
Control 6.3.2 – Original receipts are retained for all purchases (a picture for credit card purchases).
Control 6.3.3 – Cyclist calls in/emails daily status updates and documents key components in a daily journal.

COMPLIANCE OBJECTIVE: Comply with US GAAP for reporting and with (road) rules and regulations in order to complete the journey, without aid or assistance that impedes completion within the calendar month.

Risk 4 – Current GAAP and other regulatory reporting requirements are not being met.
Control 6.4.1 – Management maintains memberships, regularly attends professional development (CPE) and reads publications with respect to accounting pronouncements and industry developments.
Control 6.4.2 – see principle 6 – control 6.3.1.
Control 6.4.3 – Cyclist acknowledges road rules and regulations by state, and signs a disclaimer to acknowledge the personal safety risk and use of judgment required in highway and road conditions, and adherence to the use of safety lights, bells, reflectors and hand signals on the roads.

7. Risks are identified and assessed.
Control 7.1 – see principle 1 – control 1.1 and principle 2 – control 2.1.

8. Fraud is considered in assessing risks.
Control 8.1 – see principle 3 – controls 3.1 and 3.2.
Control 8.2 – On at least an annual basis, fraud risk discussions are documented.

9. Identification and assessment of changes that could significantly impact the system of internal control.
Control 9.1 – see principle 6 – control 6.4.1.
CONTROL ACTIVITIES (3):

10. Development of general control activities that contribute to the mitigation of risks.
Control 10.1 – Management maintains narrative documentation for all processes that are in scope based on the risk assessment (this could be incorporated with policies and procedures). These processes are then summarized in an Excel matrix that clearly outlines risks and the associated controls that mitigate them. This matrix further identifies key controls relating to accurate and timely financial reporting, fraud controls and the link to COSO 2013 components and principles, financial statement assertions (“FSA”), control type (prevent, detect or compensating), frequency, and whether the control is manual or automated (IT).

11. Development of general IT controls.
Control 11.1 – Access to IT hardware, servers, routers and networking components is restricted to key personnel, with access rights approved by the Board.
Control 11.2 – Access rights to accounting applications are based on business needs; restricted use, or reports to monitor use, are assigned and monitored by the super user, with sign-off by the Board and Audit Committee on at least an annual basis.
Control 11.3 – User access (network server and remote access) is authenticated through a unique username and password, with an automatic logout period and limited password attempts. Password changes are required on a regular basis, as driven by the super user. Users sign a confidentiality agreement on at least a quarterly basis to acknowledge their responsibility to protect their password and the confidential nature of the critical and sensitive records they have access to modify and change.

12. Development of general control activities through policies and procedures.
Control 12.1 – see principle 1 – control 1.1.
Control 12.2 – Original documentation is obtained and maintained for all processes. Scanned or stored electronic data must be sufficiently clear, and all process owners are responsible for ensuring the transparency of records.
Control 12.3 – Documentation used for funds disbursements must clearly reflect a unique record with the business name and address, the date, the list of goods and services and the total funds paid.
Control 12.4 – Disbursement records are defaced to reflect GL coding, authorization and the business unit to which the payment applies, including full name and title for all employees and any non-employee the record applied to.
INFORMATION & COMMUNICATION (4):

13. Obtains or generates and uses relevant, quality information to support the functioning of IC.
Control 13.1 – Quarterly and annual closing checklists for 10-Q and 10-K reporting are completed and signed off by appropriate signatories, reflecting attestation to the analysis and approval of reports.
Control 13.2 – Audit Committee minutes reflect ratified and approved 10-Q and 10-K reports that were discussed with appropriate signatories, with evidence of corrections and changes clearly documented and maintained.
Control 13.3 – The Chart of Accounts and IT general and application controls and reports are monitored for modifications and operational effectiveness as part of the 10-Q and 10-K meetings.

14. Organization internally communicates objectives and responsibilities for IC.
Control 14.1 – see also principle 5 – the entity obtains regular employee verification of their awareness of and responsibility for internal controls, with sufficient transparency of their responsibilities in line with policies, procedures, organization charts and authorization matrices.

15. Organization communicates with external parties regarding matters affecting the functioning of IC.
Control 15.1 – 302 and 404 certifications (quarterly and annual, respectively) are asserted by management, and the annual 404 certification is opined on by the independent auditor.
Control 15.2 – A SOC 1 Type II (formerly SAS 70 Type II) report is obtained from any service organizations. Note that SSAE 16 and SOC 1 are the same.
MONITORING ACTIVITIES (5):

16. Organization selects, develops and performs ongoing and/or separate evaluations to ascertain the presence and functioning of ICFR.
Control 16.1 – see principle 1 – control 1.2.
Control 16.2 – see principle 2 – control 2.2.
Control 16.3 – The internal audit function adheres to professional standards, such as those of the Institute of Internal Auditors (“IIA”), as evidenced by transparent audit plans and programs that consider risk and are supported by sufficient audit evidence that can be independently verified.
Control 16.4 – IAD has authority to examine all aspects of the entity’s operations, with results clearly reported to management and the Audit Committee. Refer also to principle 1 – control 1.3.

17. Organization evaluates and communicates IC deficiencies in a timely manner to those responsible for taking corrective action (senior management and Board, as appropriate).
Control 17.1 – see principle 2 – control 2.3.
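As an added example that is not part of the original slides, the control matrix described in Control 10.1 is modelled below as plain records and checked against the rule stated in Part I that effective internal control covers all seventeen principles within the five components; "see principle X – control Y" cross-references of the kind used throughout the principles are resolved before the check. The record layout, the function names and the sample rows are assumptions constructed for this example (the sample deliberately follows the slides' control numbering but is incomplete); the principle-to-component grouping is COSO 2013's own.

```python
"""Coverage check for a COSO 2013 control matrix (added example, not from the slides).

Each row carries the columns Control 10.1 describes: principle, key-control flag,
financial statement assertions (FSA), control type, frequency, manual/automated,
plus an optional "see" reference to another control id.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COMPONENTS = {
    1: "Control Environment", 2: "Risk Assessment", 3: "Control Activities",
    4: "Information & Communication", 5: "Monitoring Activities",
}
# COSO 2013 groups the 17 principles by component: 1-5, 6-9, 10-12, 13-15, 16-17.
PRINCIPLE_COMPONENT: Dict[int, int] = {}
for _comp, _rng in ((1, range(1, 6)), (2, range(6, 10)), (3, range(10, 13)),
                    (4, range(13, 16)), (5, range(16, 18))):
    PRINCIPLE_COMPONENT.update({p: _comp for p in _rng})


@dataclass
class Control:                          # constructed record layout for this example
    control_id: str
    principle: int                      # 1..17
    description: str
    key: bool = False                   # key control for financial reporting
    assertions: Tuple[str, ...] = ()    # FSA the control addresses
    ctype: str = "prevent"              # prevent / detect / compensating
    frequency: str = "annual"
    automated: bool = False             # IT (automated) vs manual
    see: Optional[str] = None           # cross-reference to another control_id


def resolve(matrix: List[Control]) -> Dict[int, List[Control]]:
    """Map each principle to the controls covering it, following 'see' chains.

    A dangling or circular reference raises ValueError: a row that points at a
    control which does not exist has no evidence behind it.
    """
    by_id = {c.control_id: c for c in matrix}
    coverage: Dict[int, List[Control]] = {p: [] for p in range(1, 18)}
    for c in matrix:
        target, visited = c, {c.control_id}
        while target.see is not None:
            if target.see not in by_id or target.see in visited:
                raise ValueError(f"{c.control_id}: unresolvable reference {target.see!r}")
            visited.add(target.see)
            target = by_id[target.see]
        coverage[c.principle].append(target)
    return coverage


def find_gaps(matrix: List[Control]) -> Dict[str, List[int]]:
    """Principles with no control, principles whose controls are all non-key,
    and components with no covered principle at all."""
    coverage = resolve(matrix)
    missing = sorted(p for p, cs in coverage.items() if not cs)
    no_key = sorted(p for p, cs in coverage.items()
                    if cs and not any(c.key for c in cs))
    covered_components = {PRINCIPLE_COMPONENT[p] for p, cs in coverage.items() if cs}
    return {
        "missing_principles": missing,
        "principles_without_key_control": no_key,
        "components_uncovered": sorted(set(COMPONENTS) - covered_components),
    }


# Constructed sample following the slides' numbering; deliberately incomplete.
SAMPLE_MATRIX = [
    Control("1.1", 1, "Policies and procedures documented end to end", key=True,
            assertions=("existence", "completeness", "valuation"), frequency="quarterly"),
    Control("1.2", 1, "Code of Conduct signed before access is granted"),
    Control("2.1", 2, "Board-approved policies with dated review evidence", key=True),
    Control("2.3", 2, "Board reviews audit programs and management responses", ctype="detect"),
    Control("3.1", 3, "Organizational charts updated and Board approved", key=True),
    Control("7.1", 7, "Risks identified and assessed", see="1.1"),
    Control("8.1", 8, "Fraud considered in assessing risks", see="3.1"),
    Control("11.3", 11, "Unique username/password, auto logout, limited attempts",
            key=True, frequency="continuous", automated=True),
    Control("13.1", 13, "10-Q/10-K closing checklists signed off", key=True,
            assertions=("completeness", "presentation"), ctype="detect", frequency="quarterly"),
    Control("16.1", 16, "Ongoing evaluation", see="1.2"),
    Control("17.1", 17, "Deficiencies communicated", see="2.3"),
]

if __name__ == "__main__":
    for name, gaps in find_gaps(SAMPLE_MATRIX).items():
        print(f"{name}: {gaps}")
```

Run on the sample, the check reports the eight principles with no control at all and flags principles 16 and 17, whose only controls are cross-references to non-key controls.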