2. Components of Internal
Control
• COSO sets forth five
components of internal
control:
– Control Environment
– Risk Assessment
– Control Activities
– Information and
Communication
– Monitoring
3. Components of Internal
Control (continued)
Two types of Controls:
• Organizational Level Controls (Focus of this Presentation)
• Functional Level Controls
COSO Component: Primary Level of Application
– Control Environment: Organizational Level
– Risk Assessment: Organizational Level
– Information and Communication: Organizational Level (Communication); Functional Level (Information Systems)
– Control Activities: Functional Level
– Monitoring: Organizational Level
4. Control Environment
• Sets the Organization’s Tone
• Most Cost Effective and Efficient way to
Implement Internal Control
• Affects all Other Aspects of Internal Control
• Control Environment Factors Include the
Following Principles:
– Integrity and ethical values, commitment to competence, oversight by board or
audit committee, management’s philosophy and operating style, organizational
structure, manner of assigning authority and responsibility, HR policies and
procedures.
• Hard Controls vs. Soft Controls
5. Integrity and Ethical Values
• Management’s Integrity Plays a Significant
Role in “Setting the Tone at the Top”
• Challenges Faced when Establishing Ethical
Values:
– Balancing the Issues and Concerns of Various
Parties
– Assigning Prominence to High Ethical Behavior
within the Organization
– Balancing Short-Term and Long-Term Goals
6. Commitment to
Competence
• Employee Competence is Critical to an Organization’s
Control Environment
– Otherwise, Employees May Not Follow Policies
– Internal Control Effectiveness would be Impaired
• Competence Levels Required are Determined by
Management.
– Implemented by hiring decisions, training
– Competence comes with cost
– Jobs with less supervision require more Competence
7. Board of Directors / Audit
Committee
• Their Existence Plays a Role in Setting Tone at the Top
• Board and Audit Committee Should Consist of
Executives Outside the Company
– Outsiders are Less Likely to be Influenced by Management
• Audit Committee Should Oversee:
– Internal Controls over Financial Reporting
– Fraud Risks Identified by Management
– Implementation of Anti-Fraud Measures
– Creation of Appropriate Tone at the Top
– Consideration of Management Override of Controls
8. The Audit Committee
Should…
• Exercise Appropriate Skepticism
• Have Knowledge of the Business and Industry
• Brainstorm Possible Fraud Risks
• Assess Tone at the Top via the Code of Conduct
• Use an Effective Whistleblower Program (including a
fraud hotline)
• Develop an Effective Information and Feedback
Network
9. Management’s Philosophy
and Operating Style
• Management Style: Formal vs. Informal
– Organizations with a formal management style generally have more
structured policies and procedures in place.
– Organizations with an informal management style use personal
contact with supervisors as a control function instead of written
policies and procedures.
• Management’s Philosophy and Operating Style Determine
Acceptable Behavior and Expectations for Each Employee
– An effective antifraud environment is created with a strong value
system founded on integrity.
– Proper examples set by management resonate through the business
10. Organizational Structure
• Organizational Structure:
– “Provides the framework within which its activities for achieving
entity-wide objectives are planned, controlled, and monitored.”
– Types of structures include: Centralized, decentralized, matrix
reporting relationships, direct reporting relationships.
– Can be organized by: Product line, industry, geographic location,
distribution network, marketing network, function.
– Issues to consider when establishing appropriate organizational
structure are how: Areas of authority are defined, appropriate
responsibilities are assigned, appropriate lines of reporting are
established.
11. Assignment of Authority and
Responsibility
• Determined by Management
– Segregation of Duties should be Considered
– Delegating authority to those closest to the transaction
facilitates timely decision-making. However, it raises the risk
of poor decisions.
• Other Factors Affecting how Organizations
Delegate Responsibilities include:
– Organizational structure, competence,
accountability, monitoring.
12. Assignment of Authority and
Responsibility (Continued)
• Considerations for assignment of authority
and responsibility related to financial
reporting include:
– Appropriateness of authority and responsibility to
meet required objectives
– Policies that prevent unauthorized access
– Authorization is assigned at
appropriate levels
13. Human Resource Policies and
Procedures
• HR Policies and Procedures enable and
reinforce other aspects of the control
environment.
– Includes an organization’s practices relating to: hiring,
orientation, training, evaluating, counseling, promoting,
compensating, and remedial actions.
14. Special Considerations for Small
and Mid-sized Businesses
• Nature and Size of the Business
• Organization and Ownership Characteristics
• Diversity and Complexity of Operations
• Methods for Processing Financial Information
• Legal and Regulatory Requirements
15. Challenges for Smaller Businesses in
Implementing Internal Controls
• Management Influence
– Potential for management override of controls is greater with smaller
companies.
• Segregation of Duties
– This is often difficult with smaller companies since there are fewer
employees to split tasks with.
• Qualified Accounting Personnel
– Smaller companies may not have the resources to hire accounting
personnel with the appropriate technical skills.
16. Challenges for Smaller Businesses in
Implementing Internal Controls (Continued)
• Board of Directors and Audit Committee
– Smaller companies may not have the resources to attract a qualified
board of directors.
• Information Technology
– It may not make financial sense for a smaller company to have an
expensive ERP system with robust controls.
17. Managing Change – Potential
Changes with Significant Impact
• Changes in the Organization’s Operating Environment
– Management implements changes that result in additional risks
– Competitive pressures affect marketing or production strategies
– Deregulation affects competition and cost structures
• New Personnel May:
– Not have proper understanding of control
– Not understand the corporate culture
– Emphasize performance over control activities
– Not have the training and supervision necessary for controls to operate
• New or Revised Information Systems
– Time and cost constraints, and other issues on implementation
– Lack of training and lack of new controls related to new system
18. Managing Change – Potential Changes
with Significant Impact (Continued)
• Rapid Growth within the Organization
– May strain existing systems and personnel
– Shifting responsibilities
– More focused on results than on controls
• New Technology
– New or modified controls need to be implemented to address new technology
– Personnel may require training on use of new technology
• New Business Models, Products, or Activities
– Personnel may be unfamiliar with new business models, products, and activities
– Existing controls may not address new areas
19. Managing Change – Potential Changes
with Significant Impact (Continued)
• Restructuring Within the Organization May Result In:
– Staff reductions, inadequate supervision, inadequate separation of duties,
reassignment of personnel and new duties
• Expanded Foreign Operations
– Culture and customs of foreign country may be different
– Economic and regulatory environment may be different
• Adoption of New Accounting Principles
– Unfamiliar with new requirements
– New requirements may affect a variety of accounts and transactions
– Complex requirements may require study and analysis to ensure provisions
are applied properly
– Presentation and disclosure issues
20. Communication
• Communication of expectations, responsibilities, and other
matters is necessary for the business to operate effectively
• Internal Communication: It is important that management
communicates:
– The importance of internal control
– Internal control responsibilities
– That unexpected events should be investigated
– How job activities relate to the work of others
21. Communication
(Continued)
• Importance of Upstream Communication
– Information flowing from bottom to top
– Significant operating issues are typically identified by
people close to the transaction
– Sales representatives may learn new ways to give company
products an edge
– Personnel may be aware of ways to cut costs
– Finance employees may be aware of misstatements
22. Communication
(Continued)
• For upstream communication to occur, open
channels must be available
• Management should communicate key issues
to the board
23. Communication
(Continued)
• External Communication
– Communication with companies doing business
with the organization
– Communication with independent auditors
– Communication with regulators
– Communication with shareholders
24. Monitoring
• Monitoring can be accomplished through:
– Ongoing Activities
• Comparisons
• Reconciliations
• Internal and External Audit
• Regulators
• Vendors & Customers
– Separate Evaluations
– A Combination of the Two
26. Thank You!
Please call Debbie Risher or Marvin
Willis at Smith & Howard with
questions.
404-874-6244
www.smith-howard.com
drisher@smith-howard.com
Editor’s notes
Organizational level controls relate to the organization as a whole, as opposed to functional level controls, which focus on specific processes. Organizational level controls serve as the foundation for all control components within the organization.
Control Environment: Sets the tone of an organization and influences the control consciousness of its people. The control environment is the foundation for all other components of internal control and provides structure and discipline.
Risk Assessment is the process of setting objectives, prioritizing, identifying, analyzing, and managing risks to the organization.
Communication relates to providing an understanding of the control policies to employees.
Monitoring is the process that assesses the quality of internal control and takes action if necessary.
(Mostly self-explanatory without much more wording in the chapter)
Hard Controls include oversight from the Board, organizational structure, assigning authority and responsibility, and HR policies. Soft controls are less tangible and include: integrity, ethical values, competence, management philosophy and operating style.
Balancing the issues and concerns of various parties: Management must consider issues concerning the organization, employees, suppliers, customers, competitors, and the public.
Assigning prominence to high ethical behavior: Successful organizations have generally recognized the importance of integrity and ethical behavior.
Balancing short and long term goals: Overemphasizing short term results (sales, profit) may lead to unethical behavior such as unethical sales practices, financial statement manipulation, fraud.
Employees should possess the knowledge and skills necessary to accomplish job-related tasks.
Competence comes with a cost. Higher competence typically means hiring more expensive employees, and extra costs incurred to maintain proper training.
An organization’s board and audit committee play an important role within the control environment of an organization: setting the tone at the top.
Exercising appropriate skepticism: Audit committees should have the proper attitude towards the risk of management override of controls. Audit committees should understand the risk of fraud is present in every entity. Asking tough, probing questions would reflect the audit committee’s skepticism.
Knowledge of the business and industry: Committee members should have knowledge of the business and industry. Risks are different, depending on which industry the entity operates in. There are also risks specific to an individual entity based on their history and operating structure.
Brainstorming possible fraud risks: Brainstorming helps the audit committee take a step back and assess how fraud could occur.
Tone at the top via the code of conduct: The audit committee uses the code of conduct as a benchmark for assessing whether the company’s culture at the top is likely to maintain the high level of integrity needed to prevent fraud.
Whistleblower programs: Allows an anonymous employee to submit information regarding suspected unethical behavior by members of the organization. This is an effective tool to combat management override of controls. Tips are the leading method of detecting fraud – as many as 40% of detected frauds are uncovered as a result of an employee tip.
Develop an effective information and feedback network: It is important for the audit committee to consider sources of information other than that of senior management. Communication network should include: Key employees, compensation committee, internal audit, external audit.
The philosophy and operating style displayed by management impacts how the organization is managed, including its approach to accepting and managing business risks.
Many organizations have placed responsibility for making decisions with employees closest to the situation or transaction. Delegating authority in this manner facilitates timely decision-making and quick reaction to changing conditions. However, delegation also raises the risk that employees will make poor decisions or act in ways contrary to management’s wishes. Thus, management should weigh the risks associated with decisions and delegate authority and responsibilities only to the extent required to achieve the organization’s objectives.
Organizational structure: The level of delegation impacts the organizational structure since it generally leads to a flatter structure.
Competence: Employee competence is an even bigger factor when authority has been extensively delegated.
Accountability: As management and employees are granted more authority and responsibilities, they must be held accountable for their decisions.
Monitoring: Management must monitor the decision-making process and associated results.
(no further detail available)
HR policies and procedures enable and reinforce other aspects of the control environment: integrity, ethical behavior, and competence.
HR policies and procedures that affect financial reporting and safeguarding of assets include: Standards for hiring qualified job candidates, recruiting that includes comprehensive interviews, background checks and reference checks of financial reporting personnel, training, employee performance evaluations, compensation and advancement policies, and remedial actions.
Smaller businesses, due to their size and limited resources, are generally more sensitive to the costs of implementing controls. However, COSO’s expectation for smaller businesses is the same as for large businesses. The approaches a small business takes to achieve an effective internal control environment may differ from those of a large business.