Exposure Draft
December 2011
What is COSO?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
Sponsoring Organizations
American Accounting Association
Points to consider
Internal control is:
A process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
Geared to the achievement of objectives in one or more separate but overlapping categories.
Categories of Objectives
Operations: Improving Quality; Reducing Costs; Reducing Production Time; Improving Innovation; Improving Customer Satisfaction; Improving Employee Satisfaction; etc.
Reporting: External Financial Reporting Objectives; External Non-Financial Reporting Objectives; Internal Financial Reporting Objectives
Compliance: Identifying Applicable Laws and Regulations; Ensuring Compliance with Applicable Laws and Regulations
Monitoring
Control Activities
Risk Assessment
Control Environment
Risk Assessment
4 principles
Control Activities
3 principles
81 Attributes
3 principles
Monitoring Activities
2 principles
Total
17 principles
Operations Objectives
Compliance Objectives
Reporting Objectives
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
12. The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.
Establishes Standards of Conduct: The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners.
Plans and Prepares for Succession: Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.
5. Enforces Accountability
Enforces Accountability through Structures, Authorities, and Responsibilities: Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary.
Establishes Performance Measures, Incentives, and Rewards: Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives.
Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance: Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.
Considers Excessive Pressures: Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
Evaluates Performance and Rewards or Disciplines Individuals: Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action as appropriate.
Considers Tolerances for Risk: Management considers the acceptable levels of variation relative to the achievement of operations objectives.
Reflects Management's Choices: Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity.
Includes Operations and Financial Performance Goals: The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
Forms Basis for Committing of Resources: Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.
Complies with Applicable Accounting Standards: Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
Reflects Entity Activities: External reporting reflects the underlying transactions and events within a range of acceptable limits.
Considers Tolerances for Risk: Management considers the acceptable levels of variation relative to the achievement of compliance objectives.
Reflects External Laws and Regulations: Laws and regulations establish minimum standards of behavior which the entity integrates into compliance objectives.
Establishes Relevant Technology Infrastructure Control Activities: Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
Establishes Responsibility and Accountability for Executing Policies and Procedures: Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
Takes Corrective Action: Responsible personnel investigate and act on matters identified as a result of executing control activities.
Reassesses Policies and Procedures: Management periodically reviews control activities to determine their continued relevance, and refreshes them when necessary.
Selects Relevant Method of Communication: The method of communication considers the timing, audience, and nature of the information.
Selects Relevant Method of Communication: The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.
Communicates with the Board of Directors: Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
Reports Deficiencies to Senior Management and the Board of Directors: Deficiencies are reported to senior management and to the board of directors, as appropriate.
Monitors Corrective Actions: Management tracks whether deficiencies are remediated on a timely basis.
has a key role in defining expectations on integrity and ethical values and internal control responsibilities.
have a working knowledge of the entity's activities and environment, and they commit the time necessary to fulfill their governance responsibilities.
utilize resources as needed to investigate any issues, and have an open and unrestricted communications channel with all entity personnel, the internal auditors, independent auditors, external reviewers, and legal counsel.
Audit Committee
Compensation Committee
Nomination/Governance Committee
Other Committees
ultimately responsible for the effectiveness of the entity's internal control system
sets the tone at the top that affects control environment factors and all other components of internal control.
Providing leadership and direction to senior management. With the support of management, the CEO shapes the values, principles, and major operating policies that form the foundation of the entity's internal control system.
Meeting periodically with senior management from each of the operating units (e.g., research and development, production, marketing, sales) and major business enabling functions (e.g., finance, human resources, legal, compliance, risk management).
Defining metrics, targets, or other measurable expectations with which to gauge the ongoing and long-term effectiveness of the system of internal control. The methods of designing, implementing, and assessing internal control are delegated to management at different levels.
Directing all management and other personnel to proactively identify threats to the system of internal control. Given the ever-increasing pace of change and networked interactions of business partners, customers, and employees, the sources of threat to an ongoing effective internal control system are constantly changing. The CEO expects senior management in particular to beware of making assumptions based on the traditional sources of threats to an effective internal control system.
supports the CEO in front-line responsibilities, including internal control over financial reporting.
is integrally involved when the entity's strategies are decided, objectives are established, risks are analyzed, and decisions are made on how changes will be managed.
provides valuable input and direction and is positioned to focus on evaluating and following up on the actions decided by management.
is an equal partner with the other functional heads.
guides the development and implementation of internal control policies and procedures that address the objectives of their functional or operating unit and verify that they are consistent with the entity-wide objectives.
assigns responsibility for establishing even more specific internal control procedures to those personnel responsible for the unit's functions or departments.
provide guidance and assessment of internal control related to their areas of expertise.
keep the organization informed of relevant requirements as they evolve over time. Their efforts are coordinated and integrated as appropriate.
evaluate the adequacy and effectiveness of controls in responding to risks within the organization's oversight, operations, and information systems regarding:
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations and programs.
Safeguarding of assets.
Compliance with laws, regulations, policies, procedures, and contracts.
Assessing Effectiveness
When controls are effective, the organization:
Understands the extent to which operations are managed effectively and efficiently.
Prepares reliable reports.
Each of the five components must be present and operate together. Effectiveness of internal control is assessed relative to the five components of internal control. Effectiveness of internal control can also be assessed relative to a specific part of the organizational structure.
Determining whether a principle is present and functioning implies that the organization:
Understands the intent of the principle and how it is being applied.
Applies the principle consistently across the entity.
Works to help personnel understand and apply the principle across the entity.
Views omission of or non-conformity with a principle as an exception (i.e., not applying the wording, intent, and spirit of
Developing control activities that contribute to the mitigation of risks based on a risk assessment process is a part of internal control, but choosing which risk response is preferred to address specific risks is not.
Q & A Session
Thank You