
Updated COSO Framework & Green Book

Presentation on theme: "Updated COSO Framework & Green Book"— Presentation transcript:

1 Updated COSO Framework & Green Book

2 Effective Dates
COSO: the updated Framework supersedes the original Framework at the end of the transition period (December 15, 2014).
Green Book: GAO's 2014 revision is effective beginning with fiscal year 2016.

3 What is COSO? COSO is the Committee of Sponsoring Organizations of the Treadway Commission. Its sponsoring organizations are:
American Accounting Association (AAA)
American Institute of Certified Public Accountants (AICPA)
Financial Executives International (FEI)
Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)

4 What is the Green Book? Standards for Internal Control in the Federal Government, issued by the Government Accountability Office (GAO) under the Comptroller General of the United States. It "may also be adopted by state, local, and quasi-governmental entities as a framework for an internal control system."

5 OK, so why should I care? Auditors are required to gain an understanding of the control framework: the COSO Internal Control Framework and the Green Book. For Federal Grants & Single Audit, the new "Super Circular" adds additional emphasis on internal controls: auditors must obtain an understanding of those controls and determine that they are designed and implemented. It refers to the components of internal control within COSO, which have been adopted by the Green Book.

6 Link to the Yellow Book (2011 Yellow Book)
¶A.04 states that, in addition to the COSO framework, Standards for Internal Control in the Federal Government (aka the Green Book) provides definitions and fundamental concepts pertaining to internal control at the federal level and may be useful to auditors at other levels of government. The related "Internal Control Management and Evaluation Tool," based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing the internal control structure.

7 Uniform Guidance Synopsis
Internal Controls ( )
Strong emphasis on internal controls: mentioned 103 times in the 12/26/2013 Federal Register notice.
The Uniform Guidance references "Standards for Internal Controls in the Federal Government," issued by the Comptroller General (also known as the "Green Book"), and "Internal Control Integrated Framework," issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
What does this mean? While OMB has clarified in an FAQ that there is no expectation that we have to explicitly follow these referenced guidelines (as long as we have effective internal controls in place), it is unclear what the audit community will expect.

8 Internal Controls (200.303) The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

9 Components of Internal Control

10 Updated principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

11 Updated principles of effective internal control (continued)
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

12 How Various Controls Affect Principles, e.g.,
Component: Control Environment
Principle: 1. A CPA firm demonstrates a commitment to integrity and ethical values
Controls embedded in other components that may affect this principle:
Information Technology staff continuously tests for data breaches of personally identifiable information (Control Environment)
Management obtains and reviews the data and information underlying potential deviations captured in reports generated immediately upon occurrence (Information & Communication)
The risk manager separately evaluates the Control Environment, considering employee behaviors and whistleblower hotline results, and reports thereon (Monitoring Activities)

13 Update principles of effective internal control (continued)
Risk Assessment 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 9. The organization identifies and assesses changes that could significantly impact the system of internal control.

14 How Various Controls Affect Principles, e.g.,
Component: Risk Assessment
Principle: The Controller identifies risks to the achievement of the objectives across the office and analyzes risks as a basis for determining how the risks should be managed.
Controls embedded in other components that may affect this principle:
As part of the meetings with senior staff on goals and objectives, risks are noted and potential controls against those risks are brainstormed and initiated if approved by the audit committee (Risk Assessment)
The result of the brainstorming is communicated to staff as part of semi-annual reviews (Information & Communication)
A dashboard of risks is established and is updated with each batch cycle; employee reviews are completed timely (Monitoring Activities)

15 Updated principles of effective internal control (continued)
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

16 How Various Controls Affect Principles, e.g.,
Component: Control Activities
Principle: The Controller selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Controls embedded in other components that may affect this principle:
Every two years, the Controller rotates duties among the divisional managers, not only to provide them with broader experience but also to lower the risk of financial reporting fraud. Staff enjoy the rotation as they are not working the same job repeatedly (Control Activities)
A report is developed predicting payables over the next 30 days and disseminated to fiscal officers; the payables are compared to encumbrances (Information & Communication)
The Comptroller reviews payables that are unusual, infrequent, or above $5,000 (Monitoring Activities)

17 Updated principles of effective internal control (continued)
Information & Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

18 Updated principles of effective internal control (continued)
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

19 How Various Controls Affect Principles, e.g.,
Component: Monitoring Activities
Principle: The Controller selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Controls embedded in other components that may affect this principle:
The quality assurance division's reports are also transmitted to the division where the problem occurred, and corrective action is taken. If no corrective action is accomplished, the issue is recorded in the employee's personnel file and, if repeated, could be grounds for termination (Control Activities)
Statistical reports on uses of personally identifiable information are reported to employees on a monthly basis, and all employees are trained semi-annually on when, how, and by whom PII may be accessed (Information & Communication)
Reports on detected improper use of personally identifiable information by employees are escalated to a senior review board that investigates all activities and responds to breaches in accordance with state law (Monitoring Activities)

20 COSO & Green Book: required to address when implementing
5 components of internal control
17 principles
Points of focus (not required): COSO – 87; Green Book – 47 (called attributes)

21 Example Attribute
Component: Risk Assessment
Principle 7: "Management should identify, analyze, and respond to risks related to objectives"
Attributes to the principle: Identification of Risks; Analysis of Risks; Response to Risks
(Green Book, Risk Assessment, Principle 7 - Identify, Analyze, and Respond to Risks, page 38, GAO G Federal Internal Control Standards)

Identification of Risks
7.02 Management identifies risks throughout the entity to provide a basis for analyzing risks. Risk assessment is the identification and analysis of risks related to achieving the defined objectives to form a basis for designing risk responses.
7.03 To identify risks, management considers the types of risks that impact the entity. This includes both inherent and residual risk. Inherent risk is the risk to an entity in the absence of management's response to the risk. Residual risk is the risk that remains after management's response to inherent risk. Management's lack of response to either risk could cause deficiencies in the internal control system.
Management considers all significant interactions within the entity and with external parties, changes within the entity's internal and external environment,23 and other internal and external factors to identify risks throughout the entity. Internal risk factors may include the complex nature of an entity's programs, its organizational structure, or the use of new technology in operational processes. External risk factors may include new or amended laws, regulations, or professional standards; economic instability; or potential natural disasters.
Management considers these factors at both the entity and transaction levels to comprehensively identify risks that affect defined objectives.24 Risk identification methods may include qualitative and quantitative ranking activities, forecasting and strategic planning, and consideration of deficiencies identified through audits and other assessments.

Analysis of Risks
7.05 Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective.
Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk's impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual transactions. The oversight body may oversee management's estimates of significance so that risk tolerances have been properly defined.
Risks may be analyzed on an individual basis or grouped into categories with related risks and analyzed collectively. Regardless of whether risks are analyzed individually or collectively, management considers the correlation among different risks or groups of risks when estimating their significance. The specific risk analysis methodology used can vary by entity because of differences in entities' missions and the difficulty in qualitatively and quantitatively defining risk tolerances.

Response to Risks
7.08 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following:
• Acceptance - No action is taken to respond to the risk based on the insignificance of the risk.
• Avoidance - Action is taken to stop the operational process or the part of the operational process causing the risk.
• Reduction - Action is taken to reduce the likelihood or magnitude of the risk.
• Sharing - Action is taken to transfer or share risks across the entity or with external parties, such as insuring against losses.
Based on the selected risk response, management designs the specific actions to respond to the analyzed risks. The nature and extent of risk response actions depend on the defined risk tolerance. Operating within the defined risk tolerance provides greater assurance that the entity will achieve its objectives. Performance measures are used to assess whether risk response actions enable the entity to operate within the defined risk tolerances. When risk response actions do not enable the entity to operate within the defined risk tolerances, management may need to revise risk responses or reconsider defined risk tolerances. Management may need to conduct periodic risk assessments to evaluate the effectiveness of the risk response actions.

Footnotes: 23 See paras through 9.03 for further discussion of changes in the internal control system. 24 See paras through for further discussion of level of controls.
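The Green Book text above names the inputs (magnitude, likelihood, nature of the risk), the four response types, and the tolerance comparison, but not how a risk register carries them through. The following is an added example written for this page, not GAO's or the presenter's material: the 1-to-5 ordinal scales, the product scoring rule, the extra weight for fraud-related risks, the per-objective tolerances, and the sample risks are all assumptions of the example. It computes inherent significance, applies the designed response to get residual risk, and flags entries where the response does not bring the risk within tolerance (the 7.08 "revise responses or reconsider tolerances" case).

```python
"""Risk register walk-through: inherent risk -> response -> residual risk vs. tolerance.

Added example. The 1..5 scales, the magnitude x likelihood scoring rule and
the sample register are assumptions made here, not Green Book requirements.
"""
from dataclasses import dataclass
from typing import Optional

# Response types listed in Green Book 7.08.
ACCEPT, AVOID, REDUCE, SHARE = "acceptance", "avoidance", "reduction", "sharing"


@dataclass
class Risk:
    name: str
    objective: str                 # objective category the risk relates to
    magnitude: int                 # 1 (negligible) .. 5 (severe), assumed scale
    likelihood: int                # 1 (rare) .. 5 (almost certain), assumed scale
    fraud_related: bool = False    # "nature of the risk" factor from 7.05
    response: str = ACCEPT
    # Effect the designed response is expected to have (assumed by the owner
    # when the response is designed); None means "unchanged".
    likelihood_after: Optional[int] = None
    magnitude_after: Optional[int] = None


def significance(magnitude: int, likelihood: int, fraud_related: bool = False) -> int:
    """Score = magnitude x likelihood, plus score // 4 when fraud related (assumed weighting)."""
    for v in (magnitude, likelihood):
        if not 1 <= v <= 5:
            raise ValueError("scores must be 1..5")
    score = magnitude * likelihood
    return score + (score // 4 if fraud_related else 0)


def inherent(risk: Risk) -> int:
    """Significance in the absence of any management response (7.03 inherent risk)."""
    return significance(risk.magnitude, risk.likelihood, risk.fraud_related)


def residual(risk: Risk) -> int:
    """Significance remaining after the designed response (7.03 residual risk)."""
    if risk.response == AVOID:
        return 0                     # the process causing the risk is stopped
    if risk.response == ACCEPT:
        return inherent(risk)        # no action taken
    if risk.response == SHARE and risk.magnitude_after is None:
        raise ValueError(f"{risk.name}: a sharing response must state the magnitude retained")
    lk = risk.likelihood if risk.likelihood_after is None else risk.likelihood_after
    mg = risk.magnitude if risk.magnitude_after is None else risk.magnitude_after
    return significance(mg, lk, risk.fraud_related)


def evaluate(register: list, tolerance: dict) -> list:
    """One row per risk; 'action' records whether the response must be revisited."""
    rows = []
    for r in register:
        inh, res, tol = inherent(r), residual(r), tolerance[r.objective]
        if res <= tol:
            action = "within tolerance"
        elif r.response == ACCEPT:
            action = "acceptance not justified: significance above tolerance"
        else:
            action = "revise response or reconsider tolerance"
        rows.append({"risk": r.name, "inherent": inh, "residual": res,
                     "tolerance": tol, "response": r.response, "action": action})
    return rows


# Constructed sample register and tolerances (assumed values).
SAMPLE_REGISTER = [
    Risk("Grant funds disbursed without approval", "compliance", 5, 3, fraud_related=True,
         response=REDUCE, likelihood_after=1),
    Risk("Payroll server outage", "operations", 3, 4, response=SHARE, magnitude_after=1),
    Risk("Unauthorized access to PII", "compliance", 4, 2, response=ACCEPT),
    Risk("Manual spreadsheet journal entries", "reporting", 3, 5, response=REDUCE,
         likelihood_after=3),
]
SAMPLE_TOLERANCE = {"compliance": 6, "operations": 8, "reporting": 6}


def sample_evaluation() -> list:
    return evaluate(SAMPLE_REGISTER, SAMPLE_TOLERANCE)


if __name__ == "__main__":
    for row in sample_evaluation():
        print(f"{row['risk']:<42} inherent={row['inherent']:>2} residual={row['residual']:>2} "
              f"tol={row['tolerance']} {row['response']:<10} {row['action']}")
```

Two things the run shows that the prose does not: accepting a risk whose inherent significance already exceeds tolerance is flagged as an unjustified acceptance rather than a tolerance problem, and a reduction that only lowers likelihood from 5 to 3 still leaves a 3 x 3 = 9 residual above a tolerance of 6, which is exactly the point at which 7.08 says the response or the tolerance has to be revisited.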

22 Documentation Requirements
If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.

23 Documentation Requirements
Control Environment Management develops and maintains documentation of its internal control system. Control Activities Management documents in policies the internal control responsibilities of the organization.

24 Documentation Requirements
Monitoring Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis.

25 Control Considerations - CE
Establishment of a formal Code of Conduct that communicates appropriate ethical and moral behavior, penalties, and how to report when becoming aware of any potential issue; covers conflicts of interest, including dealings with suppliers.
Proper hiring and training program (commitment to competence), including policies and procedures for hiring, training, promoting, discipline, and termination.

26 Control Considerations - CE
Key areas of authority and responsibility are defined and communicated.
Establishment of an internal audit function.
Establishment of a fraud/ethics hotline, properly designed and reporting to the appropriate levels of the government.

27 Control Considerations - RA
Brainstorm, including the appropriate levels of the organization (always include IT); this means not just finance/business.
Identify risks associated with compliance, operations, and reporting.
Should not be a once-and-done approach.
Should consider both entity-wide and activity-level objectives, and internal and external risks.

28 Control Considerations - RA
Maintain a list of the items identified in brainstorming.
Assess likelihood and significance (benchmark against your entity's risk appetite).
Identify a corresponding control to address each risk that is significant, likely, or both.
Update the list with additional areas identified while performing monitoring activities.

29 Control Considerations - RA
Principle 8 - The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Added emphasis on fraud.
Resource: "Managing the Business Risk of Fraud: A Practical Guide"

30 IT'S FREE! http://www. acfe
Currently in the process of revision.

31 Control Considerations - CA

32 Control Considerations - CA
Don't forget IT General Controls:
Password(s)
Segregation of Duties
Approvals
Change Management Controls
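Three of the four IT general controls listed above (segregation of duties, approvals, change management) can be tested continuously from an application's audit trail rather than only by periodic sampling, which is what ongoing monitoring in the sense of slide 33 looks like in practice. The following is an added example for this page, not from the presentation or any product: the comma-separated log format, the event names, the user names and the sample lines are constructed for the illustration. It groups events by transaction or change record and reports a creator who approved their own transaction, a payment with no prior approval, a deployment with no independent change approval, and (borrowing the $5,000 threshold from slide 16) large payments for review. Password controls are not covered here.

```python
"""IT general control checks run over a constructed application audit log.

Added example; the log format, event names, users and rules are assumed
for the illustration. Each line is:
  ISO timestamp, event, user, record id, amount (blank for change records)
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log (assumed data).
SAMPLE_LOG = """\
2015-03-02T09:01:00,create,alice,INV-1001,4200
2015-03-02T09:30:00,approve,bob,INV-1001,4200
2015-03-02T10:00:00,pay,carol,INV-1001,4200
2015-03-02T11:00:00,create,dave,INV-1002,7800
2015-03-02T11:05:00,approve,dave,INV-1002,7800
2015-03-02T11:10:00,pay,carol,INV-1002,7800
2015-03-02T12:00:00,create,alice,INV-1003,950
2015-03-02T12:30:00,pay,carol,INV-1003,950
2015-03-03T08:00:00,change_request,erin,CHG-55,
2015-03-03T08:20:00,change_approve,frank,CHG-55,
2015-03-03T09:00:00,deploy,erin,CHG-55,
2015-03-03T14:00:00,deploy,erin,CHG-56,
"""


def parse_log(text: str) -> list:
    """Parse the CSV log into dicts; amount is None for change-management events."""
    rows = []
    for ts, event, user, rec_id, amount in csv.reader(StringIO(text)):
        rows.append({"ts": ts, "event": event, "user": user, "id": rec_id,
                     "amount": float(amount) if amount else None})
    return rows


def check_controls(rows: list, review_threshold: float = 5000.0) -> list:
    """Return (rule, record id, detail) findings in log order."""
    by_record = defaultdict(list)
    for r in rows:                      # rows are assumed to be in time order
        by_record[r["id"]].append(r)

    findings = []
    for rec_id, evs in by_record.items():
        users_by_event = defaultdict(set)
        for e in evs:
            users_by_event[e["event"]].add(e["user"])

        # Segregation of duties: the creator must not approve the same record.
        for u in sorted(users_by_event["create"] & users_by_event["approve"]):
            findings.append(("SoD", rec_id, f"{u} created and approved"))

        # Approvals: a payment must be preceded by an approval event.
        pay_idx = next((i for i, e in enumerate(evs) if e["event"] == "pay"), None)
        if pay_idx is not None and not any(e["event"] == "approve" for e in evs[:pay_idx]):
            findings.append(("approval", rec_id, "paid without prior approval"))

        # Change management: deploy needs a prior approval by someone other than the requester.
        dep_idx = next((i for i, e in enumerate(evs) if e["event"] == "deploy"), None)
        if dep_idx is not None:
            requesters = users_by_event["change_request"]
            approvers = {e["user"] for e in evs[:dep_idx] if e["event"] == "change_approve"}
            if not (approvers - requesters):
                findings.append(("change_mgmt", rec_id, "deployed without independent approval"))

        # Review threshold: large payments go to the comptroller's review list.
        for e in evs:
            if e["event"] == "pay" and e["amount"] is not None and e["amount"] > review_threshold:
                findings.append(("review", rec_id,
                                 f"payment {e['amount']:.0f} above {review_threshold:.0f}"))
    return findings


if __name__ == "__main__":
    for rule, rec_id, detail in check_controls(parse_log(SAMPLE_LOG)):
        print(f"{rule:<12} {rec_id:<9} {detail}")
```

On the sample log this reports INV-1002 twice (dave approved his own invoice, and the payment is above the review threshold), INV-1003 for payment without approval, and CHG-56 for a deployment with no change approval; INV-1001 and CHG-55 are clean. The approval and change checks look at event order, so an approval logged after the payment or deployment does not satisfy them.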

33 Control Considerations - MA
Ongoing monitoring – regular management and supervisory activities, comparisons, reconciliations, and other routine actions Separate evaluations – can be conducted by management or others such as internal auditors or management consultants

34 Control Considerations – I/C
Established communication exists to provide appropriate information to individuals regarding their responsibilities and role in the internal control process.
Communication channels exist for employees and management to report issues up the chain, so that appropriate action is taken.
Appropriate information is generated to support internal controls.

35 Large vs Small Entity OV4.04 The 17 principles apply to both large and small entities. However, smaller entities may have different implementation approaches than larger entities. Smaller entities typically have unique advantages, which can contribute to an effective internal control system. These may include a higher level of involvement by management in operational processes and direct interaction with personnel. Smaller entities may find informal staff meetings effective for communicating quality information, whereas larger entities may need more formal mechanisms—such as written reports, intranet portals, or periodic formal meetings—to communicate with the organization.

