COSO – Integrated Framework

COSO is the Committee of Sponsoring Organizations of the Treadway Commission. Its five sponsoring organizations are the AICPA, the IIA, the IMA, the AAA and the FEI.

In 1992, COSO issued a landmark report identifying a framework for internal control. This framework was given near-regulatory status by the PCAOB in its Auditing Standard No. 2 (since superseded by Auditing Standard No. 5). The framework is not without its detractors.
What is internal control?

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:

1. Effectiveness and efficiency of operations. Includes performance and profitability goals, and safeguarding of resources.
2. Reliability of financial reporting. Includes external reporting of all sorts.
3. Compliance with applicable laws and regulations.

The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are part of the essence of the enterprise.

When can controls be judged effective?

Controls are effective when management and the board have reasonable assurance that, for each category:

1. Effectiveness and efficiency of operations: management understands the extent to which the entity's objectives are being achieved.
2. Reliability of financial reporting: published financial statements are reliable.
3. Compliance with laws and regulations: applicable laws and regulations are being complied with.
Internal control consists of five interrelated components:

1. The control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

The Control Environment
1. Integrity and ethical values
2. Commitment to competence
3. Participation by the board
4. Management's operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices

Risk Assessment
Circumstances that warrant special attention when assessing risk:
1. Changes in the operating environment
2. New personnel or corporate restructurings
3. New or revamped information systems
4. Rapid growth
5. New technology
6. New business models, products or activities
7. Expanded foreign operations
8. New accounting pronouncements

Control Activities
The policies and procedures that help ensure management directives are carried out. Control activities occur throughout the organization, at all levels and in all functions. They include:
Approvals and authorizations
Verifications
Reconciliations
Reviews of operating performance
Security of assets
Segregation of duties

Information and Communication
Information systems produce reports that contain operational, financial and compliance-related information.
Effective communication must flow down, across and up the organization.
There must also be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring
A process that assesses the quality of the internal control system's performance over time. Monitoring is accomplished through ongoing monitoring activities and separate evaluations.

Ongoing monitoring activities occur in the course of operations. They include regular management and supervisory activities, and other actions personnel take in performing their duties.

Separate evaluations: the scope and frequency of separate evaluations depend primarily on an assessment of risks and on the effectiveness of the ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
Roles and Responsibilities for Controls

The parties with a role in internal control are the board of directors, management, internal auditors, other personnel in the organization, and the external auditors.

The Board of Directors
Governance, guidance and oversight. Effective board members are objective, capable and inquisitive.

Management
The CEO is ultimately responsible and should assume ownership of the system. The CEO, more than anyone else, sets the "tone at the top" and provides leadership and direction.

Internal auditors
Internal auditors play an important role in evaluating the effectiveness of control systems, and contribute to ongoing effectiveness. Because of its organizational position and authority in an entity, an internal audit function often plays a significant monitoring role.

Other personnel in the organization
Internal control should be an explicit or implicit part of everyone's job description. All personnel are responsible for communicating problems upward.

External auditors
Bring an independent and objective view. They contribute to internal control directly through the financial statement audit, and indirectly by providing information useful to management and the board.
Sarbanes-Oxley requirements

Title III – Corporate Responsibility

Section 301 (audit committees):
The audit committee shall be directly responsible for the appointment, compensation, and oversight of the work of the independent auditors. The auditors shall report directly to the audit committee.
Each member of the audit committee must be independent.
The audit committee shall establish procedures for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or auditing matters.
The audit committee shall establish procedures for the confidential, anonymous submission by employees of the company of concerns regarding questionable accounting or auditing matters.
The audit committee shall have the authority to engage independent counsel and other advisers.
The audit committee shall determine the appropriate funding necessary for payment of compensation for the independent audit and for work performed by other advisers hired by the audit committee.
Section 302 (corporate responsibility for financial reports):
The CEO and CFO must certify, in each annual or quarterly report, that:
the signing officers have reviewed the report;
the report does not contain any material misstatement, and does not omit any fact necessary to make the statements not misleading;
the financial statements fairly present, in all material respects, the financial condition and results of operations of the company;
the signing officers are responsible for establishing and maintaining internal controls;
they have designed internal controls to ensure that material information relating to the company is made known to them;
they have evaluated the effectiveness of the company's internal controls within 90 days prior to the report;
they have presented in the report their conclusions about the effectiveness of the internal controls, based on that evaluation;
they have disclosed to the company's auditors and the audit committee all significant deficiencies in the design or operation of internal controls which could adversely affect the company's ability to record, process, summarize, and report financial data, and have identified for the company's auditors any material weaknesses in internal controls;
they have disclosed to the company's auditors and the audit committee any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal controls;
they have indicated in the report whether or not there were significant changes in internal controls, or in other factors that could significantly affect internal controls, subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Section 303 (improper influence on the conduct of audits):
It shall be unlawful for any officer or director of the company, or any other person acting under the direction thereof, to take any action to fraudulently influence, coerce, manipulate, or mislead the independent auditors for the purpose of rendering the financial statements materially misleading.

Section 304 (forfeiture of bonuses and profits):
If a company is required to restate its financial statements due to material noncompliance, as a result of misconduct, with any financial reporting requirement under the securities laws, the CEO and CFO must reimburse the company for any bonus or other incentive-based or equity-based compensation received within 12 months of the issuance of the statements, and any profits realized from the sale of company stock within those same 12 months.
Title IV – Enhanced Financial Disclosures

Section 406 (code of ethics for senior financial officers):
The SEC shall issue rules requiring companies to disclose whether or not (and if not, the reason therefor) the company has adopted a code of ethics for senior financial officers.
The SEC shall issue rules requiring companies to promptly disclose any change in, or waiver of, the code of ethics for senior financial officers.

Section 407 (disclosure of audit committee financial expert):
The SEC shall issue rules requiring companies to disclose whether or not (and if not, the reasons therefor) the audit committee includes at least one member who is a financial expert, as defined by the SEC.
NYSE Corporate Governance Rules

These are the rules that companies must comply with to be listed on the NYSE. They became effective in 2003, strengthening the NYSE's existing corporate governance requirements. Other exchanges have their own rules, in many cases similar to the NYSE's; the NYSE probably has the most stringent rules.

Listed companies must have a majority of independent directors. The board must affirmatively determine that each director has no material relationship with the company. Under the 2003 rules, a director is not independent if:

the director is an employee, or an immediate family member is an executive officer, of the company, until three years after the end of the employment relationship;

the director received, or an immediate family member receives, more than $100,000 per year in direct compensation from the company (other than director and committee fees and pension or other deferred compensation for prior service), until three years after he or she ceases to receive more than $100,000 per year (this threshold was later raised to $120,000);

the director is affiliated with or employed by, or an immediate family member is affiliated with or employed in a professional capacity by, a present or former internal or external auditor of the company, until three years after the end of the employment or auditing relationship;

the director is employed, or an immediate family member is employed, as an executive officer of another company where any of the listed company's present executives serve on that company's compensation committee, until three years after the end of such service or employment relationship;

the director is an executive officer or employee, or an immediate family member is an executive officer, of a company that makes payments to, or receives payments from, the listed company for property or services in an amount which, in any single year, exceeds the greater of $1 million or 2% of that other company's revenues, until three years after falling below that threshold.
The non-management directors of the board must meet at regularly scheduled executive sessions without management.

Listed companies must have a nominating/corporate governance committee composed entirely of independent directors. This committee must have a written charter that addresses the committee's purpose and responsibilities, and an annual performance evaluation of the committee.

Listed companies must have a compensation committee composed entirely of independent directors. This committee must have a written charter that addresses the committee's purpose and responsibilities, and an annual performance evaluation of the committee.
Listed companies must have an audit committee. The committee must consist of at least three members; each member must be independent, and each member must be financially literate, or become financially literate within a reasonable time after appointment.

The audit committee must have a written charter that addresses the committee's purpose and an annual performance evaluation of the committee. The committee's duties must include:
obtaining and reviewing, at least annually, a report by the independent auditors describing the accounting firm's internal quality-control procedures, recent issues raised by peer reviews, and all relationships between the independent auditor and the company;
discussing the company's annual and quarterly financial statements with management and the independent auditor, including the MD&A (Management's Discussion and Analysis);
discussing the company's earnings press releases, and the financial information and earnings guidance provided to analysts;
discussing policies with respect to risk assessment and risk management;
meeting separately, periodically, with management, with the internal auditors, and with the independent auditors;
reviewing with the independent auditor any audit problems or difficulties and management's response;
setting clear hiring policies for employees or former employees of the independent auditors.
Each listed company must have an internal audit function. This function can be outsourced to a third-party service provider other than the company's independent auditor.

Listed companies must adopt and disclose corporate governance guidelines. These guidelines must address:
Director qualification standards
Director responsibilities
Director access to management and independent advisers
Director compensation, orientation, and continuing education
Management succession
Annual performance evaluation of the board

Listed companies must adopt and disclose a code of business conduct and ethics for directors, officers, and employees, and promptly disclose any waivers of the code for directors or executive officers. At a minimum, this code should address:
Conflicts of interest
Confidentiality
Fair dealing
Protection and proper use of company assets
Compliance with laws, rules and regulations
Documenting Internal Controls

Who relies on documentation of controls? Management accountants, internal auditors, external auditors, and systems development teams.

Alternative methods of documentation: questionnaires, narratives, and flowcharts.

External auditors
Non-public companies (and all companies before SOX): on all engagements, the auditor should obtain an understanding of internal control sufficient to plan the audit. The auditor is not obligated to search for internal control weaknesses, or to test controls, unless the auditor plans to rely on those controls.
Public companies under SOX (Section 404): the auditor must attest to, and report on, management's assessment of internal control.

Flowcharting
Encourages rigor of analysis and a thorough understanding of the system.
The flow is top-down and left-to-right.
Time-consuming to prepare.