Frameworks For Evaluating Internal Controls - City of Seattle

Dec 13, 2013

Frameworks For Evaluating Internal Controls

Many Models To Choose Among

 - COSO
 - COCO
 - Cadbury Report
 - Deming Award
 - TQM
 - 12 Attributes
 - Deep Learning Framework
 - Baldrige Award
 - ISO 9000
 - Westinghouse Award
 - Northrop Award

Who Developed Models?

 - COSO: The major accounting and audit professional organizations issued COSO in 1992.
 - 12 Attributes: The Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987.
 - COCO: In November 1995, The Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.
 - ISO 9000: Developed by the International Organization for Standardization (ISO).
 - Deep Learning Framework: In 1990, Peter Senge published the now classic The Fifth Discipline and then in 1995 published The Fifth Discipline Fieldbook.

Different Frameworks: Same Goals

 - Frameworks provide a way of understanding our organizations.
 - By having different groupings, each highlights some aspects of control more than others.
 - The criteria in the frameworks provide a basis for understanding control in an organization and for making judgments about the effectiveness of control.
 - Frameworks provide a systematic, step-by-step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business.
 - Frameworks provide a standard review process.
 - Frameworks provide a tool that helps management and auditors evaluate the adequacy of controls in multiple dimensions of the business, giving a picture of how well all of the controls in all of the dimensions are working.

Using These Frameworks

 - Paints a picture that focuses on what is important to users, that keeps things in perspective, and that is sensitive to 'shades of gray'.
 - Flexibility is allowed and creativity is required.
 - Nothing magical about them, but they can allow you to have seemingly magical insights.

One More Tool in the Tool Box

 - CSA
 - Questionnaires
 - Unobtrusive Measures
 - Structured Interviews
 - Document Reviews
 - Regression Analysis
 - Integrated Control Frameworks
 - And many more!

[Figure: COSO ERM Framework diagram showing the components Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring]

COSO - Cadbury

COSO:
 - Control Environment
 - Risk Assessment
 - Control Activities
 - Information and Communication
 - Monitoring

Cadbury:
 - Control Environment
 - Identification of Risks, Control Priorities and Objectives
 - Control Activities
 - Monitoring and Corrective Action
Control Environment

 - Provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It serves as the foundation for the other components. (COSO)
 - Management must send a clear message to all personnel that control responsibilities are to be taken seriously, that each person has a particular role in the control system and that each role relates to the roles of others. (Cadbury)

Risk Assessment

 - Management must assess risks to the achievement of specified objectives. (COSO)
 - The process by which executive management identifies the risks arising from the organization’s business and, since resources are always limited, establishes the priorities for control and particular control objectives. (Cadbury)

Control Activities

 - Are implemented to help ensure that management directives to address the risks are carried out. (COSO)
 - Are the detailed policies and procedures designed to achieve the company’s control objectives and to provide management with reasonable assurance that their priorities for internal control are being addressed. They operate throughout the organization, potentially covering all levels. (Cadbury)

Information and Communication

 - Relevant information is captured and communicated throughout the organization.

Monitoring

 - The entire process is monitored and modified as conditions warrant. (COSO)
 - Monitoring and corrective action should produce sufficient evidence that the financial control system for which they are responsible is effective in practice. Monitoring is performed at a higher level than the routine checks built into the day-to-day routine and involves a greater degree of independence from those who operate the procedures. (Cadbury)

CRIME

 - C - Control Activity
 - R - Risks
 - I - Information
 - M - Monitoring
 - E - Environment

COSO Matrix

Objectives (columns): Operations; Financial Reporting; Compliance With Laws and Regulations.
Components (rows): Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring.

COCO

[Figure: the COCO model, with ACTION at the centre of four elements]
 - Purpose: A sense of direction. What are we here for?
 - Commitment: A sense of identity and values. Do we want to do a good job?
 - Capability: A sense of competence. What action do we need to take?
 - Monitoring and Learning: A sense of evolution. What progress? What next?

COCO Criteria: Purpose


Objectives should be established and communicated.


The significant internal and external risks faced by an
organization in the achievement of its objectives should be
identified and assessed.


Policies designed to support the achievement of an
organization’s objectives and the management of its risks
should be established, communicated and practiced so that
people understand what is expected of them and the scope of
their freedom to act.


Plans to guide efforts in achieving the organization’s objectives
should be established and communicated.


Objectives and related plans should include measurable
performance targets and indicators.

COCO Criteria: Commitment


Shared ethical values, including integrity, should be established,
communicated and practiced throughout the organization.


Human resource policies and practices should be consistent
with an organization’s ethical values and with the achievement
of its objectives.


Authority, responsibility, and accountability should be clearly
defined and consistent with an organization’s objectives so that
decisions and actions are taken by the appropriate people.


An atmosphere of mutual trust should be fostered to support the
flow of information between people and their effective
performance toward achieving the organization’s objectives.

COCO Criteria: Capability


People should have the necessary knowledge, skills and tools to
support the achievement of the organization’s objectives.


Communication processes should support the organization’s
values and the achievement of its objectives.


Sufficient and relevant information should be identified and
communicated in a timely manner to enable people to perform
their assigned responsibilities.


The decisions and actions of different parts of the organization
should be coordinated.


Control activities should be designed as an integral part of the organization, taking into consideration its objectives, the risks to their achievement, and the inter-relatedness of control elements.

COCO Criteria: Monitoring and Learning


The environment should be monitored to obtain information that may signal a need to re-evaluate the organization’s objectives or controls.


Performance should be monitored against the targets and indicators
identified in the organization’s objectives and plans.


The assumptions behind an organization’s objectives should be
periodically challenged.


Information needs and related information systems should be
reassessed as objectives change or as reporting deficiencies are
identified.


Follow-up procedures should be established and performed to ensure appropriate change or action occurs.


Management should periodically assess the effectiveness of control in
its organization and communicate the results to those to whom it is
accountable.


COCO: Sample Assessment Questions

Purpose


Do we understand our objectives?


Are our plans responsive and adequate to change?


Commitment


Are critical decisions made by people with the necessary
expertise, knowledge and authority?


Capability


Is there adequate information to allow us to perform our tasks?


Monitoring and Learning


Do we challenge the assumptions behind our objectives?

COSO and COCO’s Definition of Internal Control

Per COSO, Internal Control is:
 - a process,
 - effected by an entity’s board of directors, management, and other personnel,
 - designed to provide reasonable assurance regarding the achievement of objectives.

Per COCO, Internal Control is:
 - those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the objectives.

Objectives of Internal Controls

Per COSO, an organization’s:
 - effectiveness and efficiency of operations;
 - reliability of financial reporting; and
 - compliance with applicable laws and regulations.

Per COCO:
 - effectiveness and efficiency of operations;
 - reliability of internal and external reporting; and
 - compliance with applicable laws and regulations and internal policies.

Key COSO and COCO Concepts

 - Internal Control is a process.
 - Internal Control is effected by people.
 - Internal Control can be expected to provide only reasonable assurance.
 - Internal Control is geared to the achievement of objectives.


Hard Controls - Soft Controls

Hard Controls:
 - Policy and Procedures
 - Organizational Structure
 - Bureaucracy
 - Restrictive formal processes

Soft Controls:
 - Competence
 - Trust
 - Shared Values
 - Leadership
 - Expectations
 - Commitment
What’s More Important?


Segregation of duties or ethical
employees?


Well written and thorough policy and
procedures manuals or competent
employees?


Clear delineation of roles and
responsibilities or a group of employees
dedicated to accomplishing the
organization’s mission?

Soft Controls

In the past, auditors have focused exclusively on the hard controls. As the Savings and Loan crisis demonstrated, this has meant that auditors have often missed the really important issues that will dictate whether an organization succeeds and is operating in the most efficient and effective manner. COSO, COCO, Cadbury, the Baldrige Award and the other control models highlight the need to examine soft controls and provide the analytical tools to do so.


Soft Factors

 - Integrity and ethical values
 - Commitment to competence
 - Management's philosophy and operating style
 - Managing change
 - Communication

Soft Control

 - a useful, though not precisely definable, term
 - best explained with common characteristics and examples

Common Characteristics

Hard controls tend to be: formal; objective; quantitatively measurable; the "map".
Soft controls tend to be: informal; subjective; intangible; the real terrain.

Examples

Hard Controls: Policy/procedure; Organizational structure; Bureaucracy; Restrictive formal processes; Centralized decision making.
Soft Controls: Competence; Trust; Shared Values; Strong Leadership; High expectations; Openness; High ethical standards.
Framework Comparison

Structure:
 - Baldrige: Major Areas: 7; Examination Items: 28; Areas to Address: 93
 - COCO: Major groupings: 4; Criteria: 20
 - 12 Attributes: Attributes: 12; Domains: 3 (two of the domains each have 3 areas)
 - Learning Framework: Numerous issues to consider
 - COSO: Major Elements: 5
 - ISO 9000: Major Elements: 20

Major Emphasis:
 - Baldrige: Results and continuous improvement
 - COCO: Control
 - 12 Attributes: Effectiveness
 - Learning Framework: Continuous learning
 - COSO: Control
 - ISO 9000: Quality control

Note: COCO defines control as those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.

COSO defines control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

Used By:
 - Baldrige: Used in the private sector in the U.S. Similar frameworks, such as the Presidential Award, are used in the public sector. The State of Washington just adopted it.
 - COCO: Used in the public and private sector in Canada.
 - 12 Attributes: Public sector in Canada.
 - COSO: Widespread in the private sector in Europe, increasingly used by U.S. companies, especially those involved in international trade.
 - Senge’s Deep Learning Framework: U.S. companies such as General Motors and Sprint.
 - ISO 9000: Over 40,000 companies around the world. Increasingly used in the U.S., especially by firms interested in European trade.

Customer Focus:
 - Baldrige: major focus
 - COCO: very indirect; discusses meeting objectives and evaluating the external environment
 - 12 Attributes: indirect
 - Learning Framework: indirect
 - COSO: very indirect

Monitoring:
 - Baldrige: in relation to results and customer satisfaction
 - COCO: in relation to (1) the effectiveness of controls; (2) targets and indicators
 - 12 Attributes: key matters pertaining to performance and organizational strength
 - Learning Framework: as part of continuous learning
 - COSO: a major element, in relation to the effectiveness of the other four major control elements
Review of Freeway Park Garage Using COSO Model (1)

CONTROL ENVIRONMENT

Management:

Criterion: Management is aware of the importance of accountability controls, communicates this importance to employees at all levels, and displays a supportive attitude toward management controls.

Finding: Management did not adequately communicate the purpose and importance of implementing management control procedures to employees at all levels. For example, most of the control weaknesses which the State Auditor identified in a 1993 management letter to the City were not corrected.

Review of Freeway Park Garage Using COSO Model (2)

Employees:

Criterion: Employees understand the importance of implementing control procedures.

Finding: Garage employees did not always implement existing management control procedures. Although the old Freeway Park Garage manual instructed employees to enter all cash transactions into the cash register as they occurred, we found that parking attendants were not always implementing this policy. For instance, the revenue report for the evening shift on May 2, 1994 reported $372.00 more in sales than what was entered into the cash register. We also found that parking attendants did not always give customers a cash register receipt. For example, an auditor posing as a daily parking customer requested a receipt and received one that was retrieved from a garbage can.

Review of Freeway Park Garage Using COSO Model (3)

Criterion: Employees do not circumvent or ignore existing controls.

Finding: The Garage is a “pay as you enter” operation. Cashiers give each daily parking customer a validated, dated and time-stamped parking ticket which also shows the amount paid: $4 for daily parking. To exit the Garage, daily parking customers must enter the validated ticket into a card reader system, which sends a signal to open the gate. Although required to retain records for a minimum of six years, according to the retention schedule of the State of Washington, used daily parking tickets were thrown away. In addition, we found no evidence that the Garage supervisor or an independent party reviewed the daily tickets before they were tossed away. On March 10, 1995, auditors instructed staff to retain the daily tickets. We later reviewed the used tickets to ensure that they were all validated and stamped with a $4 sales price. As a result of our review, we found one daily ticket dated March 8, 1995 with a stamped sales price of $80, instead of $4.

Review of Freeway Park Garage Using COSO Model (4)

Criterion: Employees do not circumvent or ignore existing controls.

Finding: Employees were not clear about their job responsibilities. For example, the Garage supervisor did not understand that reviewing attendants’ work included reconciling totals on cash register tapes to revenue reports, deposit slips, refund report sheets, and documents recording sales of monthly parking permits. Also, job descriptions were not periodically reviewed or updated. (1) Employees at the Garage do not receive written performance evaluations on a regular basis. Parking attendants could not remember when they last received a written performance evaluation. (2) Garage staff received no formal training on how to use the Garage’s computer system and, although requested, employees have not attended any City sponsored computer training courses. (3) Although the Department of Finance required Finance’s cash handling training course for certification as a cash handler with the City, as of June 1995, only one of the three permanent parking attendants had taken this course.
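As an added example (not the slides' or the City auditors' own code), here are the control tests this review describes, written in Python over constructed records: the shift-by-shift reconciliation of revenue reports to register tapes, the check that retained daily tickets are validated, time-stamped and priced at the $4 daily rate, and a tickets-times-rate against register-total check that pay-as-you-enter makes possible but the slides do not spell out. All records are made up; the $372.00 gap and the $80 ticket echo the figures quoted above, and the single-register, one-tape-per-shift layout is an assumption.

```python
"""Reconciliation checks of the kind the Freeway Park Garage review describes.

Added example, not the City auditors' workpapers or code. All records below are
constructed: the $372.00 reporting gap and the $80 ticket echo the figures in
the slides; every other value is made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

DAILY_RATE = Decimal("4.00")  # "$4 for daily parking" in the slides


@dataclass(frozen=True)
class ShiftRecord:
    day: date
    shift: str
    revenue_report: Decimal  # total the attendant wrote on the revenue report
    register_tape: Decimal   # total actually rung up on the cash register


@dataclass(frozen=True)
class Ticket:
    day: date
    validated: bool
    time_stamped: bool
    stamped_price: Decimal


# Constructed sample data (assumption: one register, one tape per shift).
SHIFTS = [
    ShiftRecord(date(1994, 5, 2), "day", Decimal("1000.00"), Decimal("1000.00")),
    ShiftRecord(date(1994, 5, 2), "evening", Decimal("1372.00"), Decimal("1000.00")),
    ShiftRecord(date(1995, 3, 8), "day", Decimal("12.00"), Decimal("12.00")),
]
# No 1994 tickets survive, as the review found: they were thrown away.
TICKETS = [
    Ticket(date(1995, 3, 8), True, True, Decimal("4.00")),
    Ticket(date(1995, 3, 8), True, True, Decimal("4.00")),
    Ticket(date(1995, 3, 8), True, True, Decimal("80.00")),
    Ticket(date(1995, 3, 8), True, False, Decimal("4.00")),
]


def reconcile_shifts(records):
    """Test 1: the revenue report must agree with the register tape, shift by shift.

    Returns (day, shift, gap) for every shift where they differ; a positive gap
    means more was reported as sold than was entered into the register.
    """
    return [
        (r.day, r.shift, r.revenue_report - r.register_tape)
        for r in records
        if r.revenue_report != r.register_tape
    ]


def audit_tickets(tickets, rate=DAILY_RATE):
    """Test 2: each retained daily ticket must be validated, time-stamped and
    stamped with the standard daily rate. Returns (ticket, reason) pairs."""
    findings = []
    for t in tickets:
        if not t.validated:
            findings.append((t, "not validated"))
        elif not t.time_stamped:
            findings.append((t, "no time stamp"))
        elif t.stamped_price != rate:
            findings.append((t, f"stamped price {t.stamped_price} != daily rate {rate}"))
    return findings


def tickets_vs_register(tickets, records, rate=DAILY_RATE):
    """Test 3 (implied by pay-as-you-enter, not spelled out in the slides):
    retained daily tickets * daily rate should equal the day's register total.
    Monthly permit sales are not modelled here. Returns
    {day: (expected_from_tickets, register_total)} for days that differ; a day
    with register activity but no retained tickets shows up as a gap too."""
    expected = defaultdict(Decimal)
    rung_up = defaultdict(Decimal)
    for t in tickets:
        expected[t.day] += rate
    for r in records:
        rung_up[r.day] += r.register_tape
    return {
        d: (expected[d], rung_up[d])
        for d in sorted(set(expected) | set(rung_up))
        if expected[d] != rung_up[d]
    }


def run_checks(records=SHIFTS, tickets=TICKETS):
    """Run all three tests on the sample data and return their findings."""
    return reconcile_shifts(records), audit_tickets(tickets), tickets_vs_register(tickets, records)


if __name__ == "__main__":
    shift_gaps, bad_tickets, daily_gaps = run_checks()
    for day, shift, gap in shift_gaps:
        print(f"{day} {shift}: revenue report exceeds register by ${gap}")
    for ticket, reason in bad_tickets:
        print(f"{ticket.day}: ticket rejected, {reason}")
    for day, (exp, actual) in daily_gaps.items():
        print(f"{day}: retained tickets imply ${exp}, register shows ${actual}")
```

Thrown-away tickets surface on their own in the third check: a day with register activity but no retained tickets reports an expected figure of zero against whatever was rung up, which is the evidence gap the auditors ran into for 1994. A real reconciliation would add monthly permit sales and refunds to the expected side, as the supervisor's job description in finding (4) requires.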


Arguing with a COSO auditor is
like wrestling with a pig in mud
. . .

Sooner or later you realize the pig enjoys it!