In Control: Myth or Reality?


 Jean-Pierre Garitte, CIA, CCSA, CISA, CFE
 Executive Professor, UAMS
 Partner, Deloitte Enterprise Risk Services
 Past Chairman of the Board, IIA
 Past President, ECIIA

 Brussels
 July 12, 2006
Overview

    Understand US Regulations Regarding Internal Controls

    Overview of COSO Internal Control

    Overview of COSO Enterprise Risk Management
Part I – Understand the US Regulations Regarding Internal Controls
Sarbanes-Oxley

Why Did the US Feel it was Necessary?
  Major Financial Reporting Failures

  Management Override of Reporting

  Inadequate Governance and Oversight

  Companies ought to be accountable for how they safeguard and use
   the resources entrusted to them.
Management Requirements
 MANAGEMENT ATTESTATION
  The CEO and CFO must sign the annual and quarterly reports signifying
   that to his or her knowledge the report does not contain anything
   untruthful.

  S/he must also attest to the proper implementation of internal controls
   and report any changes.
Internal Control Reporting (404)
  Every annual report must include a report on internal controls signed
   by the CFO and CEO.

  The report shall provide positive assertions as to the establishment
   and maintenance of the current internal controls, and also the
   effectiveness of the controls throughout the past year.

  Issuer’s accountant must attest to the report on internal controls.
Summary – Internal Control Provisions
 Management Must:
      Identify its Internal Controls over Financial Reporting
      Document the Design & Operation of Internal Controls
      Assess the Effectiveness of the Design of those Controls
      Remediate any Design Deficiencies
      Determine that the Controls are Working Properly
      Assess Nature of Deficiencies
Criteria for Categorizing Deficiencies

   A design deficiency exists when either a necessary control is missing
    or an existing control is not properly designed, so that even when
    the control is operating as designed the control objective is not
    always met.
Operating Deficiency

   An operating deficiency exists when a properly designed control either
    is not operating as designed or the person performing a control does
    not possess the necessary authority or qualifications to perform the
    control effectively.
How Important is Each Deficiency?

   Internal control deficiencies range from inconsequential internal
    control deficiencies to material weaknesses in internal control.
PCAOB Definitions

   A significant deficiency is an internal control deficiency that could
    adversely affect the entity’s ability to initiate, record, process,
    and report financial data consistent with the assertions of
    management in the financial statements. A significant deficiency
    could arise from a single deficiency or an aggregation of
    deficiencies.
Material Deficiency

 A material deficiency is a significant deficiency in one or more of the
 internal control components that alone or in the aggregate precludes the
 entity’s internal control from reducing to an appropriately low level the
 risk that material misstatements in the financial statements will not be
 prevented or detected on a timely basis.
Part II – Understanding the COSO Internal Control Framework
COSO Internal Control Integrated Framework

    Rationale for the Framework

    Common Language
Applying the COSO Model

    A PROCESS

    Designed to ACHIEVE OBJECTIVES

    Applied across the ORGANIZATION

    With FIVE COMPONENTS that work interactively to achieve objectives
The Process

  The diagram centers on EFFECTIVE INTERNAL CONTROL over FINANCIAL
  REPORTING, surrounded by six steps:

  1. Set OBJECTIVES.
  2. IDENTIFY RISKS to the achievement of those objectives.
  3. Implement an effective CONTROL ENVIRONMENT as first line of defense
     against the risks.
  4. Design and implement effective CONTROL ACTIVITIES to address risks.
  5. Develop effective INFORMATION & COMMUNICATION to assist the
     organization in meeting its objectives.
  6. Once effective control is established, develop MONITORING activities
     to ensure that controls continue to operate effectively.
IDENTIFY THE RISKS TO FINANCIAL REPORTING

RISK ASSESSMENT - Every entity faces a variety of risks from external and
internal sources that must be assessed. Risk assessment is the
identification and analysis of relevant risks to achievement of the
objectives, forming a basis for determining how the risks should be
managed.

  8. Identify Financial Reporting Objectives: relate to achievement of
     GAAP and full disclosure.
  9. Identify Risks that threaten the achievement of the objectives:
     consider processes, personnel, incentives, and technology impacts.
 10. Identify and assess the Risk of Fraud as it affects the company:
     consider incentives and opportunities to commit fraud.

RISK ASSESSMENT: Management and others in the organization understand the
major risks that affect the achievement of financial reporting objectives.
The identification of risks presents a starting point from which to develop
control activities and processes to minimize the risks to the achievement
of the financial reporting objective. Some of the major risks facing
smaller businesses include, but are not limited to:
       Management Override
       Human Error or Fraud (which is often mitigated through segregation of duties)
       Inconsistent Processes
       Errors in Accounting Judgments due to a lack of Qualified Personnel
       Fraud, due to defalcations or misstatement of financial statements

The control activities to address these specific risks start with the CONTROL ENVIRONMENT.
A ROBUST CONTROL ENVIRONMENT MINIMIZES RISKS

CONTROL ENVIRONMENT: The control environment sets the tone of an
organization, influencing the control consciousness of its people. It is
the foundation for all other components of internal control, providing
discipline and structure.

  1. Sound ethical values and a culture of integrity: organization
     articulates values, monitors activities, and takes action.
  2. Effective and Independent Board: independent and effective oversight.
  3. Management Operating Style Promotes Good Controls: management sets
     objectives and creates a tone for activities.
  4. Organizational Structure facilitates achievement of reporting
     objectives: structure supports processes to achieve objectives.
  5. Commitment to Financial Reporting Competencies: management identifies
     competencies needed and acquires those competencies.
  6. Assignment of Authority & Responsibility that is consistent with
     Reporting Objectives: authority and responsibilities are assigned,
     starting with the Board and the CFO.
  7. Human Resource Policies and Procedures Support Effective Control:
     consider incentives, recruitment, training, and other activities.

CONTROL ENVIRONMENT ASSESSMENT. The control environment often represents
the first line of defense against the risks identified above, especially
the risks associated with management override, accounting errors, or
inconsistent processes. A strong and independent board with sufficient
resources and time to provide oversight can be effective in mitigating many
of the risks. Many smaller businesses have independent and effective
boards; many also have effective audit committees that can actively address
many of the risks identified above. Management sets the tone for activities
through its commitment to integrity and ethical values and reinforces that
commitment through its human resource practices.
CONTROL ACTIVITIES MITIGATE PROCESSING RISKS

CONTROL ACTIVITIES: Control activities are the policies and procedures that
help ensure that management directives are carried out. They include a
range of activities as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets and
segregation of duties.

 11. Controls chosen to mitigate risks identified: consider all sources of
     entry into the books, information technology, and personnel.
 12. Controls chosen based on assessment of effectiveness and cost: apply
     a combination of preventive and detective controls.
 13. Policies and Procedures established and communicated to accomplish
     objectives: implement consistently in a timely fashion across the
     organization.
 14. Information Technology is utilized to accomplish objectives:
     information technology can be used as a control advantage when
     controls are “turned on” and utilized consistently.

CONTROL ACTIVITIES: Control activities are effective when they are designed
and implemented to ensure that all transactions are recorded correctly, in
a timely fashion, in accordance with GAAP, and all adjustments and
estimates are recorded correctly, in a timely fashion, and in accordance
with GAAP. Control activities should be sufficient to prevent or detect the
existence of material fraud.
AN EFFECTIVE INFORMATION AND COMMUNICATION SYSTEM ENABLES THE COMPANY TO
MANAGE ITS INTERNAL CONTROL PROCESS

INFORMATION & COMMUNICATION. Pertinent information must be identified,
captured and communicated in a form and timeframe that enables people to
carry out their responsibilities. Organizational personnel must receive a
clear message from top management that control responsibilities must be
taken seriously. They must understand their own role in the internal
control system, as well as how their individual activities relate to the
work of others. They must have a means of communicating significant
information upstream.

 15. Pertinent information is gathered at all levels in the organization
     to support the achievement of the financial reporting objectives:
     data is captured at its source; technology is utilized to ensure
     consistency and accuracy, and is designed to maintain quality.
 16. Information is gathered to support personnel and systems in carrying
     out their control responsibilities: information is gathered to ensure
     compliance with policies and regulations, facilitates a quick
     identification and understanding of the root causes of control
     failures, and facilitates maintaining quality.
 17. Internal communication facilitates personnel understanding sufficient
     to accomplish the control objectives: includes effective
     communication with the Board, across personnel, and a
     “whistleblowing” process.
 18. Matters affecting achievement of the control objectives, where
     applicable, are communicated to outside parties: includes open
     communication with vendors and customers, as well as with important
     stakeholders.

ASSESSMENT OF EFFECTIVENESS OF INFORMATION & COMMUNICATION: Information &
Communication is considered effective when information is communicated
across individuals within the organization in a way that facilitates their
accomplishment of internal control objectives; information identifies
control breakdowns in a timely fashion; there are open communication
channels with outside parties; and the company has an effective
whistleblowing process.
MONITORING CREATES EFFICIENCY BY FOCUSING ON CONTINUOUS IMPROVEMENT AND
IDENTIFYING ANY DETERIORATION OF CONTROLS

MONITORING: Internal control systems need to be monitored - a process that
assesses the quality of the system's performance over time. This is
accomplished through ongoing monitoring activities, separate evaluations or
a combination of the two. Internal control deficiencies should be reported
upstream, with serious matters reported to top management and the board.

 19. On-Going or Separate Evaluations are designed to provide information
     on whether internal control over financial reporting remains
     effective. Design is such that monitoring facilitates timely
     identification of control failures and remediation: on-going
     evaluations are designed to provide continuous monitoring of the
     controls. Separate evaluations need to be carried out by
     knowledgeable personnel with sufficient frequency and scope to
     manage the risks associated with control failures.
 20. Deficiencies are reported to the proper personnel (and level) within
     the organization that facilitates timely, corrective action of the
     control deficiencies: findings and deficiencies are reported to
     those with the ability to correct the root causes of the failures in
     a timely fashion. Important deficiencies are reported to management
     and the board to facilitate accomplishment of their responsibilities.

ASSESSMENT OF THE EFFECTIVENESS OF MONITORING. Monitoring is effective when
it is designed such that control failures or deficiencies are identified in
a timely fashion, communicated to those who have responsibility for the
controls, and the correction of the control deficiency in a timely fashion
is facilitated. Separate evaluations can (and should) address each of the
five components of the internal control framework.
Effective Monitoring

  [Diagram: monitoring at the supervisory and execution levels]
Part III – Understanding the COSO Enterprise Risk Management Framework
Enterprise Risk Management

   Broader Concept than Internal Control

   Critical to Company Management
       Feeds back into strategy
       Broader set of objectives
       More robust risk approach
Enterprise Risk Management

“… a process, effected by an entity's board of directors, management and
other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and
manage risks to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.”
Think of ERM as:

     Integral
     Crucial – “Risks Must be Taken”
     Integrated
     Risk Culture
     Both Macro and Micro
The ERM Framework

Foundational Aspects
  Starts with objectives
  Applies to activities at all levels of the organization
  Has eight interrelated Components

Key Concepts
  Events and risks
  Risk appetite and risk tolerance
  Portfolio view
Relationship of Internal Control and ERM

  The internal control process diagram (set OBJECTIVES; IDENTIFY RISKS to
  the achievement of those objectives; implement an effective CONTROL
  ENVIRONMENT as first line of defense against the risks; design and
  implement effective CONTROL ACTIVITIES to address risks; develop
  effective INFORMATION & COMMUNICATION to assist the organization in
  meeting its objectives; once effective control is established, develop
  MONITORING activities to ensure that controls continue to operate
  effectively) is shown alongside the ERM components:

    Event Identification
    Risk Assessment
    Risk Response
Relationship of Internal Control and ERM

  [Diagram: Internal Control Framework; ERM Framework]
Internal Environment

   Establishes a philosophy regarding risk management. It recognizes that
    unexpected as well as expected events may occur.

   Establishes the entity’s risk culture.

   Considers all other aspects of how the organization’s actions may
    affect its risk culture.
Objective Setting

   Is applied when management considers risk strategy in the setting of
    objectives.

   Forms the risk appetite of the entity — a high-level view of how much
    risk management and the board are willing to accept.

   Risk tolerance, the acceptable level of variation around objectives,
    is aligned with risk appetite.
Key Concepts: Events and Risk

An Event is an incident or occurrence that could affect the implementation
of strategy or achievement of objectives.

    Distinguish risk and opportunity
    Risk is the possibility that an event will occur and adversely affect
     the achievement of objectives.
    Events that may have a positive impact represent natural offsets or
     opportunities.
Key Concepts

   Risks are measured using the same unit of measure as the related
    objectives.

   Time horizons are specified and aligned with objectives.
Key Concepts of ERM

   Risks are viewed from a portfolio perspective.

   Risk Appetite must be established in broad terms by management – with
    discussion with the Board.

   Focus on Balancing Value, Growth, and Risk
How do we Change?
   Broader perspective of risk:
       We forget that a company’s current risk profile is a culmination of
        all that has preceded it.
       We don’t retroactively evaluate where we are because of decisions
        made earlier.
       Risk might be in our decision-structure or incentive systems.

   Must Look at (to) the External Environment

   Risk discussions must be Elevated to the Board Level
Elevating Risk Awareness
   Internal Control – expand beyond discussion of financial reporting.
    Can’t talk about controls without understanding risk.
   Must Consider External Environment:
       Environmental Changes
       Sustainability
       Competitive Actions
       Potential competitive actions – no monopoly for a lifetime!
Elevating Risk Management

   Must Get the Right Metrics

   Example: We are becoming (US and Europe) more knowledge based
    economies.

       Where should our investments be?
       How are they measured?
       How does this compare with current accounting measures?