Internal Control

COSO’s FrameworkCommittee of Sponsoring

Organizations• 1992 issued a white paper on

internal control• Since this time, this

framework has been incorporated into US auditing standards

Internal control that provides reasonable assurance regarding achievement of objectives in the following categories.

• Effective and efficient operations• Reliable financial reporting • Compliance with applicable laws and regulations

Components of Internal Control

• Control Environment• Risk Assessment• Control Activities• Information and

Communication • Monitoring

Control Environment

• Integrity and ethical values• Commitment to competence• Participation of board of directors or

audit committee• Management’s philosophy and

operating style• Organizational structure • Assignment of authority and

responsibilities • Human resource policies and

practices

Risk Assessment

• Changes may occur in the operating environment

• New personnel may become involved • Information systems may change• Rapid growth • New technologies • New products or services • Restructuring • Foreign operations • New accounting pronouncements

Control Activities

• Segregation of duties • Proper authorization • Assets safeguarded • Compare actual to books• Employees of integrity • Record properly and on a

timely basis

Information and Communication

• Identify and record all valid transactions

• Provide timely description of transactions

• Properly measure transactions • Record transactions in a timely

manner

Monitoring

Assess controls on a timely basis and make modifications when appropriate.

Use internal auditors to review

Test controls

Other factors to consider

• Size of organization• Ownership characteristics • Nature of business• Diversity and complexity of

activities• Data processing methods • Legal and regulatory

environment of the business

Under Sarbanes Oxley Act

• CEO and CFO certification • Internal control report • Document system so others

can review• SEC will review every 3 years

CEO, CFO Certification

• Explicitly must evaluate and report on effectiveness of internal control

• Disclose to audit committee any material deficiencies in financial controls

• Report any changes in IC• Report any corrective actions

CEO, CFO Report

• Assess effectiveness within 90 days of filing dates

• Design disclosure controls and procedures

“ ..are intended to cover a broader range of information than is covered by internal controls related to financial reporting.. They are intended to ensure that an issuer maintains commensurate procedures for gathering, analyzing and disclosing all information that is required to be disclosed…”

Internal Control Report

• A part of annual report • Management responsible for

internal control • States a conclusion on the

effectiveness of IC • External auditor has to attest

to company’s internal control under PCAOB rules