Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan...

Sarbanes-Oxley Project

Summary of COSO Framework

Presented by

Larry Dillehay & Scott Reitan

Parkfield Group LLC

Sample General Education Session 2 Parkfield Group

COSO Control Framework

The SEC requires companies to use a control framework to evaluate their internal controls over financial reporting. The most popular framework is COSO (Committee of Sponsoring Organizations of the Treadway Commission).

The COSO Framework requires both an entity level and process level focus on internal controls over financial reporting.

Internal Control Definition

Internal Control is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

COSO Control Framework

Control Environment

Provides the discipline and structure for the overall system of internal control

Established and maintained by management (foster control conscientiousness)

Includes overall control culture – the attitudes and habits of senior management

Internal Control Environment factors include:

- Organizational Structure
- Assignment of authority and responsibility
- Commitment to competence
- Integrity and ethical values
- Board of Directors and Audit Committee
- Management philosophy and operating style

Risk Assessment

Establish Objectives at both the entity and process level

Identify and analyze risks associated with objectives

Recognize that Risk Assessment is a critical element in designing internal controls over financial reporting

A Risk Assessment includes:

- Determining the severity of a risk
- Assessing likelihood of risk frequency
- Determining how the risk should be managed

Risk Assessment (Continued)

COSO provides the following assertions that underlie an entity’s financial statements:

- Existence
- Occurrence
- Completeness
- Rights and Obligations
- Valuation or Allocation
- Presentation and Disclosure

The Foreign Corrupt Practices Act provides these assertions:

- Authorization
- Completeness and Accuracy
- Proper Classification
- Evaluation of Balances
- Access to Assets

Control Activities

Policies and procedures that ensure management directives are carried out

Ensures that necessary actions are taken to address risks

Occurs throughout the organization at all levels and functions

Control activities include:

- Authorizations
- Segregation of Duties
- Recording
- Safekeeping
- Reconciliations

Control Activities (Continued)

Adequate Controls exist when management has designed them in a manner that achieves reasonable assurance that risks have been managed effectively

Reasonable Assurance implies that material errors and irregularities will be prevented or detected and corrected within a timely period by employees during the normal course of performing their duties.

Types of Controls

- Preventive
- Detective
- Primary
- Secondary
- Pervasive
- Manual
- Automated
- IT General Controls: Pervasive, Preventive, Detective
- IT Application Controls: Pervasive, Preventive, Detective

Internal Control Assessment

Assessment of internal controls is required at design and operating levels

A Design deficiency exists when a necessary control is missing or an existing control is not properly designed to achieve the control objective

An Operating deficiency exists when a properly designed control is not operating as designed or the person performing the control does not possess the necessary authority or qualifications to effectively perform the control

Degree of Control Deficiencies

Control deficiencies can range from inconsequential to material weaknesses

A Significant Deficiency is one that could adversely affect the entity's ability to initiate, record, process and report financial data consistent with the assertions of management in the financial statements

A Material Weakness is a significant deficiency in one or more of the internal controls that alone or together preclude internal controls from reducing to an appropriately low level the risk that material misstatements in the financial statements will not be prevented or detected in a timely manner

Information & Communication

Pertinent Information must be identified and communicated in a form and timeframe that enables people to carry out their responsibilities

The quality of information received and given influences the quality of decisions made

Information is needed at all levels of an organization to run the business and achieve objectives

Communication must take place, dealing with expectations, responsibilities and other matters

Monitoring

Is a process that assesses the quality of internal controls over time

Ensures that internal controls are operating as expected

Applied to all activities of an organization

Should focus on high risk areas

Monitoring can be accomplished by:

- Ongoing Activities
- Separate Evaluations

Any Questions?

Larry