Executive's Guide to COSO Internal Controls E-Book

Contents

Cover

Series

Title Page

Copyright

Preface

Chapter 1: Importance of the COSO Internal Control Framework

THE IMPORTANCE OF ENTERPRISE INTERNAL CONTROLS

WHAT ARE ENTERPRISE INTERNAL CONTROLS?

UNDERSTANDING THE COSO INTERNAL CONTROL FRAMEWORK: HOW TO USE THIS BOOK

Chapter 2: How We Got Here: Internal Control Background

EARLY DEFINITIONS OF INTERNAL CONTROLS: FOREIGN CORRUPT PRACTICES ACT OF 1977

THE FCPA AND INTERNAL CONTROLS TODAY

EVENTS LEADING UP TO THE TREADWAY COMMISSION

EARLIER AICPA AUDITING STANDARDS: SAS NOS. 55 AND 78

THE TREADWAY COMMITTEE REPORT

THE ORIGINAL COSO INTERNAL CONTROL FRAMEWORK

THE SARBANES-OXLEY ACT AND INTERNAL ACCOUNTING CONTROLS

NOTES

Chapter 3: COSO Internal Controls: The New Revised Framework

UNDERSTANDING INTERNAL CONTROLS

REVISED FRAMEWORK BUSINESS AND OPERATING ENVIRONMENT CHANGES

THE REVISED COSO INTERNAL CONTROL FRAMEWORK

COSO INTERNAL CONTROL PRINCIPLES

COSO OBJECTIVES AND BUSINESS OPERATIONS

SOURCES FOR MORE INFORMATION

Chapter 4: COSO Internal Control Components: Control Environment

IMPORTANCE OF THE CONTROL ENVIRONMENT

CONTROL ENVIRONMENT PRINCIPLE 1: INTEGRITY AND ETHICAL VALUES

CONTROL ENVIRONMENT PRINCIPLE 2: ROLE OF THE BOARD OF DIRECTORS

CONTROL ENVIRONMENT PRINCIPLE 3: THE NEED FOR AUTHORITY AND RESPONSIBILITY

CONTROL ENVIRONMENT PRINCIPLE 4: HUMAN RESOURCE STRENGTHS

CONTROL ENVIRONMENT PRINCIPLE 5: INDIVIDUAL INTERNAL CONTROL RESPONSIBILITIES

COSO CONTROL ENVIRONMENT IN PERSPECTIVE

Chapter 5: COSO Internal Control Components: Risk Assessment

RISK ASSESSMENT COMPONENT PRINCIPLES

RISK IDENTIFICATION AND ANALYSIS

RISK RESPONSE STRATEGIES

FRAUD RISK ANALYSIS

COSO RISK ASSESSMENT AND THE REVISED INTERNAL CONTROL FRAMEWORK

NOTES

Chapter 6: COSO Internal Control Components: Control Activities

COSO CONTROL ACTIVITY PRINCIPLES

COSO CONTROL ACTIVITIES TODAY

Chapter 7: COSO Internal Control Components: Information and Communication

INFORMATION AND COMMUNICATIONS: WHAT HAS CHANGED?

INFORMATION AND COMMUNICATION PRINCIPLE 1: USE OF RELEVANT INFORMATION

INFORMATION AND COMMUNICATION PRINCIPLE 2: INTERNAL COMMUNICATIONS

INFORMATION AND COMMUNICATION PRINCIPLE 3: EXTERNAL COMMUNICATIONS

THE IMPORTANCE OF COSO INFORMATION AND COMMUNICATION

NOTES

Chapter 8: COSO Internal Control Components: Monitoring Activities

IMPORTANCE OF COSO MONITORING INTERNAL CONTROL ACTIVITIES

COSO MONITORING PRINCIPLE 1: CONDUCT ONGOING AND SEPARATE EVALUATIONS

COSO MONITORING PRINCIPLE 2: EVALUATE AND COMMUNICATE DEFICIENCIES

COSO INTERNAL CONTROL MONITORING IN PERSPECTIVE

NOTE

Chapter 9: COSO Internal Control GRC Operations Controls

COSO OPERATIONS OBJECTIVES

PLANNING AND BUDGETING OPERATIONS CONTROLS

IT SYSTEMS OPERATIONS CONTROLS

OPERATIONS PROCEDURE CONTROLS AND SERVICE CATALOGS

IMPORTANCE OF COSO OPERATIONS CONTROLS

NOTE

Chapter 10: COSO Reporting Processes

COSO REPORTING OBJECTIVES

COSO EXTERNAL FINANCIAL REPORTING CONTROLS

COSO INTERNAL FINANCIAL REPORTING CONTROLS

COSO EXTERNAL NONFINANCIAL REPORTING CONTROLS

COSO INTERNAL NONFINANCIAL REPORTING CONTROLS

IMPORTANCE OF COSO REPORTING CONTROLS

NOTE

Chapter 11: COSO Legal, Regulatory, and Compliance Objectives

IMPORTANCE OF ENTERPRISE COMPLIANCE CONTROLS

REGULATORY COMPLIANCE CONTROL ISSUES

INTERNAL CONTROLS AND LEGAL ISSUES

COMPLIANCE WITH PROFESSIONAL AND OTHER STANDARDS

Chapter 12: Internal Control Entity and Organizational GRC Relationships

INTERNAL CONTROLS FROM AN ORGANIZATIONAL GRC PERSPECTIVE

ENTERPRISE GOVERNANCE OVERALL CONCEPTS

BUSINESS ENTITY–LEVEL INTERNAL CONTROLS

DIVISIONAL AND FUNCTIONAL UNIT INTERNAL CONTROLS

DEPARTMENT- AND UNIT-LEVEL INTERNAL CONTROLS

ORGANIZATION AND GRC CONTROLS IN PERSPECTIVE

NOTE

Chapter 13: COSO, Service Management, and Effective IT Controls

IMPORTANCE OF IT GENERAL CONTROLS

IT GOVERNANCE GENERAL CONTROLS

IT MANAGEMENT GENERAL CONTROLS

CLIENT-SERVER AND SMALLER SYSTEMS GENERAL IT CONTROLS

ITIL SERVICE MANAGEMENT BEST PRACTICES

SERVICE DELIVERY BEST PRACTICES

NOTES

Chapter 14: Cloud Computing, Virtualization, and Wireless Networks

INTERNAL CONTROLS FOR IT WIRELESS NETWORKS

CLOUD COMPUTING AND COSO INTERNAL CONTROLS

STORAGE MANAGEMENT VIRTUALIZATION

COSO INTERNAL CONTROLS AND NEWER TECHNOLOGIES

NOTE

Chapter 15: Another Framework: COSO ERM

ERM DEFINITIONS AND THE ERM PORTFOLIO VIEW OF RISK

THE COSO ERM FRAMEWORK MODEL

OTHER DIMENSIONS OF THE ERM FRAMEWORK

COSO ERM AND THE REVISED INTERNAL CONTROL FRAMEWORK

NOTES

Chapter 16: Understanding and Using COBIT

AN EXECUTIVE’S INTRODUCTION TO COBIT

USING COBIT TO ASSESS ENTERPRISE INTERNAL CONTROLS

MAPPING COBIT TO COSO INTERNAL CONTROLS

NOTES

Chapter 17: ISO Internal Control and Risk Management Standards

BACKGROUND AND IMPORTANCE OF ISO STANDARDS IN A GLOBAL COMMERCE WORLD

ISO STANDARDS OVERVIEW

ISO STANDARDS AND THE COSO INTERNAL CONTROL FRAMEWORK

NOTES

Chapter 18: COSO Internal Controls in the Board Room

BOARD DECISIONS AND INTERNAL CONTROL PROCESSES

BOARD ORGANIZATION AND GOVERNANCE RULES

CORPORATE CHARTERS AND THE BOARD COMMITTEE STRUCTURE

THE AUDIT COMMITTEE AND MANAGING INTERNAL CONTROLS

BOARD MEMBER INTERNAL CONTROL KNOWLEDGE REQUIREMENTS

COSO INTERNAL CONTROLS AND CORPORATE GOVERNANCE

NOTES

Chapter 19: Service Organization Control Reports and COSO Internal Controls

IMPORTANCE OF SERVICE ORGANIZATION INTERNAL CONTROLS

EARLY STEPS TO GAIN ASSURANCE: SAS 70

SERVICE ORGANIZATION CONTROL (SOC) REPORTS

RIGHT-TO-AUDIT CLAUSES

INTERNAL CONTROL LIMITATIONS

Chapter 20: Implementing the Revised COSO Internal Control Framework

UNDERSTANDING WHAT IS NEW IN THE 2013 FRAMEWORK

TRANSITIONING TO THE NEW COSO GUIDANCE

STEPS TO BEGIN IMPLEMENTING THE NEW COSO INTERNAL CONTROL FRAMEWORK

Index

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.

Cover image: iStockphoto/merrymoonmary Cover design: Wiley

Copyright © 2014 by Robert R. Moeller. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

ISBN 978-1-118-62641-2 (Hardcover) ISBN 978-1-118-81377-5 (ePDF) ISBN 978-1-118-81381-2 (ePub)

Preface

INTERNAL CONTROL IS A BASIC management concept that covers all aspects of enterprise operations, from basic accounting processes to production operations to IT systems and more. However, in past years, it was one of those nice-sounding expressions where no one really had a consistent definition about what was meant by effective internal controls. Then, after a series of accounting scandals in the early 1990s, a group of professional accounting and finance organizations, including the American Institute of Certified Public Accountants (AICPA), formed what has become the Committee of Sponsoring Organizations (COSO) to develop a consistent framework to define the concept of internal controls.

After a lengthy period of review and comments as a public exposure document, the initial COSO internal control framework was released in 1992. It is not a formal standard or a set of governmental regulations but a framework outlining the characteristics and concepts of an effective system of internal control for enterprises of all types and sizes. It was soon adapted as a requirement for external auditors in their assessments of financial statement internal controls, and it became a key measure for assuring Sarbanes-Oxley Act (SOx) compliance.

Although this framework has remained unchanged and in effect since its 1992 release, that original framework no longer really reflected some of the massive changes in IT and business systems since then, as well as the more collaborative and international nature of business today and growing concerns for improved enterprise governance processes. As a result, COSO has recently revised its internal control framework, with a beginning draft and comment period, and the new revised COSO internal control framework was released in May 2013.

This book provides an executive-level description of the new COSO internal control framework. In the following chapters, we describe the components of the new framework and the elements that are particularly important to enterprise business operations. We have also taken COSO’s three-dimensional framework and rotated it around to better explain the importance of all of the internal control framework’s elements. Various chapters also look at such supporting guidance materials as COBIT and both ISO internal control and risk management standards, with an emphasis on building and implementing effective enterprise internal controls.

One of this book’s objectives is to introduce and explain this revised COSO internal control framework in such a manner that an enterprise executive can use this internal control guidance material to understand and implement effective internal controls processes, as well as to explain the importance of COSO internal controls to board and audit committee members, to other members of the staff, and to IT management, as well as to retain an overall understanding of the importance of COSO internal controls. In addition, we will discuss transition and implementation rules for using this revised COSO framework to achieve Sarbanes-Oxley internal control compliance.

At first glance, the COSO internal control framework looks complex and confusing, but it is an important management tool that should be with us for some years to come. Enterprises may adopt this new framework immediately or may continue to use the old framework until December 15, 2014, at which point the updated framework will supersede the original framework.

CHAPTER 1

Importance of the COSO Internal Control Framework

IT IS NOT A STANDARD or detailed requirement but only a framework. Some business executives may ask then, “Who or what is COSO?” In our business world of multiple rules and regulations that have been established by numerous governmental and other agencies that often use hard-to-remember acronyms, it is easy to roll our eyes or shrug our shoulders at yet another set of standards. In addition, COSO (Committee of Sponsoring Organizations) internal controls are only a framework model outlining professional practices for establishing preferred business systems and processes that promote efficient and effective internal controls. Also, the “sponsoring organizations” that issue and publish this material are neither governmental nor some other regulatory agencies. Nevertheless, the COSO internal control framework is an important set or model of guidance materials that enterprises should follow when developing their systems and procedures, as well as when establishing Sarbanes-Oxley Act (SOx) compliance.

This COSO internal control framework was originally launched in the United States in 1992, now a long time ago. This was yet another period of notable fraudulent business practices in the United States and elsewhere that identified a well-recognized need for improved internal control processes and procedures to help and guide. The 1992 COSO internal control framework soon became a fundamental element of American Institute of Certified Public Accountants (AICPA) auditing standards in the United States, and eventually became the standard for enterprise external auditors in their reviews, certifying that enterprise internal controls were adequately following the Sarbanes-Oxley Act (SOx) rules. Because of its general nature describing good internal control practices, the COSO framework had never been revised until the present.

Since the release of that original COSO framework, a whole lot has changed for business organizations and particularly for their IT processes during these interim years. For example, mainframe computer systems with lots of batch-processing procedures were common then but have all but gone away, to be replaced by client-server systems. Also, while the World Wide Web was just getting started then, it was not nearly as developed as it is today. Because of the Internet, enterprises’ organization structures have become much more fluid, flexible, and international. In addition, things such as social network computing, powerful handheld devices, and cloud computing did not exist back then.

Although some might wonder why it took so long, COSO announced in 2011 that it was revising its internal control framework with a draft version, which was issued in early 2012. That COSO internal control draft was circulated to a wide range of internal and external auditors, academics, and enterprise financial management, and it went through an extensive public comment period. The final revised COSO internal control framework description was released in mid-May 2013.

The following chapters describe the revised COSO internal control framework in some detail and explain why its concepts are very important for enterprise management today. This chapter begins with some background information on the COSO internal control framework from a senior executive management perspective. The COSO internal control framework sets the stage for achieving SOx compliance and will continue to be even more important with its new revised version. This book will conclude with some guidance and rules for implementing the new revised COSO internal control framework.

THE IMPORTANCE OF ENTERPRISE INTERNAL CONTROLS

An effective internal control system is one of the best defenses against business failure. An internal control system is an important driver of business performance, which manages risk and enables the creation and preservation of enterprise value. Internal controls are an integral part of an enterprise’s governance system and ability to manage risk, which is understood, effected, and actively monitored by an enterprise governing body, its management, and other personnel to take advantage of the opportunities and to counter the threats to achieving an enterprise’s objectives. On a very high-level conceptual manner, Exhibit 1.1 shows the relationship of internal controls as a component of risk-management processes and as a key element of enterprise governance.

Internal controls are a crucial component of an enterprise’s governance system and ability to manage risk, and it is fundamental to supporting the achievement of an enterprise’s objectives and creating, enhancing, and protecting stakeholder value. High-profile organizational failures typically lead to the imposition of additional rules and requirements, as well as to subsequent time-consuming and costly compliance efforts. However, this obscures the fact that the right kind of internal controls—which enable an enterprise to capitalize on opportunities, while offsetting threats—can actually save time and money and promote the creation and preservation of value. Effective internal controls also create a competitive advantage, because an enterprise with effective controls can take on additional risks.

Internal controls are designed to protect an enterprise and its related business units from the loss or misuse of its assets. Sound internal controls help ensure that transactions are properly authorized, that supporting IT systems are well-managed, and that the information contained in financial reports is reliable. An internal control is a process through which an enterprise and one of its operating units attempts to minimize the likelihood of accounting-related errors, irregularities, and illegal acts. Internal controls help safeguard funds, provide for efficient and effective management of assets, and permit accurate financial accounting. Internal controls cannot eliminate all errors and irregularities, but they can alert management to potential problems.

WHAT ARE ENTERPRISE INTERNAL CONTROLS?

A classic definition states that internal controls consist of the plan of organization and all of the coordinate methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies. This definition recognizes that a system of internal controls extends beyond those matters that relate directly just to the functions of the accounting and financial departments. Rather, an internal control is a business practice, policy, or procedure that is established within an enterprise to create value or minimize risk. Although enterprises first thought of internal controls in terms of fair and accurate accounting processes and effective operational management, information technology (IT) controls are also a very important subset of internal controls today. They are designed to ensure that the information within an enterprise operates as intended, that data is reliable, and that the enterprise is in compliance with all applicable laws and regulations.

We should think of internal controls not as just one solitary activity but as a series of related internal system actions. For example, a requirement that all sales receipts must be accurate and assigned to correct accounts may be an important internal control, but processes should also be in place to correct out-of-balance sales receipts and to make related adjustments as necessary. Together, these requirements and processes represent an internal control system. These internal control systems are often complex, and it is not practical or profitable to attempt to independently review every transaction. Instead, management should be alert to conditions that could indicate potential problems.

Enterprise personnel at all levels, and senior executives in particular, should be responsible for understanding internal control concepts and helping to manage and implement effective internal control systems in their enterprises. This is particularly important for senior-level enterprise internal controls, in which different business units and subsidiaries must interact and IT systems must connect through often complex business and international interconnections. In addition, an enterprise must establish overall governance practices and operate in compliance with the numerous laws, regulations, and standards that affect its operations.

In a business operation, finance and accounting personnel have certain internal control responsibilities, a purchasing executive has others, and an IT systems developer has different responsibilities, but a senior executive should have an overall understanding of all aspects of internal controls throughout an enterprise, as well as of the top-level internal control concepts that affect overall enterprise operations and governance processes. The COSO internal control framework ties these all together, and an objective of this book is to help the senior executive understand these internal control concepts and, at a minimum, ask the right questions.

UNDERSTANDING THE COSO INTERNAL CONTROL FRAMEWORK: HOW TO USE THIS BOOK

Internal controls are important enterprise tools and concepts to ensure accurate financial reporting and management. However, in past years, internal controls was only a nice-sounding term by which professionals at all levels acknowledged that having effective internal controls was important. That was a long time ago, and matters were very much resolved with the introduction of the COSO internal control framework back in 1992. That best practices guide stood the test of time until it was recently updated.

This book will introduce the revised new COSO internal control framework from the perspective of senior enterprise executives. Chapter 2 will introduce the original framework that has been important for achieving SOx financial reporting compliance. Then, starting with Chapter 3, we will introduce and explain the new revised COSO internal control framework. This approach outlines and explains COSO’s complex-looking three-dimensional model for building and establishing enterprise internal controls. The chapters following take COSO’s three-dimensional framework and look at it from each of its dimensions to help the enterprise executive understand this internal control framework.

Other chapters cover supplementary standards or frameworks that are closely related to the COSO internal control framework, such as the continuing relationship of this framework to SOx internal control requirements, its relationship with the COBIT framework, and the current status of the related COSO enterprise risk management framework.

This book will conclude with guidance for implementing this revised framework. Although much of the COSO framework describes general practices that are applicable in many dimensions, there are some subtle differences between this new revised framework and the original edition. Following the transition rules outlined in Chapter 20, an enterprise must specify the version of the COSO internal control framework used when releasing its SOx financial reports.

The original COSO framework was with us for many years, and we expect these revisions will also be in place for years into the future. A goal of this book is to provide sufficient summary information about the revised COSO internal control framework such that a senior executive can brief members of the audit committee about the nature of this new revision and can also help members of the enterprise management team understand and implement enterprise internal controls that are consistent with these new revisions.

CHAPTER 2

How We Got Here: Internal Control Background

ALTHOUGH THE CONCEPT OF BUSINESS and accounting systems internal controls is fairly well understood today by enterprise senior managers, this was not true before the late 1980s. In particular, while we often understood the general concept, there had been no consistent agreement among many interested persons of what was meant by “good internal controls” from either a business process or a financial accounting sense. Those early definitions first came from the American Institute of Certified Public Accountants (AICPA) and were then used by the U.S. Securities and Exchange Commission (SEC) for the Securities Exchange Act of 1934 regulations and provide a good starting point. Although there have been changes over the years, the AICPA’s first codified standards, called the Statement on Auditing Standards (SAS No. 1), defined the practice of financial statement external auditing in the United States for many years with the following definition for internal controls:

Comprises the plan of enterprise and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies.

That original AICPA SAS No. 1 then was later modified to add administrative and accounting controls to the basic internal controls definition. Administrative controls include, but are not limited to, the plan of the enterprise and the procedures and records that are concerned with the decision-making processes that lead to management’s authorization of transactions. Such an authorization is a management function directly associated with the responsibility for achieving the objectives of the enterprise and is the starting point for establishing the accounting controls of transactions.

Accounting control comprises the plan of enterprise and the procedures and records that are concerned with the safeguarding of assets and the reliability of financial records and consequently are designed to provide reasonable assurance that