Using The COSO Framework - PQ COSO

Using the COSO Framework to Develop a Strong and Preventive Control Environment
Weaver Public Sector CPE Event

Speakers

Alyssa G. Martin, CPA
Dallas Executive Partner, Advisory Services
25+ years of public accounting experience, with a practice emphasis in risk management, internal audit, and business process improvement consulting

Dan Graves, CPA
Senior Manager, Advisory Services
10+ years of public accounting experience, with a practice emphasis in risk management and assessment, internal audit, and process improvement
Topics

• Overview – COSO 2013 Internal Control Integrated Framework
• Considering All Risks and Costs
• Focus on Fraud and IT
• Putting It Into Action
• Common Transaction Processing Areas
– Purchase-to-Pay
• Balancing Internal Controls
COSO Internal Control Integrated Framework

COSO Framework
COSO (Committee of Sponsoring Organizations) is an integrated framework for internal control which, when implemented, can provide a baseline to establish a control structure.

• COSO identifies five components of control that need to be in place and integrated into the organization’s operations
• The focus for a financial statement audit is on financial reporting
• Internal audit includes compliance and operations with financial reporting
What is Internal Control?

A process effected by an entity’s commissions or council, management and other personnel and designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Safeguarding of assets
Requirements for Effective Internal Control

• Provides reasonable assurance regarding the achievement of objectives and requires that:
– Each component and each relevant principle is present and functioning
– The five components are operating together in an integrated manner
• Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology)
• Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies
• A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives
COSO Components & Principles

Component: Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Board is independent and oversees internal controls
3. Establishes structure, authority and responsibility
4. Attracts, develops and retains competent individuals
5. Holds individuals accountable for responsibilities

Component: Risk Assessment
6. Specifies suitable and clear objectives
7. Identifies and analyzes risk
8. Assesses potential for fraud risk
9. Identifies and analyzes significant change and its impact

Component: Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures

Component: Information & Communication
13. Uses relevant, quality information
14. Communicates internally internal control responsibilities
15. Communicates externally matters affecting controls

Component: Monitoring Activities
16. Conducts ongoing and/or separate evaluations of controls
17. Evaluates and communicates deficiencies to responsible parties
Considering All Risks and Costs

Risk Considerations

• Misappropriation of assets
• Fraudulent or inaccurate financial reporting
• Operational effectiveness and efficiency
• Compliance risk
• Reputational risk
• Regulatory and legal compliance risk
• Strategy and operational alignment
Risk Considerations

Balancing is important in both big and small organizations.

A number of studies support the conclusion that material weaknesses in internal control are more likely in smaller, younger and financially weaker organizations.
Targeted Process

Focus on driving standardization, and perfecting individual compliance activities:
• Improvements in upstream business processes
• Higher levels of maturity in overall compliance efforts
Internal Control Costs

Direct Costs
• Personnel
• Third-party audits
• IT systems

Indirect Costs
• Potential inefficiency
• Reduced productivity
External Drivers

• COSO 2013
• State or Federal Audits and Reviews
• State or Federal Laws & Regulatory Guidance
• Federal Awards

(Local, State, Federal)
Focus on Fraud and IT

IT & Fraud: Enhanced Focus

Due to the advancement and sophistication of IT systems and the proliferation of fraudulent activity since the 1992 framework, the new COSO has an enhanced focus on IT and fraud considerations.
IT & Fraud: Enhanced Focus

Assessing the significance of IT systems in your environment receives specific focus in the new COSO.

• Organizations are encouraged to identify the significant systems within their environment and develop specific controls over the management and application of those systems
• Additionally, organizations are challenged to consider their internal IT operations to ensure they have adequate authority, staffing, training, and expertise
• Knowing your dependence on specific systems to operate and execute daily functions is a prerequisite for assessing the IT environment
• Organizations are encouraged to perform risk assessments to identify the likelihood and impact of fraud schemes in their environment
• Requires the consideration of the three major components of committing a fraud – pressure, opportunity, and rationalization
• An organization should know where it is vulnerable to different types of fraud and design controls to prevent and detect inappropriate activities
Fraud Prevention: Why it Matters

• A typical organization loses 5% of its annual revenue to fraud
– For 2014 GWP, this figure translates to a potential total fraud loss of more than $3.7 trillion
• The median loss caused by occupational fraud cases is $145,000
– More than 22% of fraud cases involved losses of at least $1 million
• Fraud typically lasts a median of 18 months before being detected
The Fraud Diamond

• Opportunity – Opens the door for the perpetrator
• Incentive – Leads the perpetrator to the door
• Rationalization – Coaxes the perpetrator to the door
• Capability – Enables the perpetrator to walk through the door
Fraud Prevention: Detecting Occupational Fraud

[Chart: detection methods for occupational fraud. Source: 2014 Association of Certified Fraud Examiners “Report to the Nation.”]
Top Fraud Scenarios

Each entry lists the process, the fraud scheme, and the recommended response.

1. Revenue
   Scheme: Improper/early revenue recognition; fictitious revenue
   Response: Implement month-end review of financial statements; require review and approval of journal entries
2. Expenses
   Scheme: Hiding losses in future reporting periods
   Response: Implement month-end review of financial statements
3. Cash and Cash Equivalents
   Scheme: Larceny; defalcation
   Response: Establish ACH deposit into main operating account; implement lockbox through independent bank
4. Occupational Injury
   Scheme: Non-compliance with FMLA, abuse of FMLA
   Response: Require review and approval of submitted forms
5. Financial Reporting
   Scheme: Manipulation of management estimates for receivables, goodwill, or depreciation
   Response: Review and approval of journal entries; require supporting documentation for all estimates
6. Improper Note Disclosure
   Scheme: Omission of material contingencies
   Response: Implement month-end checklist reviewed by various members of management
7. Hiring Process
   Scheme: Payment to fictitious employees
   Response: Segregation of duties in the payroll process; outsource payroll
8. Compliance with Contracts
   Scheme: Awarding contracts to parties related to individuals involved in the decision making process
   Response: Involve various members of management in contract approval; require two signatures for approval of material contracts
9. Assets
   Scheme: Improper valuation of securities, inventory, fixed assets
   Response: Management review and approval of valuation methods
10. Expense Reimbursement Process
   Scheme: Reimbursement for undocumented expenses
   Response: Require employee expense reimbursement forms with attached original receipts
11. Competitive Bid Rigging
   Scheme: Establishing criteria that gives select vendors an unfair advantage
   Response: Require independence confirmation for all members involved in negotiations
12. Performance and Compensation Review
   Scheme: Overpayment to existing employees
   Response: Segregation of duties in the payroll process; outsource payroll
13. Credit Card Process
   Scheme: Reimbursement for personal, non-deductible expenses
   Response: Require employee acceptance of Terms of Use and re-payment for personal expenses
14. Non-Financial
   Scheme: Falsifying external documents to suppliers
   Response: Require approved contracts and purchase orders
15. Document Storage
   Scheme: Destruction or disappearance of records
   Response: Establish Code of Conduct that restricts tampering with records; third-party document storage
The Framework in Action: Assessing & Designing Internal Controls

Assessing Internal Controls

• Are your controls keeping pace with your organization?
– Major change - your growth, changes in programs, restructurings, or new markets, products, and partners introduce risk
• Changes in the operating environment
– Accelerating pace of operations - your controls need to adapt to planned changes and unforeseen circumstances and keep in sync with the organization
– New and evolving expectations for non-financial reporting - stakeholders seek greater transparency and confidence in your reporting
– Ongoing regulatory oversight and scrutiny
• Changes inside the organization
– Greater complexity in your operating model and structure
– Complex, interconnected operations
– Expanding reliance on technology - new uses of existing technology and new investments may impact risks for internal and external interactions
Assessing Internal Controls

• How effective is your internal control?
– Do your strategic goals, initiatives, priorities, or operating decisions introduce new risks that impact your internal control?
– Should we consider additional opportunities for applying internal control to important reporting, operations, and compliance objectives? Why not?
– What breakdowns have we experienced with existing controls? Why didn’t we know about those before? How could they have been prevented?
– Do internal controls reduce identified risks to an acceptable level?
• How do your entity-level controls map to each of the principles?
– Follow the points of focus
– Cover each attribute
– Evaluate the coverage of your entity-level controls
– Provide a baseline on which to build process-specific controls
COSO 2013 Internal Control Framework Mapping

Mapping describes how various controls affect COSO Principles.

Component: Control Environment

Principle: 1. The organization demonstrates a commitment to integrity and ethical values.

Controls embedded in other principles or components that may affect the principle:
• Control Environment: Human Resources review employees’ confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity.
• Information & Communication: Management obtains and reviews data and information underlying potential deviations captured in the whistle-blower hotline to assess quality of information.
• Monitoring Activities: Internal Audit separately evaluates the Control Environment, considering employee behaviors and whistleblower hotline results, and reports thereon.
COSO 2016: Control Activities

The policies and procedures that help ensure that management directives are carried out. They take many forms including policies and procedures, approvals, verifications, reconciliations, performance reviews, security measures, and segregation of duties.

Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.
Nature of Controls: Preventive vs. Detective

Preventive Controls: Either people-based or systems-based, designed to prevent errors or omissions (including fraud) from occurring, and generally positioned at the source of the risk within a business process
• Standards, policies and procedures are the most basic type of preventive controls
• Segregation of duties also acts as a preventive control against fraud
• Authorization/approval levels also prevent the risk of an illegal act and are thus preventive in nature

Detective Controls: Either people-based or systems-based, designed to detect and correct errors or omissions (including fraud) in a timely manner prior to completion of a stated objective
• Exception reports – review of various exception reports helps in detecting errors
• Reconciliations – after-the-fact reconciliations act as a double check against errors and exceptions
• Periodic audits also act as a very good detective control
Nature of Controls: Primary vs. Secondary

Primary Controls
• Controls that are especially critical to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions for each significant account balance, class of transactions and disclosure
• Controls that managers and process owners primarily rely on

Secondary Controls
• Controls important to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions, but are not considered “critical” by management and process owners
• These controls are significant, but there are compensating controls that also assist in achieving the assertions
Designing Effective Internal Control Activities

• Understanding the Risk
– In order to identify appropriate control activities the risks inherent in a particular process or organization must be identified
• Identifying Control Activities
– Once you have identified the risk, identify the control activity, reducing the identified risk to an acceptable level.
– The controls identified to reduce risk may be direct and precise
– Each identified risk should have a primary control or a group of secondary controls that appropriately mitigate those risks
Effective Internal Control Activities

• Recommendations for Design Improvement
– Compare Benefit vs. Costs
• Consider People, Process, Technology
• Example: There is no point in protecting an asset worth a couple of hundred dollars with a biometric control costing thousands.
– Establish Internal Control
• Identify and establish activities as internal controls
• Define purpose, frequency, documentation
– It is management’s responsibility to evaluate the design and determine if the risk is acceptable.
Purchase-to-Pay: Identify the Relevant Risks

Consider the related sub-processes that make up the overall cycle or process area being evaluated. In Purchase-to-Pay, that includes:
• Procurement
• AP
• Disbursements
These all have their own unique risks.

Purchasing
1. Purchases are recorded into the general ledger completely and accurately when received.
2. Open purchase orders received are recorded in the general ledger.
3. Bids and purchases are approved by authorized personnel.
4. Coding of bids and purchases is correct.
5. Fictitious or duplicate vendors are not set up and purchases are not recorded.
6. Purchases are correctly capitalized.
7. Purchase contracts are authorized and do not contain kickback arrangements.
8. Open purchase orders are tracked to ensure that they are filled by vendors.

Accounts Payable
9. Purchases/payables are recorded and coded correctly.
10. Invoices represent goods/services actually received.
11. Fictitious or duplicate invoices are not recorded.
12. Invoices reflect correct prices, quantities and other valuation information.
13. PO variances with the vendor invoice are approved by authorized personnel.
14. Vendor invoices are properly authorized.
15. Only authorized employees are allowed to use District credit cards.

Cash Disbursements
16. Cash disbursements are correctly coded.
17. Cash disbursements are recorded in the proper period.
18. Cash disbursements are recorded when paid.
19. Cash disbursements relate to actual purchases/expenses.
20. Duplicate or fictitious cash disbursements are not processed.
21. Cash disbursements are properly authorized.
22. Cash disbursement amounts recorded agree with amounts paid.
Purchase-to-Pay: Identify the Controls

AUTHORIZATION AND SEGREGATION OF DUTIES

• The organization has established delegation of authority to indicate the value and type of expense that may be approved by each individual.
• Purchase orders and invoices are routed for approval based on the authority limits established in the system. Authorization is required for issuing a PO or recording an invoice.
• Purchasing issues POs and tracks status. AP receives invoices and records transactions. Individuals do not have access to both Purchasing and AP.
Purchase-to-Pay: Identify the Controls

PROCESSING AND MATCHING

• Invoices are matched to a Purchase Order and receiving document upon receipt by the AP department.
• AP codes each invoice and submits it for approval based on the approval routing established in the system. Approvers sign off on invoices electronically to indicate that the goods were received in good condition, the value is accurate, and the coding is appropriate.

DISBURSEMENT TYPE

• Manual checks are requested on a check form and approved by the CFO.
• Wire disbursements are requested on a wire form and approved by the CFO. The Controller sets up wires on the bank portal and the CFO releases.
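The authorization, segregation-of-duties and matching controls on the two preceding slides, together with the duplicate-invoice risk (risk 11) from the risk list, written as automated preventive checks over a batch of invoices. This is an added example, not material from the deck or from Weaver; the authority limits, role names, staff identifiers and invoice records are all constructed assumptions.

```python
from dataclasses import dataclass

# Delegation of authority (assumed limits): the largest invoice each role may approve.
AUTHORITY_LIMITS = {"supervisor": 5_000, "director": 50_000, "cfo": 1_000_000}

@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    amount: float
    issued_by: str         # Purchasing staff member who issued the PO

@dataclass
class Invoice:
    invoice_no: str
    vendor: str
    amount: float
    po_id: str
    recorded_by: str       # AP staff member who recorded the invoice
    goods_received: bool   # a receiving document exists for this invoice
    approver: str
    approver_role: str

def check_invoice(inv, pos, seen):
    """Return the control exceptions for one invoice (empty list = all checks passed)."""
    findings = []
    po = pos.get(inv.po_id)
    # Three-way match: the invoice must tie to a PO and to a receiving document.
    if po is None:
        findings.append("no matching purchase order")
    else:
        if po.vendor != inv.vendor or abs(po.amount - inv.amount) > 0.005:
            findings.append("PO variance: needs approval by authorized personnel")
        # Segregation of duties: one person must not both issue the PO and record the invoice.
        if po.issued_by == inv.recorded_by:
            findings.append("SoD: same person issued PO and recorded invoice")
    if not inv.goods_received:
        findings.append("no receiving document")
    # Authorization: the approver's delegated limit must cover the amount, and the
    # approver must not be the person who recorded the invoice.
    if inv.amount > AUTHORITY_LIMITS.get(inv.approver_role, 0):
        findings.append(f"approver role '{inv.approver_role}' exceeds authority limit")
    if inv.approver == inv.recorded_by:
        findings.append("SoD: invoice approved by the person who recorded it")
    # Duplicate invoice (risk 11): same vendor and invoice number already recorded.
    key = (inv.vendor, inv.invoice_no)
    if key in seen:
        findings.append("duplicate invoice")
    seen.add(key)
    return findings

def run_batch(pos, invoices):
    """Run every invoice through the checks; returns [(invoice_no, findings), ...]."""
    seen = set()
    return [(inv.invoice_no, check_invoice(inv, pos, seen)) for inv in invoices]

# Constructed sample data (not real records): a clean invoice, an SoD plus authority
# breach, and a resubmitted duplicate of the first invoice.
SAMPLE_POS = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Supply", 4_200.00, "purchasing.ann"),
    "PO-1002": PurchaseOrder("PO-1002", "Acme Supply", 75_000.00, "ap.bob"),
}
SAMPLE_INVOICES = [
    Invoice("INV-7", "Acme Supply", 4_200.00, "PO-1001", "ap.bob", True, "sup.cara", "supervisor"),
    Invoice("INV-8", "Acme Supply", 75_000.00, "PO-1002", "ap.bob", True, "dir.dan", "director"),
    Invoice("INV-7", "Acme Supply", 4_200.00, "PO-1001", "ap.bob", True, "sup.cara", "supervisor"),
]
```

Running `run_batch(SAMPLE_POS, SAMPLE_INVOICES)` flags the second invoice for both the SoD breach and the exceeded approval limit, and the third as a duplicate, while the first passes cleanly.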
Purchase-to-Pay: Evaluate Control Design

Do the control activities for a given process contain a sufficient quantity of preventive and detective controls?

A well designed control environment contains a mix of preventive and detective controls. We frequently see a tendency to rely on detective controls, as opposed to leveraging system functionality to build preventive controls into the process.

Detective Control: The Controller reviews the final check register to ensure that printed checks match the approved check run.

Complementary Preventive Control: The Controller reviews the final check run and prepares the Positive Pay that is issued to the bank to authorize the printed checks.
Purchase-to-Pay: Linking Controls to COSO

COSO Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Points of Focus
• Reflects External Laws and Regulations: Laws and regulations establish minimum standards of conduct which the entity integrates into compliance objectives.

Control Activity
• Purchase Orders over $50,000 must include three formal bids and be approved by Council.
Balancing Internal Controls

Balanced Controls

Consider both loss mitigation and cost mitigation in recommending controls

• Communicate the link between internal controls, risk management, and profitability (Internal Controls – Risk Mgmt – Profitability)
• The costs of a control should never exceed the benefits of a control (Cost of a Control ≤ Benefit of a Control)
Balanced Controls

Establish efficient separation of duties
• Deploy minimal number of employees for processes

Increase reliance on system controls
• Limit posting and maintenance access
• Utilize auto-balancing capabilities
• Establish dual control
Balanced Controls

Focus on crucial issues
• Determine which activities pose greatest degrees of risk
• Ensure that secondary reviewers of critical activities consider:
– Accuracy
– Completeness
– Validity
– Reasonableness
Summary

The COSO 2013 Internal Control Integrated Framework is a comprehensive baseline for evaluating the adequacy of control at your organization.
• Leveraging the 17 principles to walk through and evaluate controls will help to ensure your controls are adequately designed.

Start by identifying and relying on entity-level controls that span all process areas.
• Strong entity-level controls provide a reliable foundation upon which to build process-specific control activities.

Process-level controls can be used to show coverage of certain principles and points of focus where entity-level controls are not highly specific or precise.
• Adequately designed process controls that are developed with the COSO principles in mind will ensure a streamlined and integrated control structure.
Questions

Thank You
Alyssa G. Martin
Partner, Risk Advisory Services
[email protected]

Dan Graves
Senior Manager, Risk Advisory Services
[email protected]
