Committee of Sponsoring Organizations of the Treadway Commission
stands for COSO
Committee of Sponsoring Organizations of the Treadway Commission
is a joint initiative of the five private sector organizations listed on the right and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence
Composition of COSO Organizations
American Institute of Certified Public Accountants
Financial Executives International
Institute of Management Accountants
Institute of Internal Auditors
American Accounting Association.
Internal Control
is designed and effected by an entity's board of directors, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives in the following categories:
(1) reliability of financial reporting,
(2) effectiveness and efficiency of operations, and
(3) compliance with applicable laws and regulations.
Internal Control System
consists of all the policies and procedures (i.e., related to internal control) and processes adopted by the management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of its business.
Internal Auditors
They provide assurance and advisory support to management on internal control, including oversight, risk management, and internal control, and assist the organization in maintaining effective control.
Control Environment, Risk Assessment, Control Activities, Monitoring, Information and Communication
Elements of Internal Control
Control Environment
An element of internal control that sets the tone of an organization, influencing the control consciousness of its people.
Control Environment
An element of internal control that serves as the foundation for all other components of internal control, providing discipline and structure.
Factors that affect the Control Environment
Integrity and Ethical Values communication and enforcement
Commitment to Competence
Human Resources Policies and Practices
Assignment of Authority and Responsibility
Management's Philosophy and Operating Style
Participation of those charged with governance (Board of Directors/Audit Committee)
Organizational Structure
Control Activities
are the policies and procedures that help ensure that management's directives are carried out and are implemented to address risks identified in the risk assessment process.
may be either automated or manual.
Control Activities
Performance reviews.
Information processing controls, including authorization and document-based controls.
Physical controls.
Segregation of duties.
Performance Reviews
Under Control Activities, wherein a strong accounting system should have controls that independently check the performance of the individuals or processes in the system.
Examples:
Comparing actual performance with budgets, forecasts, and prior-period performance;
Investigating the relationship of operating and financial data followed by analysis, investigation of unexpected differences, and corrective actions; and
Reviewing functional or activity performance.
Information Processing Controls
Under Control Activities, wherein a variety of controls are used to check accuracy, completeness, and authorization in the processing of transactions. Has 2 broad categories: (1) General Controls and (2) Application Controls.
General Controls
Under Information Processing Controls, they relate to the overall information processing environment and include controls over:
data center and network operations;
system software acquisition, change, and maintenance;
access security; and
application system acquisition, development, and maintenance.
Example: An entity's controls for developing new programs for existing accounting systems should include adequate documentation and testing before implementation.
Application Controls
Under Information Processing Controls, they apply to the processing of individual applications and help ensure the occurrence (validity), completeness, and accuracy of transaction processing.
Examples:
(1) the entity should have controls that ensure that each transaction that occurs in an entity's accounting system is properly authorized and
(2) the entity should design documents and records so that all relevant information is captured in the accounting system.
Physical Controls
Under Control Activities, wherein these controls include the physical security of assets or adequate safeguards, such as:
secured facilities
authorization for access to computer programs and data files, and
periodic counting of assets such as inventory and comparison to control records.
Segregation of Duties
Under Control Activities, wherein independent performance of each of these functions reduces the opportunity for any one person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties.
Preventive, Detective, Directive, Compensating
Categories of Control Activities
Preventive
One of the categories of control activities wherein those activities that act before the error or omission can occur and reduce the likelihood and/or impact of the event.
Detective
One of the categories of control activities wherein it can identify errors or anomalies after they have occurred and alert the need for corrective action.
Directive
One of the categories of control activities wherein these are temporary controls that are implemented to redirect employee actions, sometimes called corrective controls.
Compensating
One of the categories of control activities wherein those that are put in place when a control is not where it is expected as proper design would stipulate. This could occur in a small office where an individual makes purchases, receives the items, and performs bank reconciliations.
Information System
consists of infrastructure (physical and hardware components), software, people, procedures (manual and automated), and data.
Communication
involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It can also be made electronically, orally, or through the actions of management.
Fundamental Principles of Monitoring
On-going and separate evaluations.
Reporting deficiencies.
On-going and separate evaluations
A fundamental principle of monitoring wherein these evaluations enable management to determine whether the other components of internal control continue to function over time.
Reporting deficiencies
A fundamental principle of monitoring wherein deficiencies are reported to management and the board as appropriate, which is important for taking corrective action.
This involves ongoing evaluation of the controls such as:
Periodic evaluation of controls by internal audit.
Analysis of and appropriate follow-up of operating reports or metrics that might identify anomalies indicative of a control failure.
Supervisory review of controls, such as reconciliation reviews as a normal part of processing.
Self-assessments by boards and management regarding the tone they set in the organization and the effectiveness of their oversight functions.
Audit committee inquiries of internal and external auditors.
Quality assurance reviews of the internal audit department.
Highest Level of Monitoring
The oversight provided to the entity by the board of directors (and, more specifically, the audit committee) provides the ________________.
Risk
is the possibility that events will occur and affect the achievement of a strategy and objectives
Risk
used by auditors and managers to express concerns about the probable effects of an uncertain environment.
Risk Assessment
is management's process for identifying, analyzing, and responding to such risks.
Risk Assessment Process
This process includes how management identifies risks relevant to the preparation of financial statements, estimates their significance, assesses the likelihood of their occurrence, and decides on how to manage them.
Risk Tolerance
is the acceptable level of variation in performance relative to the achievement of objectives. Risks may exist at the entity level or the transaction level.
Entity-level risks
These risks arise from external or internal factors, such as economic, regulatory, technology, and personnel factors.
Transaction-level risks
These risks are found within divisions, operating units, or functions of the organization.
Risks
represent the barriers to successfully achieving those objectives as well as the opportunities that may help achieve those objectives
Different Types of Risks
Business and Process Risk
Technological and Information Technology Risk
Personnel Risk
Financial Risk
Environmental Risk
Political Risk
Social Risk
Business and Process Risk
This is the risk that the organization's processes are not effectively obtaining, managing, and disposing their assets, that the organization is not performing effectively and efficiently in meeting customer needs, is not creating value or is diluting value by suffering the degradation of financial, physical, and information assets.
Capacity Risk
Under Business and Process Risk wherein insufficient capacity limits the ability to meet demand in the short and long term, or excess capacity threatens the firm's ability to generate competitive profit margins.
Execution Risk
Under Business and Process Risk wherein inability to produce consistently without compromising quality.
Supply Chain Risk
Under Business and Process Risk wherein it is being unable to maintain a steady stream of supplies when needed.
Business Interruption Risk
Under Business and Process Risk wherein this risk stems from the unavailability of raw materials, IT, skilled labour, facilities, or other resources that threaten the organization's ability and capacity to continue operations.
Human Resources Risk
Under Business and Process Risk wherein a lack of knowledge, skills, and experiences among the organization's key personnel that threatens the ability to achieve business objectives.
Product or Service Failure Risk
Under Business and Process Risk wherein faulty or nonperforming products and services that do not meet customer expectations can expose the organization to customer complaints, warranty claims, returns, field repairs, product liability claims, litigation causing lost revenues, lower market share, and damage to the business' reputation.
Product Development Risk
Under Business and Process Risk wherein ineffective product development threatens the organization's ability to meet or exceed customers' expectations consistently over the long term.
Cycle Time Risk
Under Business and Process Risk wherein unnecessary activities threaten the organization's capacity to develop, produce, market, and deliver goods and services in a timely manner.
Health and Safety Risk
Under Business and Process Risk wherein failure to provide a safe working environment for workers exposes the organization to compensation liabilities, loss of business reputation, and other costs.
Leadership Risk
Under Business and Process Risk wherein workers are not being led effectively resulting in lack of direction, motivation to perform, customer focus, management credibility, and trust.
Outsourcing Risk
Under Business and Process Risk wherein outsourcing activities to third parties could result in these third parties not performing in a way that is consistent with the organization's strategies, objectives, values, and behavioral standards and expectations.
Competitor Risk
Under Business and Process Risk wherein the risk that actions by competitors may threaten the organization's competitive advantage or even its survival.
Catastrophic Loss Risk
Under Business and Process Risk wherein the risk that a catastrophe threatens the organization's ability to continue operating and provide goods and services.
Industry Risk
Under Business and Process Risk wherein changing conditions that affect the attractiveness of the industry.
Planning Risk
Under Business and Process Risk wherein lack of, unrealistic, irrelevant, or unreliable planning information could result in poor conclusion and decisions. This risk is often triggered when plans and budgets are unrealistic, not based on appropriate assumptions or performance metrics, is not relevant to organization goals, or unaccepted by managers and workers.
Organization Structure Risk
Under Business and Process Risk wherein the organization's structure does not support change, flexibility, or the organization's strategies. An ineffective organizational structure can threaten its ability to change.
Integrity and Fraud Risk
Under Business and Process Risk wherein risk of management or employee fraud, illegal or unauthorized acts that could result in reputation loss.
Management Fraud
is the intentional misstatement of financial and operational reports that negatively affects external stakeholders' decisions.
Trademark Erosion Risk
Under Business and Process Risk wherein the erosion of a trademark or brand over time threatens the demand for the organization's products and services. It also limits its ability to develop and grow future revenue streams.
Reputation Risk
Under Business and Process Risk wherein risk of loss generally related to ethics, safety, security, quality, innovation, and sustainability causing lost revenue, higher capital and regulatory costs, lower stock price, or difficulties raising capital due to a potentially criminal event.
Data Integrity
Under Business and Process Risk wherein reliability and completeness of data flows, inbound and outbound from/to customers, vendors, regulators, investors, and other stakeholders. It also relates to the authorization, completeness, and accuracy of transactions as they are input, processed, and reported.
Infrastructure Risk
Under Business and Process Risk wherein risk that the organization's IT infrastructure is obsolete, or lacks the IT infrastructure, such as hardware, software, networks, and people it needs to effectively support the information requirements of the organization to remain viable in the short and long term.
Commerce Risk
Under Business and Process Risk wherein events compromise business-to-business (B2B) and business-to-customer (B2C) financial and data flows, data integrity, and security.
Access Risk
Under Business and Process Risk wherein failure to adequately restrict access to information could result in unauthorized use of confidential information. Conversely, overly restrictive access to information could limit the ability of personnel to perform their assigned responsibilities.
Availability Risk
Under Business and Process Risk wherein unavailability of information when needed could threaten the continuity of the organization's operations and processes.
Technological and Information Technology Risks
These risks relate to conditions where IT is not operating as intended, the integrity and reliability of data is compromised, and significant assets are exposed to potential loss or misuse. It also relates to the inability to maintain critical systems and processes.
Data and System Availability Risk
Under Technological and Information Technology Risks wherein uptime of systems, machines, and other tools to support the needs of workers, customers, suppliers, and other stakeholders of the organization. This involves data acquisition, maintenance, use, distribution, storage, and destruction.
Data Integrity Risk
Under Technological and Information Technology Risks wherein accuracy and consistency of data stored, processed, retrieved, and destroyed when it reaches the end of its life cycle.
System Capacity Risk
Under Technological and Information Technology Risks wherein optimizing the amount of storage and computing ability systems possess.
Infrastructure Risk
Under Technological and Information Technology Risks wherein risk that the organization's IT infrastructure is obsolete, or lacks the IT infrastructure, such as hardware, software, networks, and people it needs to effectively support the information requirements of the organization to remain viable in the short and long term.
Commerce Risk
Under Technological and Information Technology Risks wherein events compromise B2B and B2C financial and data flows, data integrity, and security.
Access Risk
Under Technological and Information Technology Risks wherein failure to adequately restrict access to information could result in unauthorized use of confidential information. Conversely, overly restrictive access to information could limit the ability of personnel to perform their assigned responsibilities.
Availability Risk
Under Technological and Information Technology Risks wherein unavailability of information when needed could threaten the continuity of the organization's operations and processes.
Personnel Risks
relate to conditions that limit the organization's ability to obtain, deploy, and retain sufficient numbers of suitably qualified and motivated workers.
Availability Risk
Under Personnel Risks wherein sufficient workers and subject matter experts to support the organization's present and future needs.
Competence Risk
Under Personnel Risks wherein workers' ability to perform their duties efficiently and successfully.
Judgment Risk
Under Personnel Risks wherein workers' capacity to make sensible decisions based on relevant circumstances.
Malfeasance Risk
Under Personnel Risks wherein wrongdoing perpetrated by employees, contractors, suppliers, or customers.
Motivation Risk
Under Personnel Risks wherein demotivated workers fail to apply creativity and discipline to their tasks resulting in lower production, lower quality, poor service, and higher turnover and absenteeism.
Financial Risks
These risks can result in poor cash flows, currency and interest rate fluctuations, and an inability to move funds quickly and without loss of value to where they are needed.
Resources Risk
Under Financial Risks wherein availability of funds when needed and their judicious use for business purposes.
Commodity Prices Risk
Under Financial Risks wherein fluctuations in prices expose the organization to lower margins or trading losses.
Foreign Currency Risk
Under Financial Risks wherein changes in foreign exchange rates can result in the economic loss of some of the value of the asset.
Liquidity Risk
Under Financial Risks wherein this is the loss exposure due to an inability to meet cash flow obligations, or the lack of buyers and sellers in a market.
Market Risk
Under Financial Risks wherein movements in prices, rates, and indices affect the value of the organization's financial assets and stock price. This could also affect its cost of capital and its ability to raise capital.
Environmental Risks
These risks relate to the actual or potential threat of negative effects on the environment by emissions, wastes, and resource depletion. They can be caused by an organization's activities and influence living organisms, land, air, and water.
Energy and Other Resources Risk
Under Environmental Risks wherein inability to obtain reliable supplies at a reasonable price.
Natural Disaster Risk
Under Environmental Risks wherein events such as floods, earthquakes, fires, hurricanes, and tornadoes, also the lack of potable water and other resources needed in company facilities.
Pollution Risk
Under Environmental Risks wherein excessive pollution limits the health and safety of the organization's employees. These activities can be harmful to the environment and expose the organization to liabilities for bodily injury, property damage, removal costs, and punitive damages, among others.
Transportation Risk
Under Environmental Risks wherein ensuring the availability of adequate means of transportation. Some depend on natural means such as navigable rivers, lakes, and coastlines, or are directly or indirectly affected by natural or human actions, such as having unobstructed roads and working railroads.
Pandemic Risk
Under Environmental Risks wherein bacteria or viruses that disrupt the organization's supply chain or availability of its workforce to perform its duties.
Political Risks
This is a type of risk faced by organizations, investors, and governments. It refers to the effects that political decisions, events, or conditions can cause when they affect the profitability of a business, or the ability to operate freely. It has to do with the complications organizations may encounter as a result of political decisions.
Regulations and Legislation Risk
Under Political Risks wherein new or changes to existing regulations that limit the organization's ability to engage in its normal business activities.
Public Policy Risk
Under Political Risks wherein stakeholder demands affecting the organization's operations.
Instability Risk
Under Political Risks wherein civil or military unrest that disrupts the organization's activities.
Social Risks
relate to dynamics where an issue affects stakeholders who can form negative perceptions that can cause some form of damage to the organization.
Demographics Risk
Under Social Risks wherein changes that affect purchasing preferences, staff availability, or the cost to maintain a healthy workforce.
Privacy Risk
Under Social Risks wherein preferences that curtail the capture, storage, use, and dissemination of personal information.
Corporate Social Responsibility Risk
Under Social Risks wherein requirements for social involvement and investment that diverts time and other resources from the organization's primary activities.
Mobility Risk
Under Social Risks wherein dynamics that change the preferences of workers and customers to work and live in ways that support the organization's needs and products.