What is the point of a framework?
When discussing internal controls in the context of AIS, accountants rely on a common framework to ensure they are speaking the same language. The most widely adopted framework is the COSO Internal Control Framework.
COSO
Committee of Sponsoring Organizations
-an ad hoc group formed to provide guidance on financial controls, representing major professional accounting organizations
COSO Internal Control Framework
-integrated framework
-published by the Committee of Sponsoring Organizations of the Treadway Commission
-originally released in 1992 and updated in 2013
-the de facto standard for designing, implementing, and evaluating internal controls in organizations worldwide
how does COSO framework define internal control
a process designed to provide reasonable assurance regarding the achievement of objectives in three categories:
1. effectiveness and efficiency of operations
2. reliability of financial reporting
3. compliance with applicable laws and regulations
- reasonable assurance means that although no system of controls can provide absolute certainty, a well designed system significantly reduces the risk of material errors or fraud
COSO framework 5 interrelated components of internal control
1. control environment
2. risk assessment
3. control activities
4. information and communication
5. monitoring activities
control environment
This is the foundation upon which all other components rest
-encompasses the org's culture, values and commitment to integrity and ethical behavior
-includes management's philosophy, the board's oversight role, organizational structure, and how authority and responsibility are assigned
-an org with a strong control environment takes controls seriously; one with a weak control environment may have policies on paper that nobody follows
-tone at the top = an organization with a strong control environment takes controls seriously; one with a weak control environment may have policies on paper that nobody follows
Risk assessment
organizations face numerous risks that could prevent them from achieving their objectives
-risk assessment involves identifying these risks, analyzing their likelihood and potential impact, and determining how to manage them
-considers threats to data integrity, system availability, and information confidentiality
-risks change over time as tech evolves and new threats emerge, making risk assessment an ongoing process
Control activities
specific policies and procedures that help ensure management directives are carried out and risks are addressed
-occur throughout the organization at all levels and in all functions
-include approvals, authorizations, verifications, reconciliations, reviews of performance, security of assets, and segregation of duties
-include manual controls performed by people and automated controls built into software
Information and communication
relevant information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities
-this component recognizes that AIS is a critical part of internal control (the system must produce accurate timely information and make it available to those who need it)
-communication flows downward from management, upward from employees, and across organizational boundaries
Monitoring activities
-internal control systems need ongoing evaluation to ensure they continue to operate effectively
-can be accomplished through ongoing activities (continuous monitoring built into normal operations) or separate evaluations (periodic audits and assessments)
-when deficiencies are identified, they should be reported to appropriate levels of management and corrected promptly
-systems thinking: monitoring provides the feedback that allows the control system to adapt and improve over time
practical significance of the COSO framework
-public companies subject to the Sarbanes-Oxley Act (SOX) must evaluate their internal controls over financial reporting and must use COSO as their framework
-external auditors assess controls using COSO principles, and the trust services criteria used in SOC engagements are explicitly aligned with the COSO framework
The fundamental purpose of AIS
transform raw data about business events into useful information for decision making
data capture
recording business events as they occur
-today we use point of sale systems, electronic data interchange, ecommerce platforms, and sensors embedded in equipment and inventory
data processing
transforms captured data according to accounting rules and business logic
-validating data for accuracy and completeness, classifying transactions to appropriate accounts, summarizing individual transactions into meaningful totals, and posting entries to ledgers
-calculating derived values like inventory costs, depreciation, or tax obligations
data storage
maintains both current data needed for ongoing operations and historical data needed for analysis, reporting, and compliance
-modern systems store data in relational databases that allow flexible querying and reporting
-storage decisions involve trade-offs between accessibility, cost, and security
Information reporting
presents processed data in formats useful for decision making
Business transactions and the Give-get exchange
-business transactions = the fundamental events that an AIS records and processes
-give-get exchange = an agreement between two parties where one gives something of value and receives something of value in return
-give-get duality is the foundation of double-entry bookkeeping (every transaction affects at least two accounts because something is always given and something is always received)
five business cycles that capture most business activity
-a business cycle is a cluster of transactions in a recurring pattern
-the revenue cycle
-the expenditure cycle
-the production (or conversion) cycle
-the HR/payroll cycle
-the financial cycle
-these don't operate independently, but are connected through shared data about the general ledger
The revenue cycle
-selling goods and services and collecting payment
-includes receiving customer orders, checking credit, shipping products and delivering services, billing customers, and collecting cash
-converts the org's products/services into cash
the expenditure cycle
-acquiring goods and services and making payments
-includes identifying needs, selecting vendors, ordering goods, receiving and inspecting deliveries, processing invoices, and disbursing cash
-converts cash into the resources needed for operations
the production or conversion cycle
-applies to manufacturing orgs and involves transforming raw materials into finished products
-includes production planning, scheduling, resource allocation, manufacturing, and quality control
-converts raw materials and labor into inventory available for sale
the hr/payroll cycle
recruiting, hiring, training, compensating, and evaluating employees
-tracking time worked, calculating pay and withholdings, disbursing paychecks, and reporting payroll taxes
-converts cash into labor services
the financing cycle
-acquiring and managing capital
-includes obtaining debt and equity financing, paying dividends or interest, and managing investments
-handles the org's relationship with capital providers
technology has changed everything
-tech changes how we implement controls but the fundamental principles remain the same