Executive's Guide To COSO Internal Controls


Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.

The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.

Executive’s Guide to COSO Internal Controls
Understanding and Implementing the New Framework
ROBERT R. MOELLER

Cover image: iStockphoto/merrymoonmary
Cover design: Wiley

Copyright 2014 by Robert R. Moeller. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

ISBN 978-1-118-62641-2 (Hardcover)
ISBN 978-1-118-81377-5 (ePDF)
ISBN 978-1-118-81381-2 (ePub)

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

Contents

Preface ix

Chapter 1: Importance of the COSO Internal Control Framework 1
    The Importance of Enterprise Internal Controls 2
    What Are Enterprise Internal Controls? 3
    Understanding the COSO Internal Control Framework: How to Use This Book 4

Chapter 2: How We Got Here: Internal Control Background 5
    Early Definitions of Internal Controls: Foreign Corrupt Practices Act of 1977 7
    The FCPA and Internal Controls Today 8
    Events Leading Up to the Treadway Commission 9
    Earlier AICPA Auditing Standards: SAS Nos. 55 and 78 10
    The Treadway Committee Report 11
    The Original COSO Internal Control Framework 12
    The Sarbanes-Oxley Act and Internal Accounting Controls 15
    Notes 28

Chapter 3: COSO Internal Controls: The New Revised Framework 29
    Understanding Internal Controls 30
    Revised Framework Business and Operating Environment Changes 32
    The Revised COSO Internal Control Framework 35
    COSO Internal Control Principles 37
    COSO Objectives and Business Operations 38
    Sources for More Information 40

Chapter 4: COSO Internal Control Components: Control Environment 41
    Importance of the Control Environment 41
    Control Environment Principle 1: Integrity and Ethical Values 43
    Control Environment Principle 2: Role of the Board of Directors 48
    Control Environment Principle 3: The Need for Authority and Responsibility 49
    Control Environment Principle 4: Human Resource Strengths 51
    Control Environment Principle 5: Individual Internal Control Responsibilities 54
    COSO Control Environment in Perspective 56

Chapter 5: COSO Internal Control Components: Risk Assessment 59
    Risk Assessment Component Principles 60
    Risk Identification and Analysis 62
    Risk Response Strategies 66
    Fraud Risk Analysis 69
    COSO Risk Assessment and the Revised Internal Control Framework 70
    Notes 71

Chapter 6: COSO Internal Control Components: Control Activities 73
    COSO Control Activity Principles
    COSO Control Activities Today

Chapter 7: COSO Internal Control Components: Information and Communication
    Information and Communications: What Has Changed?
    Information and Communication Principle 1: Use of Relevant Information
    Information and Communication Principle 2: Internal Communications
    Information and Communication Principle 3: External Communications
    The Importance of COSO Information and Communication
    Notes

Chapter 8: COSO Internal Control Components: Monitoring Activities
    Importance of COSO Monitoring Internal Control Activities
    COSO Monitoring Principle 1: Conduct Ongoing and Separate Evaluations
    COSO Monitoring Principle 2: Evaluate and Communicate Deficiencies
    COSO Internal Control Monitoring in Perspective
    Note

Chapter 9: COSO Internal Control GRC Operations Controls
    COSO Operations Objectives
    Planning and Budgeting Operations Controls
    IT Systems Operations Controls
    Operations Procedure Controls and Service Catalogs
    Importance of COSO Operations Controls
    Note

Chapter 10: COSO Reporting Processes
    COSO Reporting Objectives
    COSO External Financial Reporting Controls
    COSO Internal Financial Reporting Controls
    COSO External Nonfinancial Reporting Controls
    COSO Internal Nonfinancial Reporting Controls
    Importance of COSO Reporting Controls
    Note

Chapter 11: COSO Legal, Regulatory, and Compliance Objectives
    Importance of Enterprise Compliance Controls
    Regulatory Compliance Control Issues
    Internal Controls and Legal Issues
    Compliance with Professional and Other Standards

Chapter 12: Internal Control Entity and Organizational GRC Relationships
    Internal Controls from an Organizational GRC Perspective
    Enterprise Governance Overall Concepts
    Business Entity–Level Internal Controls
    Divisional and Functional Unit Internal Controls
    Department- and Unit-Level Internal Controls
    Organization and GRC Controls in Perspective
    Note

Chapter 13: COSO, Service Management, and Effective IT Controls
    Importance of IT General Controls
    IT Governance General Controls
    IT Management General Controls
    Client-Server and Smaller Systems General IT Controls
    ITIL Service Management Best Practices
    Service Delivery Best Practices
    Notes

Chapter 14: Cloud Computing, Virtualization, and Wireless Networks 203
    Internal Controls for IT Wireless Networks 204
    Cloud Computing and COSO Internal Controls 208
    Storage Management 214
    Virtualization 215
    COSO Internal Controls and Newer Technologies 215
    Note

Chapter 15: Another Framework: COSO ERM 217
    ERM Definitions and the ERM Portfolio View of Risk 218
    The COSO ERM Framework Model 222
    Other Dimensions of the ERM Framework 239
    COSO ERM and the Revised Internal Control Framework 240
    Notes 241

Chapter 16: Understanding and Using COBIT 243
    An Executive’s Introduction to COBIT 244
    Using COBIT to Assess Enterprise Internal Controls 252
    Mapping COBIT to COSO Internal Controls 256
    Notes 257

Chapter 17: ISO Internal Control and Risk Management Standards 259
    Background and Importance of ISO Standards in a Global Commerce World 259
    ISO Standards Overview 262
    ISO Standards and the COSO Internal Control Framework 269
    Notes 270

Chapter 18: COSO Internal Controls in the Board Room 271
    Board Decisions and Internal Control Processes 272
    Board Organization and Governance Rules 275
    Corporate Charters and the Board Committee Structure 276
    The Audit Committee and Managing Internal Controls 279
    Board Member Internal Control Knowledge Requirements 281
    COSO Internal Controls and Corporate Governance 282
    Notes 283

Chapter 19: Service Organization Control Reports and COSO Internal Controls 285
    Importance of Service Organization Internal Controls 286
    Early Steps to Gain Assurance: SAS 70 287
    Service Organization Control (SOC) Reports 288
    Right-to-Audit Clauses 290
    Internal Control Limitations 292

Chapter 20: Implementing the Revised COSO Internal Control Framework 293
    Understanding What Is New in the 2013 Framework 293
    Transitioning to the New COSO Guidance 295
    Steps to Begin Implementing the New COSO Internal Control Framework 296

Index 297

Preface

INTERNAL CONTROL IS A BASIC management concept that covers all aspects of enterprise operations, from basic accounting processes to production operations to IT systems and more. However, in past years, it was one of those nice-sounding expressions where no one really had a consistent definition about what was meant by effective internal controls. Then, after a series of accounting scandals in the early 1990s, a group of professional accounting and finance organizations, including the American Institute of Certified Public Accountants (AICPA), formed what has become the Committee of Sponsoring Organizations (COSO) to develop a consistent framework to define the concept of internal controls.

After a lengthy period of review and comments as a public exposure document, the initial COSO internal control framework was released in 1992. It is not a formal standard or a set of governmental regulations but a framework outlining the characteristics and concepts of an effective system of internal control for enterprises of all types and sizes. It was soon adapted as a requirement for external auditors in their assessments of financial statement internal controls, and it became a key measure for assuring Sarbanes-Oxley Act (SOx) compliance.

Although this framework has remained unchanged and in effect since its 1992 release, that original framework no longer really reflected some of the massive changes in IT and business systems since then, as well as the more collaborative and international nature of business today and growing concerns for improved enterprise governance processes. As a result, COSO has recently revised its internal control framework, with a beginning draft and comment period, and the new revised COSO internal control framework was released in May 2013.

This book provides an executive-level description of the new COSO internal control framework.
In the following chapters, we describe the components of the new framework and the elements that are particularly important to enterprise business operations. We have also taken COSO’s three-dimensional framework and rotated it around to better explain the importance of all of the internal control framework’s elements. Various chapters also look at such supporting guidance materials as COBIT and both ISO internal control and risk management standards, with an emphasis on building and implementing effective enterprise internal controls.

One of this book’s objectives is to introduce and explain this revised COSO internal control framework in such a manner that an enterprise executive can use this internal control guidance material to understand and implement effective internal control processes, as well as to explain the importance of COSO internal controls to board and audit committee members, to other members of the staff, and to IT management, as well as to retain an overall understanding of the importance of COSO internal controls. In addition, we will discuss transition and implementation rules for using this revised COSO framework to achieve Sarbanes-Oxley internal control compliance.

At first glance, the COSO internal control framework looks complex and confusing, but it is an important management tool that should be with us for some years to come. Enterprises may adopt this new framework immediately or may continue to use the old framework until December 15, 2014, at which point the updated framework will supersede the original framework.

CHAPTER ONE
Importance of the COSO Internal Control Framework

IT IS NOT A STANDARD or detailed requirement but only a framework. Some business executives may ask then, “Who or what is COSO?” In our business world of multiple rules and regulations that have been established by numerous governmental and other agencies that often use hard-to-remember acronyms, it is easy to roll our eyes or shrug our shoulders at yet another set of standards. In addition, COSO (Committee of Sponsoring Organizations) internal controls are only a framework model outlining professional practices for establishing preferred business systems and processes that promote efficient and effective internal controls. Also, the “sponsoring organizations” that issue and publish this material are neither governmental nor some other regulatory agencies. Nevertheless, the COSO internal control framework is an important set or model of guidance materials that enterprises should follow when developing their systems and procedures, as well as when establishing Sarbanes-Oxley Act (SOx) compliance.

This COSO internal control framework was originally launched in the United States in 1992, now a long time ago. This was yet another period of notable fraudulent business practices in the United States and elsewhere that identified a well-recognized need for improved internal control processes and procedures to help and guide. The 1992 COSO internal control framework soon became a fundamental element of American Institute of Certified Public Accountants (AICPA) auditing standards in the United States, and eventually became the standard for enterprise external auditors in their reviews, certifying that enterprise internal controls were adequately following the Sarbanes-Oxley Act (SOx) rules.
Because of its general nature describing good internal control practices, the COSO framework had never been revised until the present. Since the release of that original COSO framework, a whole lot has changed for business organizations and particularly for their IT processes during these interim years. For example, mainframe computer systems with lots of batch-processing procedures were common then but have all but gone away, to be replaced by client-server systems. Also, while the World Wide Web was just getting started then, it was not nearly as developed as it is today. Because of the Internet, enterprises’ organization structures have become much more fluid, flexible, and international. In addition, things such as social network computing, powerful handheld devices, and cloud computing did not exist back then.

Although some might wonder why it took so long, COSO announced in 2011 that it was revising its internal control framework with a draft version, which was issued in early 2012. That COSO internal control draft was circulated to a wide range of internal and external auditors, academics, and enterprise financial management, and it went through an extensive public comment period. The final revised COSO internal control framework description was released in mid-May 2013.

The following chapters describe the revised COSO internal control framework in some detail and explain why its concepts are very important for enterprise management today. This chapter begins with some background information on the COSO internal control framework from a senior executive management perspective. The COSO internal control framework sets the stage for achieving SOx compliance and will continue to be even more important with its new revised version. This book will conclude with some guidance and rules for implementing the new revised COSO internal control framework.

THE IMPORTANCE OF ENTERPRISE INTERNAL CONTROLS

An effective internal control system is one of the best defenses against business failure. An internal control system is an important driver of business performance, which manages risk and enables the creation and preservation of enterprise value.
Internal controls are an integral part of an enterprise’s governance system and ability to manage risk, which is understood, effected, and actively monitored by an enterprise governing body, its management, and other personnel to take advantage of the opportunities and to counter the threats to achieving an enterprise’s objectives. In a very high-level conceptual manner, Exhibit 1.1 shows the relationship of internal controls as a component of risk-management processes and as a key element of enterprise governance.

EXHIBIT 1.1 Importance of Enterprise Internal Controls (diagram relating Enterprise Governance, Risk Management, and Internal Controls)

Internal controls are a crucial component of an enterprise’s governance system and ability to manage risk, and they are fundamental to supporting the achievement of an enterprise’s objectives and creating, enhancing, and protecting stakeholder value. High-profile organizational failures typically lead to the imposition of additional rules and requirements, as well as to subsequent time-consuming and costly compliance efforts. However, this obscures the fact that the right kind of internal controls—which enable an enterprise to capitalize on opportunities, while offsetting threats—can actually save time and money and promote the creation and preservation of value. Effective internal controls also create a competitive advantage, because an enterprise with effective controls can take on additional risks.

Internal controls are designed to protect an enterprise and its related business units from the loss or misuse of its assets. Sound internal controls help ensure that transactions are properly authorized, that supporting IT systems are well-managed, and that the information contained in financial reports is reliable. An internal control is a process through which an enterprise and one of its operating units attempts to minimize the likelihood of accounting-related errors, irregularities, and illegal acts. Internal controls help safeguard funds, provide for efficient and effective management of assets, and permit accurate financial accounting. Internal controls cannot eliminate all errors and irregularities, but they can alert management to potential problems.

WHAT ARE ENTERPRISE INTERNAL CONTROLS?

A classic definition states that internal controls consist of the plan of organization and all of the coordinate methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies. This definition recognizes that a system of internal controls extends beyond those matters that relate directly just to the functions of the accounting and financial departments.
Rather, an internal control is a business practice, policy, or procedure that is established within an enterprise to create value or minimize risk. Although enterprises first thought of internal controls in terms of fair and accurate accounting processes and effective operational management, information technology (IT) controls are also a very important subset of internal controls today. They are designed to ensure that the information within an enterprise operates as intended, that data is reliable, and that the enterprise is in compliance with all applicable laws and regulations.

We should think of internal controls not as just one solitary activity but as a series of related internal system actions. For example, a requirement that all sales receipts must be accurate and assigned to correct accounts may be an important internal control, but processes should also be in place to correct out-of-balance sales receipts and to make related adjustments as necessary. Together, these requirements and processes represent an internal control system. These internal control systems are often complex, and it is not practical or profitable to attempt to independently review every transaction. Instead, management should be alert to conditions that could indicate potential problems.

Enterprise personnel at all levels, and senior executives in particular, should be responsible for understanding internal control concepts and helping to manage and implement effective internal control systems in their enterprises. This is particularly important for senior-level enterprise internal controls, in which different business units and subsidiaries must interact and IT systems must connect through often complex business and international interconnections. In addition, an enterprise must establish overall governance practices and operate in compliance with the numerous laws, regulations, and standards that affect its operations.

In a business operation, finance and accounting personnel have certain internal control responsibilities, a purchasing executive has others, and an IT systems developer has different responsibilities, but a senior executive should have an overall understanding of all aspects of internal controls throughout an enterprise, as well as of the top-level internal control concepts that affect overall enterprise operations and governance processes. The COSO internal control framework ties these all together, and an objective of this book is to help the senior executive understand these internal control concepts and, at a minimum, ask the right questions.

UNDERSTANDING THE COSO INTERNAL CONTROL FRAMEWORK: HOW TO USE THIS BOOK

Internal controls are important enterprise tools and concepts to ensure accurate financial reporting and management. However, in past years, “internal controls” was only a nice-sounding term by which professionals at all levels acknowledged that having effective internal controls was important. That was a long time ago, and matters were very much resolved with the introduction of the COSO internal control framework back in 1992. That best practices guide stood the test of time until it was recently updated.

This book will introduce the revised new COSO internal control framework from the perspective of senior enterprise executives. Chapter 2 will introduce the original framework that has been important for achieving SOx financial reporting compliance. Then, starting with Chapter 3, we will introduce and explain the new revised COSO internal control framework. This approach outlines and explains COSO’s complex-looking three-dimensional model for building and establishing enterprise internal controls.
The chapters following take COSO’s three-dimensional framework and look at it from each of its dimensions to help the enterprise executive understand this internal control framework. Other chapters cover supplementary standards or frameworks that are closely related to the COSO internal control framework, such as the continuing relationship of this framework to SOx internal control requirements, its relationship with the COBIT framework, and the current status of the related COSO enterprise risk management framework. This book will conclude with guidance for implementing this revised framework.

Although much of the COSO framework describes general practices that are applicable in many dimensions, there are some subtle differences between this new revised framework and the original edition. Following the transition rules outlined in Chapter 20, an enterprise must specify the version of the COSO internal control framework used when releasing its SOx financial reports.

The original COSO framework was with us for many years, and we expect these revisions will also be in place for years into the future. A goal of this book is to provide sufficient summary information about the revised COSO internal control framework such that a senior executive can brief members of the audit committee about the nature of this new revision and can also help members of the enterprise management team understand and implement enterprise internal controls that are consistent with these new revisions.

CHAPTER TWO
How We Got Here: Internal Control Background

ALTHOUGH THE CONCEPT OF BUSINESS and accounting systems internal controls is fairly well understood today by enterprise senior managers, this was not true before the late 1980s. In particular, while we often understood the general concept, there had been no consistent agreement among many interested persons of what was meant by “good internal controls” from either a business process or a financial accounting sense. Those early definitions first came from the American Institute of Certified Public Accountants (AICPA) and were then used by the U.S. Securities and Exchange Commission (SEC) for the Securities Exchange Act of 1934 regulations and provide a good starting point. Although there have been changes over the years, the AICPA’s first codified standards, called the Statement on Auditing Standards (SAS No. 1), defined the practice of financial statement external auditing in the United States for many years with the following definition for internal controls:

    Comprises the plan of enterprise and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies.

That original AICPA SAS No. 1 was later modified to add administrative and accounting controls to the basic internal controls definition. Administrative controls include, but are not limited to, the plan of the enterprise and the procedures and records that are concerned with the decision-making processes that lead to management’s authorization of transactions. Such an authorization is a management function directly associated with the responsibility for achieving the objectives of the enterprise and is the starting point for establishing the accounting controls of transactions.

    Accounting control comprises the plan of enterprise and the procedures and records that are concerned with the safeguarding of assets and the reliability of financial records and consequently are designed to provide reasonable assurance that

    a. Transactions are executed in accordance with management’s general or specific authorization.
    b. Transactions are recorded as necessary (1) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statement and (2) to maintain accountability for assets.
    c. Access to assets is permitted only in accordance with management’s authorization.
    d. The recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken with respect to any differences.

The overlapping relationships of these two types of internal controls were then further clarified in these pre-1988 AICPA standards:

    The foregoing definitions are not necessarily mutually exclusive because some of the procedures and records comprehended in accounting control may also be involved in administrative control. For example, sales and cost records classified by products may be used for accounting control purposes and also in making management decisions concerning unit prices or other aspects of operations. Such multiple uses of procedures or records, however, are not critical for the purposes of this section because it is concerned primarily with clarifying the outer boundary of accounting control. Examples of records used solely for administrative control are those pertaining to customers contacted by salesmen and to defective work by production employees maintained only for evaluating personnel performance.[1]

Our point here is that the definition of internal controls, as originally defined many years ago by the AICPA, has been subject to changes and reinterpretations over the years.
However, these earlier AICPA standards stress that the system of internal controls extends beyond just matters relating directly to the accounting and financial statements, including administrative controls but not IT, operations, or governance-related controls. Over this period through the 1970s, there were many definitions of internal controls released by the SEC and the AICPA, as well as voluminous interpretations and guidelines developed by the then major external auditing firms.

During the 1970s, in the United States and elsewhere in the world, there were an unusually large number of major corporate accounting fraud and internal control corporate failures. This same set of events was repeated again later in the early years of this century. That first set of events led to the Foreign Corrupt Practices Act in the United States, as well as to an attempt to better understand and define this concept called internal control. The result here was the release of the original COSO internal control framework, introduced in this chapter with its new revised version described in the following chapters.

The second set of fraud and internal control corporate failures, with a company called Enron as a major example, resulted in the passage of the Sarbanes-Oxley Act (SOx). Its internal control–related rules were first applicable in the United States and now are important essentiall
