Executive's Guide to COSO Internal Controls: Understanding and Implementing the New Framework

Wiley Corporate F&A

EXECUTIVE'S GUIDE TO COSO INTERNAL CONTROLS
Understanding and Implementing the New Framework
ROBERT R. MOELLER
Wiley

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.

Cover image: iStockphoto/merrymoonmary
Cover design: Wiley

Copyright 2014 by Robert R. Moeller. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at . Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at .

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at . For more information about Wiley products, visit .

ISBN 978-1-118-62641-2 (Hardcover)
ISBN 978-1-118-81377-5 (ePDF)
ISBN 978-1-118-81381-2 (ePub)

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

CONTENTS

Preface

Chapter 1: Importance of the COSO Internal Control Framework
    The Importance of Enterprise Internal Controls
    What Are Enterprise Internal Controls?
    Understanding the COSO Internal Control Framework: How to Use This Book

Chapter 2: How We Got Here: Internal Control Background
    Early Definitions of Internal Controls: Foreign Corrupt Practices Act of 1977
    The FCPA and Internal Controls Today
    Events Leading Up to the Treadway Commission
    Earlier AICPA Auditing Standards: SAS Nos. 55 and 78
    The Treadway Committee Report
    The Original COSO Internal Control Framework
    The Sarbanes-Oxley Act and Internal Accounting Controls
    Notes

Chapter 3: COSO Internal Controls: The New Revised Framework
    Understanding Internal Controls
    Revised Framework Business and Operating Environment Changes
    The Revised COSO Internal Control Framework
    COSO Internal Control Principles
    COSO Objectives and Business Operations
    Sources for More Information

Chapter 4: COSO Internal Control Components: Control Environment
    Importance of the Control Environment
    Control Environment Principle 1: Integrity and Ethical Values
    Control Environment Principle 2: Role of the Board of Directors
    Control Environment Principle 3: The Need for Authority and Responsibility
    Control Environment Principle 4: Human Resource Strengths
    Control Environment Principle 5: Individual Internal Control Responsibilities
    COSO Control Environment in Perspective

Chapter 5: COSO Internal Control Components: Risk Assessment
    Risk Assessment Component Principles
    Risk Identification and Analysis
    Risk Response Strategies
    Fraud Risk Analysis
    COSO Risk Assessment and the Revised Internal Control Framework
    Notes

Chapter 6: COSO Internal Control Components: Control Activities
    COSO Control Activity Principles
    COSO Control Activities Today

Chapter 7: COSO Internal Control Components: Information and Communication
    Information and Communications: What Has Changed?
    Information and Communication Principle 1: Use of Relevant Information
    Information and Communication Principle 2: Internal Communications
    Information and Communication Principle 3: External Communications
    The Importance of COSO Information and Communication
    Notes

Chapter 8: COSO Internal Control Components: Monitoring Activities
    Importance of COSO Monitoring Internal Control Activities
    COSO Monitoring Principle 1: Conduct Ongoing and Separate Evaluations
    COSO Monitoring Principle 2: Evaluate and Communicate Deficiencies
    COSO Internal Control Monitoring in Perspective
    Note

Chapter 9: COSO Internal Control GRC Operations Controls
    COSO Operations Objectives
    Planning and Budgeting Operations Controls
    IT Systems Operations Controls
    Operations Procedure Controls and Service Catalogs
    Importance of COSO Operations Controls
    Note

Chapter 10: COSO Reporting Processes
    COSO Reporting Objectives
    COSO External Financial Reporting Controls
    COSO Internal Financial Reporting Controls
    COSO External Nonfinancial Reporting Controls
    COSO Internal Nonfinancial Reporting Controls
    Importance of COSO Reporting Controls
    Note

Chapter 11: COSO Legal, Regulatory, and Compliance Objectives
    Importance of Enterprise Compliance Controls
    Regulatory Compliance Control Issues
    Internal Controls and Legal Issues
    Compliance with Professional and Other Standards

Chapter 12: Internal Control Entity and Organizational GRC Relationships
    Internal Controls from an Organizational GRC Perspective
    Enterprise Governance Overall Concepts
    Business Entity-Level Internal Controls
    Divisional and Functional Unit Internal Controls
    Department- and Unit-Level Internal Controls
    Organization and GRC Controls in Perspective
    Note

Chapter 13: COSO, Service Management, and Effective IT Controls
    Importance of IT General Controls
    IT Governance General Controls
    IT Management General Controls
    Client-Server and Smaller Systems General IT Controls
    ITIL Service Management Best Practices
    Service Delivery Best Practices
    Notes

Chapter 14: Cloud Computing, Virtualization, and Wireless Networks
    Internal Controls for IT Wireless Networks
    Cloud Computing and COSO Internal Controls
    Storage Management Virtualization
    COSO Internal Controls and Newer Technologies
    Note

Chapter 15: Another Framework: COSO ERM
    ERM Definitions and the ERM Portfolio View of Risk
    The COSO ERM Framework Model
    Other Dimensions of the ERM Framework
    COSO ERM and the Revised Internal Control Framework
    Notes

Chapter 16: Understanding and Using COBIT
    An Executive's Introduction to COBIT
    Using COBIT to Assess Enterprise Internal Controls
    Mapping COBIT to COSO Internal Controls
    Notes

Chapter 17: ISO Internal Control and Risk Management Standards
    Background and Importance of ISO Standards in a Global Commerce World
    ISO Standards Overview
    ISO Standards and the COSO Internal Control Framework
    Notes

Chapter 18: COSO Internal Controls in the Board Room
    Board Decisions and Internal Control Processes
    Board Organization and Governance Rules
    Corporate Charters and the Board Committee Structure
    The Audit Committee and Managing Internal Controls
    Board Member Internal Control Knowledge Requirements
    COSO Internal Controls and Corporate Governance
    Notes

Chapter 19: Service Organization Control Reports and COSO Internal Controls
    Importance of Service Organization Internal Controls
    Early Steps to Gain Assurance: SAS 70
    Service Organization Control (SOC) Reports
    Right-to-Audit Clauses
    Internal Control Limitations

Chapter 20: Implementing the Revised COSO Internal Control Framework
    Understanding What Is New in the 2013 Framework
    Transitioning to the New COSO Guidance
    Steps to Begin Implementing the New COSO Internal Control Framework

Index

PREFACE

INTERNAL CONTROL IS A BASIC management concept that covers all aspects of enterprise operations, from basic accounting processes to production operations to IT systems and more. However, in past years, it was one of those nice-sounding expressions where no one really had a consistent definition about what was meant by effective internal controls. Then, after a series of accounting scandals in the early 1990s, a group of professional accounting and finance organizations, including the American Institute of Certified Public Accountants (AICPA), formed what has become the Committee of Sponsoring Organizations (COSO) to develop a consistent framework to define the concept of internal controls.

After a lengthy period of review and comments as a public exposure document, the initial COSO internal control framework was released in 1992. It is not a formal standard or a set of governmental regulations but a framework outlining the characteristics and concepts of an effective system of internal control for enterprises of all types and sizes. It was soon adapted as a requirement for external auditors in their assessments of financial statement internal controls, and it became a key measure for assuring Sarbanes-Oxley Act (SOx) compliance.

Although this framework has remained unchanged and in effect since its 1992 release, that original framework no longer really reflected some of the massive changes in IT and business systems since then, as well as the more collaborative and international nature of business today and growing concerns for improved enterprise governance processes. As a result, COSO has recently revised its internal control framework, with a beginning draft and comment period, and the new revised COSO internal control framework was released in May 2013.

This book provides an executive-level description of the new COSO internal control framework. In the following chapters, we describe the components of the new framework and the elements that are particularly important to enterprise business operations. We have also taken COSO's three-dimensional framework and rotated it around to better explain the importance of all of the internal control framework's elements. Various chapters also look at such supporting guidance materials as COBIT and both ISO internal control and risk management standards, with an emphasis on building and implementing effective enterprise internal controls.

One of this book's objectives is to introduce and explain this revised COSO internal control framework in such a manner that an enterprise executive can use this internal control guidance material to understand and implement effective internal controls processes, as well as to explain the importance of COSO internal controls to board and audit committee members, to other members of the staff, and to IT management, as well as to retain an overall understanding of the importance of COSO internal controls. In addition, we will discuss transition and implementation rules for using this revised COSO framework to achieve Sarbanes-Oxley internal control compliance.

At first glance, the COSO internal control framework looks complex and confusing, but it is an important management tool that should be with us for some years to come. Enterprises may adopt this new framework immediately or may continue to use the old framework until December 15, 2014, at which point the updated framework will supersede the original framework.

CHAPTER ONE
Importance of the COSO Internal Control Framework

IT IS NOT A STANDARD or detailed requirement but only a framework. Some business executives may ask then, "Who or what is COSO?" In our business world of multiple rules and regulations that have been established by numerous governmental and other agencies that often use hard-to-remember acronyms, it is easy to roll our eyes or shrug our shoulders at yet another set of standards. In addition, COSO (Committee of Sponsoring Organizations) internal controls are only a framework model outlining professional practices for establishing preferred business systems and processes that promote efficient and effective internal controls. Also, the sponsoring organizations that issue and publish this material are neither governmental nor some other regulatory agencies. Nevertheless, the COSO internal control framework is an important set or model of guidance materials that enterprises should follow when developing their systems and procedures, as well as when establishing Sarbanes-Oxley Act (SOx) compliance.

This COSO internal control framework was originally launched in the United States in 1992, now a long time ago. This was yet another period of notable fraudulent business practices in the United States and elsewhere that identified a well-recognized need for improved internal control processes and procedures to help and guide

The 1992 COSO internal control framework soon became a fundamental element of American Institute of Certified Public Accountants (AICPA) auditing standards in the United States, and eventually became the standard for enterprise external auditors in their reviews certifying that enterprise internal controls were adequately following the Sarbanes-Oxley Act (SOx) rules. Because of its general nature describing good internal control practices, the COSO framework had never been revised until the present.

Since the release of that original COSO framework, a whole lot has changed for business organizations and particularly for their IT processes during these interim years. For example, mainframe computer systems with lots of batch-processing procedures were common then but have all but gone away, to be replaced by client-server systems. Also, while the World Wide Web was just getting started then, it was not nearly as developed as it is today. Because of the Internet, enterprises' organization structures have become much more fluid, flexible, and international. In addition, things such as social network computing, powerful handheld devices, and cloud computing did not exist back then.

Although some might wonder why it took so long, COSO announced in 2011 that it was revising its internal control framework with a draft version, which was issued in early 2012. That COSO internal control draft was circulated to a wide range of internal and external auditors, academics, and enterprise financial management, and it went through an extensive public comment period. The final revised COSO internal control framework description was released in mid-May 2013.

The following chapters describe the revised COSO internal control framework in some detail and explain why its concepts are very important for enterprise management today. This chapter begins with some background information on the COSO internal control framework from a senior executive management perspective. The COSO internal control framework sets the stage for achieving SOx compliance and will continue to be even more important with its new revised version. This book will conclude with some guidance and rules for implementing the new revised COSO internal control framework.

THE IMPORTANCE OF ENTERPRISE INTERNAL CONTROLS

An effective internal control system is one of the best defenses against business failure. An internal control system is an important driver of business performance, which manages risk and enables the creation and preservation of enterprise value. Internal controls are an integral part of an enterprise's governance system and ability to manage risk, which is understood, effected, and actively monitored by an enterprise governing body, its management, and other personnel to take advantage of the opportunities and to counter the threats to achieving an enterprise's objectives. In a very high-level conceptual manner, Exhibit 1.1 shows the relationship of internal controls as a component of risk-management processes and as a key element of enterprise governance.

EXHIBIT 1.1 Importance of Enterprise Internal Controls (figure: Enterprise Governance, Risk Management, Internal Controls)

Internal controls are a crucial component of an enterprise's governance system and ability to manage risk, and they are fundamental to supporting the achievement of an enterprise's objectives and creating, enhancing, and protecting stakeholder value. High-profile organizational failures typically lead to the imposition of additional rules and requirements, as well as to subsequent time-consuming and costly compliance efforts. However, this obscures the fact that the right kind of internal controls, which enable an enterprise to capitalize on opportunities while offsetting threats, can actually save time and money and promote the creation and preservation of value. Effective internal controls also create a competitive advantage, because an enterprise with effective controls can take on additional risks.

Internal controls are designed to protect an enterprise and its related business units from the loss or misuse of its assets. Sound internal controls help ensure that transactions are properly authorized, that supporting IT systems are well-managed, and that the information contained in financial reports is reliable. An internal control is a process through which an enterprise and one of its operating units attempts to minimize the likelihood of accounting-related errors, irregularities, and illegal acts. Internal controls help safeguard funds, provide for efficient and effective management of assets, and permit accurate financial accounting. Internal controls cannot eliminate all errors and irregularities, but they can alert management to potential problems.

WHAT ARE ENTERPRISE INTERNAL CONTROLS?

A classic definition states that internal controls consist of the plan of organization and all of the coordinate methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies. This definition reco