
Chapter 2

Control Models

Copyright: Internal Auditing: Assurance and Consulting Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201 U.S.A.

Chapter 2 Learning Objectives

This chapter presents an overview of the most commonly used and globally accepted model of governance.


Internal Control-Integrated Framework

In response to a wave of financial reporting scandals in the United States during the 1980s, five professional organizations came together to form the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

As they discussed the control breakdowns that led to the scandals, they realized that traditional concepts of internal control were inadequate.


Many of the organizations involved in the scandals had sound control procedures. The breakdowns happened either because management lacked integrity or because the organization did not fully comprehend and deal with the risks inherent in its business model.


In 1992, COSO published Internal Control-Integrated Framework.

COSO defines internal control as follows: Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:


- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

The implication for internal auditors is that control must be evaluated over all three categories of objectives in order to render an opinion on the adequacy and effectiveness of the overall system of internal control.


The document goes on to say: This definition reflects certain fundamental concepts:
- Internal control is a process.
- Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.


The essence of the COSO framework is what it calls the five components of internal control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring


Control environment - The core of any business is its people, their individual attributes (including integrity, ethical values and competence) and the environment in which they operate.

The control environment contains seven factors:

1. Integrity and ethical values
2. Commitment to competence
3. Board of Directors and Audit Committee

4. Management Philosophy and Operating Style
5. Organizational Structure
6. Assignment of authority and responsibility
7. Human Resource policies and practices

The glossary of the International Standards for the Professional Practice of Internal Auditing aligns closely with COSO. The factors included in its definition of the Control Environment are identical except that the board is not included.

Control environment - The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
- Integrity and ethical values
- Management's philosophy and operating style


- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices
- Competence of personnel


The COSO components can be summarized briefly:

Risk assessment - The organization must define its objectives, which should be aligned top-down and across the organization. The organization must also systematically identify, assess, and manage the risks to the accomplishment of those objectives.


Control activities - Control policies and procedures must be put in place to ensure that risk management actions are effectively carried out.

Information and communication - Both are needed for people to effectively conduct, manage, and control operations.

Monitoring - Ongoing monitoring is needed so the organization can dynamically react to change. Separate evaluations are needed to provide assurance that the components are well designed and operating effectively.


These four components are the essence of the risk management process. Most commentators have credited the COSO framework as being one of the major drivers of the enterprise risk management movement discussed later in this chapter.


Risk Management Models

In 2004, COSO published Enterprise Risk Management-Integrated Framework. This framework defines risk management similarly to the way COSO's Internal Control-Integrated Framework defines internal control. COSO defines enterprise risk management as follows: Enterprise risk management is a process, effected by the entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Finally, it expands from the five components of internal control to eight components of enterprise risk management.

1. Internal environment - This is the control environment with the additional concepts of risk management philosophy and risk appetite. It forms the basis for how risk and control are understood and dealt with by the organization's people.

2. Objective setting - This is the first of four components that are all more or less contained in the control framework's Risk Assessment component. For an organization practicing ERM, these elements become important enough to be components in themselves.

3. Event identification - One meaningful difference is that risk identification becomes event identification. Events can be either risks or opportunities. Opportunities are funneled back into the strategy or objective-setting process. Risks are carried forward into the rest of the risk management process.

4. Risk assessment - Risks are assessed as to their likelihood and impact, on both an inherent and a residual basis.

5. Risk response - Risk responses include avoiding, accepting, reducing, and sharing the risk. The risk responses should align residual risk with the organization's risk tolerance and risk appetite.

6. Control activities - Policies and procedures must be put in place to ensure that risk management actions are effectively carried out.

7. Information and communication - Both are needed for people to effectively conduct, manage and control operations.

8. Monitoring - Ongoing monitoring is needed so the organization can dynamically react to change. Separate evaluations are needed to provide assurance that the components are well designed and operating effectively.


ISO 31000 Risk Management - Principles and guidelines

The International Organization for Standardization (ISO) is a network of national standards institutes of 162 countries that issues globally accepted standards for industries, processes, and other activities.

ISO 31000 is not as specific as some ISO standards. This is because it recognizes that, to be effective, risk management must be tailored to each organization's size, industry, culture, and legal/regulatory environment.

Also, it should be integrated into the existing management practices and processes, which will be unique to each organization. Instead, it provides a set of 11 core principles, a risk management framework, and a high-level process that is required for best-practice risk management.

ISO 31000's 11 core principles should apply at all levels of the organization. These principles include, among others, that risk management should create and protect value, be tailored to the organization, be integrated in the organization's processes and decision making, be systematic, dynamic and responsive to change, and take human and cultural factors into account.

Like the COSO framework, ISO 31000 defines risk management terminology. This terminology is similar to COSO's and is likely to become universally accepted. Most of these terms are defined similarly in COSO and are commonly used by risk managers.

Risk, as defined by ISO 31000, is the effect of uncertainty on objectives. This effect can be positive or negative and includes outcomes that increase the likelihood and/or consequence that objectives will be achieved. COSO and many risk managers define risk only as negative.

Risk attitude, as defined by ISO 31000, is an organization's approach to assess and eventually pursue, retain, take or turn away from risk. COSO and many risk managers use the terms risk appetite and risk tolerance, which lend themselves to quantification. While potentially useful, this quantification is difficult to do in practice. ISO 31000 avoids this difficulty by using the more general term risk attitude.


Internal Auditors' Use of Control and Risk Models

The two COSO integrated frameworks are conceptual frameworks. They give the user a clear understanding of what internal control and risk management are, as well as terminology to facilitate discussion.

They tell the auditor what must be evaluated. For example, the control framework says that all five components and all three categories of objectives are included in internal control, so all of these things should be evaluated.


This statement does not apply to individual audit projects. It does apply to the organization as a whole. If the internal audit activity never does anything to evaluate, for example, the control environment, this is a scope limitation. The governing board should be made aware of this and formally accept the limitation or have it addressed.


The two COSO frameworks are not, however, implementation guides. They do not tell the internal audit activity how to evaluate internal control or risk management.

Many risk managers find ISO 31000 more useful than the COSO enterprise risk management framework, and the IIA chose it as the basis for the Practice Guide, Assessing the Adequacy of Risk Management Using ISO 31000.
