Professional Documents
Culture Documents
1
Why ?
n COSO (1992)
n CoCo (1995)
n Sarbanes Oxley (2002)
– PCAOB
– Rule 404
n Canada - CPAB
2
Where Did it Come From?
n COSO
– Committee of Sponsoring Organizations
of the Treadway Commission
– Precludes the major corporate scandals
– One of the Frameworks to apply CSA
against
3
Where Did it Come From?
n COSO Example of Framework: Control Environment
n CoCo
– CICA, now “Risk Management and Governance”
– No longer interested in detailed framework – will
leave to COSO
n Sarbanes – Oxley
– Legislates need to assess internal control relative
to “a” framework – most will use COSO
n PCAOB (US)/CPAB (Canada)
– Monitoring of firms and functions
4
How Reporting on Internal
Control Mandated?
n US Large public companies – now
n Other US public companies – coming
n Canadian public companies – expected that will be
something similar
n Public sector
– Some US states have mandated that public sector entities
must adopt
– Quite a number of universities have adopted
– Local government
n No legislated requirement
n Nothing in Canada on immediate horizon
n Best practices
Tools Used to
Monitor/Report on Internal
Control
n CSA is just one – it does not
necessarily have to be used
n Direct testing
– Internal audit and external audit
– Test controls
– Test results
n Monitoring
n Continuous Audit
5
Code of Ethics
n Teams
– Multi-level
– Clerks, etc. important – are we really
doing what process says?
n Control environment
n Fraud risks and controls
n IT controls
n Results and Follow-up
6
Management of CSA
n Senior management
n Audit Committee oversight
– (throughout process)
n Internal audit
– (may lead)
n External audit
– (advisory)
6 methods of CSA
7
Different CSA Interactive
Workshop Formats
n Risk-based
– Work teams focus on identifying risks
n Objective-based
– Work teams focus on ways to accomplish an objective
n Control-based
– Work teams focus on how well controls in place are
working
n Process-based
– Work teams examine a process from beginning to end and
identify strengths and weaknesses of each step
n Departmental-based
– Work teams evaluate a departments overall situation and
items that will help or hinder dep from reaching goals
8
CSA Workshop Plan
9
CSA – Travel Exp – Q’s
n Is the municipal policy for travel expenses complete
and in line with corporate ethics
n Is there clear distinction between business and
personal expenses and only business reimbursed
n Do expense claims include written documentation
of dates, purpose, attendees
n Are those who approve knowledgeable of policy
and of staff’s activities
n Are payments made only on original invoices?
n Are expense claims made within 2 weeks of
expense being incurred?
n Is air travel economy?
CSA - Review
n Discussion/documentation on each
point throughout staff level
n Degree of compliance discussed,
reasons for non-compliance discussed
n Action plan for improvement
n Follow-up report and monitoring
10
CSA Pitfalls
CSA Benefits
11
Reasons Why CSA is Likely
to Continue to Expand
n Many organizations have a legislative
requirement for reporting on controls – CSA
a good tool for this
n Helps foster management responsibility for
controls
n CSA is both a collaborative and empowering
process
n Restraints on internal audit and costs of
external audit make this a useful tool
Comparison of Auditing
and CSA
n CSA differs by
– Use of line employees to evaluate risks and
controls not internal/external auditors
– Workgroups issue report on risks and controls –
not third party mgmt letter
– Mgmt and staff more likely to accept results as
they sourced it
n CSA proactive, auditing reactive
n CSA prevent/monitor, auditing
detect/correct
12
Accountants’ Misplaced
Values
A very successful accountant parked his brand-new Lexus in front of his office, ready to show
it off to his colleagues. As he got out, a truck passed too close and completely tore off
the door on the driver's side. The accountant immediately grabbed his cell phone, dialed
911, and within minutes a policeman pulled up.
Before the officer had a chance to ask any questions, the accountant started screaming
hysterically. His Lexus, which he had just picked up the day before, was now completely
ruined and would never be the same, no matter what the body shop did to it.
When the accountant finally wound down from his ranting and raving, the officer shook his
head in disgust and disbelief. "I can't believe how materialistic you accountants are," he
said. "You are so focused on your possessions that you don't notice anything else."
The cop replied, "Don't you know that your left arm is missing from the elbow down? It must
have been torn off when the truck hit you."
Summary
n Legislative req’mnts and best practices
suggest internal reporting on risks and
controls
n This can be managed by a few methods
such as direct testing, continuous audit and
review of control environment
n CSA is a tool aimed at review of control
environment
n CSA involves multi-level teams working
together to evaluate, document, report and
facilitate change and improvement
13
14