Internal control and COSO tools - SOX

Anonim

The history of internal control shows that its origin was purely practical and at operational levels. For this reason, traditional methodologies have been associated with it.

In practice these methodologies made an undeniable positive contribution to organizations, but the results also showed that the contribution has not been sufficient and is not necessarily effective either.

Things started to change substantially.

First, with the introduction of reference parameters (control criteria or conceptual structures), and then with the imposition of strategic methodologies (from top to bottom; risk-based at the entity level).

In this sense, the contribution of COSO and the other control criteria that have been consolidated has been key. So has the regulatory contribution based on the determinations of the SOX Law, made concrete initially through AS-2 and now AS-5.

How to design and implement an IC System

COSO - Integrated Conceptual Structure.

Explanatory note

1. Internal Control Objectives:

• Effectiveness and efficiency of operations.

• Reliability of the financial information.

• Compliance with regulations and obligations.

• Safeguarding of assets.

2. Internal Control Components:

• Control environment.

• Risk assessment.

• Control activities.

• Information and communication.

• Monitoring.

3. Internal Control Levels:

They depend on each organizational structure.

How to evaluate a COSO IC System - Evaluation tools.

Introduction

1. The tools can be used in any of the following different ways:

• Individually, when evaluating a particular component.

• Together, when all components are evaluated.

• Composite tools that show how they should be made.

2. These evaluation tools are proposed to provide help and assistance in estimating the internal control system in relation to the criteria for effective internal control.

Model Tools

1. Tools that compose it:

• A brief introduction that identifies each significant factor or element.

• The essential issues to be addressed.

• Comments, to record how each important point of focus is addressed.

• Conclusion about the effectiveness of related controls.

2. Particular aspects:

• Assessment of risks and control activities in the worksheet, establishing objectives for each activity, analyzing risks, establishing plans, programs and other actions to direct risks.

• Overall evaluation of the internal control system, provided to serve as a summary of the results and conclusions of each of the components.

Reference Manual

1. Designed to assist the assessor in completing the Risk Assessment Worksheet and control activities.

2. Present activities for common businesses, illustrative objectives, risks and points to focus on for control activities.

How to value an IC System

SEC Guidance (Home).

Introduction

1. Management is responsible for maintaining an Internal Control System for Financial Information (CIIF) that provides reasonable security.

2. The rules that the SEC adopted to implement section 404 of the SOX Act require that the administration evaluate the CIIF annually.

Inherent limitations of the CIIF

1. The CIIF cannot provide absolute security; it is a process that involves human diligence and compliance, and is subject to errors in judgment and noncompliance resulting from human failure.

2. The CIIF may also be circumvented by collusion or by being overridden by management.

3. The CIIF cannot prevent or detect all misstatements, whether they be unintentional errors or fraud.

Central elements of the Orientation

1. Explain how assessment approaches vary for obtaining evidence based on risk assessments.

2. Explain the purpose of documentation and how management has flexibility in the approaches to documentation that underpins its assessment.

3. Allows management and the auditor to have different approaches to applying tests.

Guiding Principles

1. Management should assess whether it has implemented controls that adequately cover the risk that a misstatement of the financial statements would not be prevented or detected in a timely manner.

2. Management's evaluation of the evidence regarding the operation of its controls should be based on its risk assessment.

How to value an IC System

SEC Guidance (Concludes).

Goals

1. The objective of Internal Control over Financial Information is to provide reasonable assurance regarding the reliability of financial information and the preparation of financial statements for external purposes according to NIFs.

2. The Purpose of the CIIF Assessment is to give management a reasonable basis for its annual assessment of whether there is any material weakness in the CIIF at the end of the fiscal year.

Identification of Risks and Controls

1. Risks of financial information.

2. Controls that manage the risks of financial information.

3. Consideration of controls at the entity level.

4. Role of general information technology controls.

5. Evidence to support the assessment.

Evaluation of the Evidence of the effectiveness of the CIIF operation

1. Determination of the evidence needed to support the assessment, in order to assess the CIIF risk of the controls it identifies.

2. Implementation of procedures to evaluate the evidence of the CIIF operation.

3. Evidence to provide reasonable support to the assessment.

Reporting Considerations

1. Assessment of control deficiencies.

2. Expression of the assessment of the effectiveness of the CIIF by the administration.

3. Disclosures about material weaknesses.

4. Impact that the re-expression of previously issued financial statements has on the administration's report on the CIIF.

5. Inability to value certain aspects of the CIIF.

How to audit an IC System

Auditing Standard No. 5 (Start).

Scope

Establish requirements and provide guidance that applies when an auditor is hired to perform an audit of management's assessment of the effectiveness of internal control over financial reporting.

Experience with applying the AS-5

1. The audit of internal control over financial information has produced important benefits, including a strong focus on corporate governance and controls, as well as higher quality financial information.

2. The costs have been greater than expected and, sometimes, the related effort has seemed greater than that necessary to carry out an effective audit of internal control over financial information.

Internal Effective Control

Effective internal control over financial information provides reasonable assurance regarding the reliability of financial information and the preparation of financial statements for external purposes.

Auditor's Objectives

1. Express an opinion regarding the effectiveness of internal control over financial information.

2. Plan and execute the audit to obtain competent evidence and reasonable assurance regarding whether there were material weaknesses at the date the assessment was made.

Integration of Audits

1. The internal control audit contemplates the audit of the financial statements; however, they do not share objectives, so the auditor must plan and execute the work to achieve the respective objectives.

2. In the financial statement audit, the auditor must design his test of controls to simultaneously achieve the objectives of both audits.

Planning

The auditor should appropriately plan the audit of internal control over financial reporting and adequately supervise any assistants.

How to audit an IC System

Auditing Standard No. 5 (Concludes).

Manage Fraud Risk

The auditor should assess whether the company's controls adequately manage the identified risks of material misstatement due to fraud as well as the controls that are intended to manage the risk that management circumvents controls.

Identification of controls at the entity level

The auditor has to test those controls that are important to the conclusion as to whether the company has effective internal control. The evaluation the auditor performs can lead to increasing or decreasing the tests that would have to be run.

Important accounts and disclosures and their relevant assertions

Important accounts and disclosures and their relevant financial statement assertions should be identified, for example:

• Existence or occurrence.

• Totality.

• Valuation or assignment.

• Rights and obligations.

• Presentation and disclosure.

Selection of controls to test

The auditor should test those controls that are important to its conclusion as to whether such controls sufficiently cover the assessed risk of material misstatement for each relevant assertion.

Testing of Controls

1. Design effectiveness: Determines if the controls are operated by people who possess the authority and competence necessary to effectively execute the control.

2. Effectiveness of operations: Determines if the control is operating as designed and if the person executing the control has the necessary authority and competence to execute the control effectively.

How to supervise an Internal Control System.

To date there is no reference tool.

Background

1. The supervision of internal control is an issue that is just beginning to be planned.

2. Below are the elements on which there is some progress in the present.

Internal supervision

It is the obligation of the board of directors and senior management, but particularly the audit committee, to oversee all processes related to internal control.

External supervision

1. It is the specific role of external regulation, surveillance and control activities, that is, the superintendencies.

2. This was raised in the comment letters related to AS-2 and AS-5, which point out that if all those who have roles associated with internal control must use the same control criteria, it is logical that supervisory authorities also accept the same.

3. Given the extent of cross-border supervision of financial information, part of it will necessarily involve that related to internal controls.

How to present to external parties, reports on Internal Control.

COSO - Reports to external parties.

Background

1. One in four companies includes in its reports to shareholders a discussion, made by management, on aspects of internal control.

2. This report focuses on issues related to internal control in preparing an entity's published financial statement.

Scope

1. An important aspect of a report is the statement about what is being reported.

2. Apply the definitions of the conceptual structure.

3. Internal control is a process, developed by the entity's executive committee, management, and other personnel, to provide reasonable assurance about the reliability of preparing financial statements.

Elements included within the scope of the report

1. Control over compliance with laws and regulations.

2. Differentiation of control categories.

3. Control environment.

4. Risk assessment and control activities.

5. Information and communication.

6. Monitoring.

Report content

1. Management responsibility.

2. Discussion of specific elements (Audit Committee, communication of policies, organizational relations, personnel, code of conduct and internal audit program…).

3. Limitations of Internal Control.

4. Management responses to deficiencies.

5. Signatures.
