COSO Internal Control Framework Overview

The COSO framework is an internal control framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It defines internal control as a process designed to provide reasonable assurance regarding achievement of objectives relating to operations, reporting, and compliance. The COSO framework outlines five components of internal control - control environment, risk assessment, control activities, information and communication, and monitoring activities. It provides a standard for organizations to design, implement and assess their internal control systems.

  • What is COSO
  • Paradigm Shifts in Internal Auditing
  • Independent Management Function
  • Standards as Provided by ICAI
  • Is Internal Audit Mandatory?
  • Benefits of ICS
  • System of Internal Control
  • COSO: Definition of Internal Control
  • COSO Framework Overview
  • COSO Internal Control - Integrated Framework
  • Fundamental Concepts from Definition
  • COSO's Internal Control Framework
  • Components of Internal Control
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring Activities
  • Components and Principles
  • Judgement for Management
  • Principles vis a vis Components
  • Control Environment Continued
  • Risk Assessment Continued
  • Control Activities Continued
  • Information and Communication Continued
  • Monitoring Activities Continued
  • Roles and Responsibilities
  • Clause 49 (IX) of Listing Agreement
  • Board of Directors
  • CEO and CFO Responsibilities

COSO FRAMEWORK

WHAT IS COSO

• In May 2013, COSO released a revised “Internal Control – Integrated Framework,” which replaced the original
version developed in 1992.
• This framework formally defined internal control and contained relevant and helpful guidance.
• In 2002, the Sarbanes-Oxley Act (SOX) was established; it mandates that U.S. listed companies report on the
effectiveness of their internal control over financial reporting (ICFR) using a suitable framework and in some
cases also requires separate audit of ICFR.
• Subsequently, most U.S. listed companies have chosen the framework as their basis for compliance with
Section 404 of SOX.
• Many countries including Japan, China, and South Korea have modeled financial reporting legislation and other
requirements related to internal control using concepts in the 1992 and 2013 versions of the framework.
• Furthermore, many organizations around the world have voluntarily used the framework to help them create,
develop, mature, and continuously improve their systems of internal control beyond just financial reporting.
PARADIGM SHIFT IN THE ROLE OF THE INTERNAL AUDITOR
• From Reactive To Proactive
• From Books To Business
• From Vouchers To Systems
• From Sales To Value Addition
• From Economic Value Addition To Value Creation
• From Quantity of Earnings To Quality of Earnings
• From Delayed Accuracy To Quick Estimate
• From Internal Control To Internal Co-operation
• From Compliance with Standard Accounting To Compliance with Accounting Standards
• From Tax Planning To Tax Compliance
• From a Checker To a Consultant
• From Compliance To Competency
• From Foe To Friend
• From Fault Finder To Facilitator
• From Net Profits To Cash flow
• From Large Cash as a source of “comfort” To cause for “concern”
• From You v/s We To All of us
• From Stern Look To Smile
• From Internal Audit To External Internal Audit
• From Professional To Partner
• From Consultant To Core Group Member
• From Long Report To Crisp Elevator Pitch
• From Conceptualization To Execution
INDEPENDENT MANAGEMENT FUNCTION
• An independent management function, involving a continuous and critical appraisal of the functioning of the entity.
• To suggest certain improvements and value additions
• To strengthen the governance mechanism of the entity, strategic risk management and internal control system
• To provide assurance regarding transparency and reporting.
• Increased size and growing complexity of businesses
• Enhanced compliance requirements
• Focus on risk management and internal controls to manage them
• Stringent norms mandated by regulators to protect investors
• Growth of unconventional business models
• Intensive use of information technology.
• An increasingly competitive environment.
• Tells you the health and quality of the system.
• Identifies the root of the problem and plans for corrective, preventive or detective actions.
• Achieves better allocation of resources.
• Helps avoid potentially big problems.
• Shows what auditors look for.
• Continuous improvement.
STANDARDS AS PROVIDED BY ICAI
• The ICAI has prescribed 18 Standards on Internal Audit (SIA), which are enumerated below:
• SIA 1: Planning an internal audit
• SIA 2: Basic principles governing internal audit
• SIA 3: Documentation
• SIA 4: Reporting
• SIA 5: Sampling
• SIA 6: Analytical procedures
• SIA 7: Quality assurance in internal audit
• SIA 8: Terms of internal audit engagement
• SIA 9: Communication with management
• SIA 10: Internal audit evidence
• SIA 11: Consideration of fraud in an internal audit
• SIA 12: Internal control evaluation
• SIA 13: Enterprise risk management
• SIA 14: Internal audit in an information technology environment
• SIA 15: Knowledge of the entity and its environment
• SIA 16: Using the work of an expert
• SIA 17: Consideration of laws and regulations in an internal audit
• SIA 18: Related parties
IS INTERNAL AUDIT MANDATORY?
• Internal Audit: The importance of internal audit has been well acknowledged in the
Companies (Auditor's Report) Order, 2003 (the ‘Order’), pursuant to which the auditor of
a company is required to comment on whether the internal audit system of the
company is commensurate with the nature and size of the company’s operations.
• The class or classes of companies which shall be required to mandatorily appoint an
internal auditor as per the rules are as follows:
• Every listed company
• Every public company having paid-up share capital of more than 10 crore INR
• Every other public company which has any outstanding loans or borrowings from
banks or public financial institutions more than 25 crore INR or which has accepted
deposits of more than 25 crore INR at any point of time during the last financial
year.
BENEFITS OF ICS
• COSO is an Internal Control-Integrated Framework.
• An internal control system encompasses the policies, processes, tasks, behaviours and other
aspects of the Company that, taken together:
• Facilitate its effective and efficient operation by enabling it to respond appropriately to significant
business, operational, financial, compliance and other risks to achieve the Company’s objectives.
This includes the safeguarding of assets from inappropriate use or from loss and fraud, and
ensuring that liabilities are identified and managed.
• Help to ensure the quality of internal and external reporting. This requires the maintenance of
proper records and processes that generate a flow of timely, relevant and reliable information
from within and outside the organization.
• Ensure compliance with applicable laws and regulations, and also with internal policies with respect to
conducting business.
THE SYSTEM OF INTERNAL CONTROL SHOULD:
• Be embedded in the operations of the company and form part of its culture;
• Be capable of responding quickly to evolving risks to the business arising from factors within the company
and to changes in the business environment; and include procedures for reporting immediately to
appropriate levels of engagement any significant control failings or weaknesses that are identified
together with details of corrective action being undertaken.
• The system will include:
– control activities;
– information and communications processes; and
– processes for monitoring the continuing effectiveness of the system of internal control.
• A sound system of internal control reduces, but cannot eliminate, the possibility of poor judgement in
decision making; human error; control processes being deliberately circumvented by employees and
others; management overriding controls; and the occurrence of unforeseeable circumstances.
• A sound system of internal control therefore provides reasonable, but not absolute, assurance that a
company will not be hindered in achieving its business objectives, or in the orderly and legitimate conduct
of its business, by circumstances which may reasonably be foreseen.
• A system of internal control cannot, however, provide protection with certainty against a company failing
to meet its business objectives or all material errors, losses, fraud, or breaches of laws or regulations.
COSO: DEFINITION OF INTERNAL CONTROL
• Committee of Sponsoring Organizations of the Treadway Commission
(COSO) is a U.S. private sector initiative.
• COSO has defined internal controls as “a process, effected by an entity’s
board of directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives relating to
operations, reporting, and compliance”
COSO FRAMEWORK
COSO’S INTERNAL CONTROL - INTEGRATED FRAMEWORK
• The Framework continues to emphasize the importance of management
judgment in designing, implementing and conducting internal control, and
in assessing its effectiveness.
• The Framework and related illustrative documents are intended to
(i) clarify the requirements of effective internal control,
(ii) update the context for applying internal control by reflecting many of the
changes in business and operating environments, and
(iii) broaden its application by expanding the operations and reporting
objectives.
FUNDAMENTAL CONCEPTS FROM THE DEFINITION
• Internal control is:
• Geared to the achievement of objectives in one or more categories—operations, reporting,
and compliance
• A process consisting of ongoing tasks and activities—a means to an end, not an end in itself
• Effected by people—not merely about policy and procedure manuals, systems, and forms,
but about people and the actions they take at every level of an organization to affect
internal control
• Able to provide reasonable assurance—but not absolute assurance, to an entity’s senior
management and board of directors
• Adaptable to the entity structure—flexible in application for the entire entity or for a
particular subsidiary, division, operating unit, or business process
COSO’S INTERNAL CONTROL FRAMEWORK
• The Framework provides for three categories of objectives, which allow organizations
to focus on differing aspects of internal control:
• (i) Operations Objectives—These pertain to effectiveness and efficiency of the
entity’s operations, including operational and financial performance goals, and
safeguarding assets against loss.
• (ii) Reporting Objectives—These pertain to internal and external financial and non-
financial reporting and may encompass reliability, timeliness, transparency, or other
terms as set forth by regulators, recognized standard setters, or the entity’s policies.
• (iii) Compliance Objectives—These pertain to adherence to laws and regulations to
which the entity is subject.
COMPONENTS OF INTERNAL CONTROL
• Internal control consists of five interrelated components. These are derived
from the way management runs a business, and are integrated with the
management process.
• The components are:
• CONTROL ENVIRONMENT
• RISK ASSESSMENT
• CONTROL ACTIVITIES
• INFORMATION AND COMMUNICATION
• MONITORING ACTIVITIES
CONTROL ENVIRONMENT
• This component of COSO represents the culture of internal control at the organization.
• Control activities are those procedures and internal controls put in place to mitigate risks.
• The control environment comprises the integrity and ethical values of the
organization;
• the parameters enabling the board of directors to carry out its governance oversight
responsibilities;
• the organizational structure and assignment of authority and responsibility;
• the process for attracting, developing, and retaining competent individuals;
• and the rigor around performance measures, incentives, and rewards to drive
accountability for performance.
• The resulting control environment has a pervasive impact on the overall system of
internal control.
RISK ASSESSMENT
• Risk assessment is an activity whereby all of the activities, and the associated
risks, in an organization are looked at and each is considered on a spectrum
from low risk to high risk.
• Every entity faces a variety of risks from external and internal sources.
• Risk assessment involves a dynamic and iterative process for identifying
and assessing risks to the achievement of objectives.
• A precondition to risk assessment is the establishment of objectives, linked
at different levels of the entity.
• Risk assessment also requires management to consider the impact of
possible changes in the external environment and within its own business
model that may render internal control ineffective.
CONTROL ACTIVITIES
• Control activities are the actions established through policies and
procedures that help ensure that management’s directives to mitigate risks
to the achievement of objectives are carried out.
• Control activities are performed at all levels of the entity, at various stages
within business processes, and over the technology environment.
INFORMATION AND COMMUNICATION
• This component envisages how management communicates the culture of compliance and
the specific policies for individuals to follow.
• Information is necessary for the entity to carry out internal control responsibilities to support the
achievement of its objectives.
• Management obtains or generates and uses relevant and quality information from both internal
and external sources to support the functioning of other components of internal control.
• Communication is the continual, iterative process of providing, sharing, and obtaining necessary
information. Internal communication is the means by which information is disseminated
throughout the organization, flowing up, down, and across the entity.
• External communication is twofold:
1. It enables inbound communication of relevant external information, and
2. It provides information to external parties in response to requirements and expectations.
MONITORING ACTIVITIES
• These activities are used to monitor processes or internal controls within the
organization.
• Ongoing evaluations, separate evaluations, or some combination of the two are
used to ascertain whether each of the five components of internal control, including
controls to effect the principles within each component, is present and functioning.
• Ongoing evaluations, built into business processes at different levels of the entity,
provide timely information.
• Separate evaluations, conducted periodically, will vary in scope and frequency
depending on assessment of risks, effectiveness of ongoing evaluations, and other
management considerations.
• Findings are evaluated against criteria established by regulators, recognized
standard-setting bodies or management and the board of directors, and deficiencies
are communicated to management and the board of directors as appropriate.
COMPONENTS AND PRINCIPLES
• The Framework sets out seventeen principles representing the fundamental
concepts associated with each component.
• Because these principles are drawn directly from the components, an entity
can achieve effective internal control by applying all principles.
• All principles apply to operations, reporting, and compliance objectives.
JUDGEMENT FOR MANAGEMENT
• Laws, rules, regulations, and standards to which the entity is subject
• Nature of the entity's business and markets in which it operates
• Scope and nature of the management operating model
• Competency of the personnel responsible for internal control
• Use of and dependence on technology
• Management's responses to assessed risks

PRINCIPLES VIS A VIS COMPONENTS

• CONTROL ENVIRONMENT
• RISK ASSESSMENT
• CONTROL ACTIVITIES
• INFORMATION AND COMMUNICATION
• MONITORING ACTIVITIES
CONTROL ENVIRONMENT
• The organization demonstrates a commitment to integrity and ethical values.
• The board of directors demonstrates independence from management and
exercises oversight of the development and performance of internal control.
• Management establishes, with board oversight, structures, reporting lines,
and appropriate authorities and responsibilities in the pursuit of objectives.
• The organization demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.
• The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
RISK ASSESSMENT
• The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives.
• The organization identifies risks to the achievement of its objectives across
the entity and analyzes risks as a basis for determining how the risks should
be managed.
• The organization considers the potential for fraud in assessing risks to the
achievement of objectives.
• The organization identifies and assesses changes that could significantly
impact the system of internal control.
CONTROL ACTIVITIES
• The organization selects and develops control activities that contribute to
the mitigation of risks to the achievement of objectives to acceptable
levels.
• The organization selects and develops general control activities over
technology to support the achievement of objectives.
• The organization deploys control activities through policies that establish
what is expected and procedures that put policies into action.
INFORMATION AND COMMUNICATION
• The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.
• The organization internally communicates information, including objectives
and responsibilities for internal control, necessary to support the
functioning of internal control.
• The organization communicates with external parties regarding matters
affecting the functioning of internal control.
MONITORING ACTIVITIES
• The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are
present and functioning.
• The organization evaluates and communicates internal control deficiencies
in a timely manner to those parties responsible for taking corrective action,
including senior management and the board of directors, as appropriate.
ROLES AND RESPONSIBILITIES WITH REGARD TO INTERNAL CONTROL
Management
• It is the role of management to implement board policies on risk and control.
• In fulfilling its responsibilities management should identify and evaluate the risks faced by the company
for consideration by the board and design, operate and monitor a suitable system of internal control
which implements the policies adopted by the board.
• The chief executive officer is ultimately responsible and should assume “ownership” of the system.
• More than any other individual, the chief executive sets the “tone at the top” that affects integrity and
ethics and other factors of a positive control environment.
• In a large company, the chief executive fulfills this duty by providing leadership and direction to senior
managers and reviewing the way they’re controlling the business.
• Senior managers, in turn, assign responsibility for establishment of more specific internal control policies
and procedures to personnel responsible for the unit’s functions. In a smaller entity, the influence of the
chief executive, often an owner-manager is usually more direct.
• In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere
of responsibility.
CLAUSE 49 (IX) OF LISTING AGREEMENT
• The CEO, i.e. the Managing Director or Manager appointed in terms of the Companies Act and the CFO i.e. the whole-time
Finance Director or any other person heading the finance function discharging that function shall certify to the Board that:
A. They have reviewed financial statements and the cash flow statement for the year and that to the best of their knowledge
and belief:
1. these statements do not contain any materially untrue statement or omit any material fact or contain statements that
might be misleading;
2. these statements together present a true and fair view of the company’s affairs and are in compliance with existing
accounting standards, applicable laws and regulations.
B. There are, to the best of their knowledge and belief, no transactions entered into by the company during the year which are
fraudulent, illegal or violative of the company’s code of conduct.
C. They accept responsibility for establishing and maintaining internal controls for financial reporting and that they have
evaluated the effectiveness of internal control systems of the company pertaining to financial reporting and they have
disclosed to the auditors and the Audit Committee, deficiencies in the design or operation of such internal controls, if any, of
which they are aware and the steps they have taken or propose to take to rectify these deficiencies.
D. They have indicated to the auditors and the Audit committee:
1. significant changes in internal control over financial reporting during the year;
2. significant changes in accounting policies during the year and that the same have been disclosed in the notes to the
financial statements; and
3. instances of significant fraud of which they have become aware and the involvement therein, if any, of the management or
an employee having a significant role in the company’s internal control system over financial reporting.
ACCORDINGLY, IT IS THE RESPONSIBILITY OF THE CEO AND CFO TO:
(a) Establish and maintain the internal controls;
(b) Evaluate effectiveness of internal control system.
The assessment of internal control system has to be made using recognized framework.
(c) Disclose deficiencies in the design or operation of internal controls they are aware of;
(d) Take steps to rectify the deficiencies in the internal control system;
(e) Inform auditors and Audit Committee of any significant changes in the internal control system and
significant fraud if any of which they have become aware.
Management is accountable to the Board of Directors, which provides governance, guidance and oversight.
The internal control system is normally judged by the management’s commitment to internal audit and
process audit function.
To be effective, the internal audit function should have financial experts, Control experts, IT experts and
persons with the knowledge of organisation business.
BOARD OF DIRECTORS
• A strong, active Board, particularly when coupled with effective upward communication channels and capable
and adequacy.
• The board of directors is responsible for the company’s system of internal control.
• It should set appropriate policies on internal control and seek regular assurance that will enable it to satisfy
itself that the system is functioning effectively.
• The board must further ensure that the system of internal control is effective in managing those risks in the
manner which it has approved.
• In determining its policies with regard to internal control, and thereby assessing what constitutes a sound
system of internal control, the board’s deliberations should include consideration of the following factors:
– the nature and extent of the risks facing the company;
– the extent and categories of risk which it regards as acceptable for the company to bear;
– the likelihood of the risks concerned materialising;
– the company’s ability to reduce the incidence and impact on the business of risks that do materialise; and
– the costs of operating particular controls relative to the benefit thereby obtained in managing the related
risks.
• Reviewing the effectiveness of internal control is an essential
part of the board’s responsibilities.
• The board will need to form its own view on effectiveness based on the
information and assurances provided to it, exercising the standard of
care generally applicable to directors in the exercise of their duties.
• Management is accountable to the board for monitoring the system of
internal control and for providing assurance to the board that it has
done so.
• Effective monitoring on a continuous basis is an essential
component of a sound system of internal control.
• The board cannot, however, rely solely on the embedded monitoring
processes within the company to discharge its responsibilities.
• It should regularly receive and review reports on internal control.
• In addition, the board should undertake an annual assessment for
THE BOARD’S ANNUAL ASSESSMENT SHOULD, IN PARTICULAR, CONSIDER:
• the changes since the last annual assessment in the nature and extent of significant
risks, and the company’s ability to respond to changes in its business and the
external environment;
• the scope and quality of management’s ongoing monitoring of risks and of the
system of internal control, and, where applicable, the work of its internal audit
function and other providers of assurance;
• the incidence of significant control failings or weaknesses that have been identified
at any time during the period and the extent to which they have resulted in
unforeseen outcomes or contingencies that have had, could have had, or may in the
future have, a material impact on the company’s financial performance or condition;
and
• the effectiveness of the company’s public reporting processes.
COMPANIES ACT 2013 SECTION 134(5)(E)
• The Directors’ Responsibility Statement referred shall state that— the directors, in
the case of a listed company, had laid down internal financial controls to be
followed by the company and that such internal financial controls are adequate
and were operating effectively.
• Explanation.—For the purposes of this clause, the term “internal financial
controls” means the policies and procedures adopted by the company for
ensuring the orderly and efficient conduct of its business, including adherence to
company’s policies, the safeguarding of its assets, the prevention and detection of
frauds and errors, the accuracy and completeness of the accounting records, and
the timely preparation of reliable financial information;
EMPLOYEES

• All employees have some responsibility for internal control as part of their accountability for achieving objectives.
• They, collectively, should have the necessary knowledge, skills, information, and authority to establish, operate and monitor the
system of internal control.
• This will require an understanding of the company, its objectives, the industries and markets in which it operates, and the risks
it faces.
• In an organization, internal control is the responsibility of everyone and it should be a part of everyone’s job description.
• All employees produce information used in the internal control system or take other actions needed to effect control.
• Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of
conduct, or other policy violations or illegal actions.
• A number of external parties often contribute to achievement of an entity’s objectives.
• External auditors, bringing an independent and objective view, contribute directly through the financial statement audit and
indirectly by providing information useful to management and the board in carrying out their responsibilities.
• Others providing information to the entity useful in effecting internal control are legislators and regulators, customers and
others transacting business with the enterprise, financial analysts, rating agencies and the news media.
• External parties, however, are not responsible for, nor are they a part of, the entity’s internal control system.
TYPES OF IA
• Operational Audits
• Financial Audits
• Information Systems Audits
• Compliance Audits
• Follow-up Audits
THE PROCESS
THE PROCESS MODEL
REGULATORY FRAMEWORK
• Section 177(5): The Audit Committee may call for the comments of the auditors about internal
control systems, the scope of audit, including the observations of the auditors and review of the
financial statements before their submission to the Board, and may also discuss any related issues
with the internal and statutory auditors and the management of the company.
• Section 134(3)(n) stipulates a statement demonstrating development and
implementation of a risk management policy for the Company, comprising identification of
elements of risk, if any, which in the opinion of the Board may threaten the existence of the
Company, to be reviewed by the Board.
• The directors’ responsibility statement vide section 135(5)(e) for listed Companies entrusts the
implementation, adequacy and effectiveness of financial controls. Additionally, the enactment of
section 135(5)(f) ensures compliance with the provisions of all applicable laws with robust thrust.
• Auditor’s Report, Section 143(3)(i): whether the company has an adequate internal financial controls
system in place and the operating effectiveness of such controls.
• Section 177(4)(vii) guarantees evaluation of internal financial controls and risk management
systems.
• Schedule IV – Code for Independent Directors, Clause II Role and functions, sub-clause (4):
Independent Directors need to satisfy themselves on the integrity of financial information and that
financial controls and the system of Risk Management are robust and defensible.
THE INSTITUTE OF INTERNAL AUDITORS
• The Institute of Internal Auditors (IIA) defines Continuous Auditing as “any method
used by Auditors to perform audit-related activities on a more continuous or continual
basis. It is the continuum of activities ranging from continuous controls assessment to
continuous risk assessment–all activities on the control-risk continuum.”
• Replacement of static Risk Based Internal Audit (RBIA) plan with a dynamic
approach
• Risk bases are reviewed time and again for validation purposes, instead of
Audit plan based on fixed risk matrix
• Drawing immediate attention to changed risk scope
• Completion of Annual Audit Plan by bifurcating into time horizon (e.g. quarterly
coverage) not relevant; unplanned audits are more significant than the
planned ones
• ‘Need based’ assignments (pro-active engagement)
