IA Definition
Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management,
control, and governance processes.
The Committee of Sponsoring Organizations
of the Treadway Commission (COSO)
Internal Control-Definition (COSO)
Benefits and Costs of Internal Control
Benefits
added confidence regarding the achievement of objectives
provides feedback on how a business is functioning
helps to reduce surprises
meet certain requirements to access capital markets
reliable reporting for decision making
consistent mechanisms for processing transactions
increased efficiency within functions and processes
a basis for decisions
ability and confidence to accurately communicate business performance
Costs
Direct costs
Indirect costs
Opportunity costs
Roles and Responsibilities
Responsible Parties
The Board of Directors and Its Committees
Senior Management
Business-Enabling Functions
Other Personnel
Internal Auditors
External Parties
Outsourced Service Providers
Other Parties Interacting with the Entity
Independent Auditor
External Reviewers
Legislators and Regulators
Financial Analysts, Bond Rating Agencies, and the News Media
Limitations of Internal Control
Preconditions of Internal Control
Judgment
Breakdowns
Management Override
Collusion
COSO Internal Control Framework
COSO IC Framework 2013
Components & Principles
Control Environment
Enforces accountability
Risk Assessment
Control Activities
10. The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology
to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is
expected and procedures that put policies into place.
Information & Communication
13. The organization obtains or generates and uses relevant, quality information
to support the functioning of internal control.
14. The organization internally communicates information, including objectives
and responsibilities for internal control, necessary to support the functioning
of internal control.
15. The organization communicates with external parties regarding matters
affecting the functioning of internal control.
Communicates internally
Communicates externally
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present
and functioning.
17. The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action, including
senior management and the board of directors, as appropriate.
Assesses Results
Communicates Deficiencies
Monitors Corrective Actions
COSO Internal Control Framework vs
COSO ERM Framework