Internal Control Integrated Framework

COSO’s Internal Control Integrated Framework: An Overview
Source: COSO’s Internal Control Integrated Framework
Bibi Consulting
www.bibiconsulting.com
Prepared by Wa'el Bibi, CPA, CIA, CISA
What is COSO?
Who are the sponsors?
What Is Internal Control?
“A process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness & efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.”
• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
Components Of Internal Control
• Control Environment.
• Risk Assessment.
• Control Activities.
• Information & Communication.
• Monitoring.
17 Principles
Source: Deloitte
Control Environment
• Sets the tone of the organization.
• The foundation for all other components.
• It includes the integrity, ethical values and competence of the people.
• Reflects: management’s philosophy & operating style, the way management assigns authority and responsibility and organizes and develops its people, and the attention and direction provided by the board of directors.
Risk Assessment
• Every entity faces internal & external risks.
• Every entity sets objectives.
• Risk assessment is the identification and analysis of relevant risks to the achievement of the objectives.
Control Activities
• The policies and procedures that help ensure management directives are carried out.
• They help ensure that necessary actions are taken to address risks.
• Control activities occur throughout the entity at all levels and in all functions.
• They include activities such as approvals, authorization, reconciliations and segregation of duties.
Information & Communication
• Relevant information must be identified, captured and communicated in a form & timeframe that enables people to carry out their responsibilities.
• Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the business.
• Effective communication must occur in a broader sense, flowing down, across and up the organization.
Monitoring
• Internal control systems need to be monitored.
• Types of monitoring:
- Ongoing, during the course of operations.
- Separate evaluations, for which the scope and frequency will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.
Responsibilities
Who is responsible for internal control? Everyone!
- Board of Directors: governance, guidance & oversight
- Management: the CEO is the owner
- Internal Auditors: evaluate & monitor
- Other personnel: information and communication
What Internal Control Can Do
• It can help achieve performance & profitability targets.
• It can help prevent loss of resources.
• It can help ensure reliable financial reporting.
• It can help ensure compliance with laws.
It can help an entity get to where it wants to go, and avoid pitfalls and surprises along the way.
What Internal Control Cannot Do
• It cannot ensure success.
• It cannot ensure the reliability of financial reporting.
• It cannot ensure compliance with laws and regulations.
Internal controls, no matter how well designed and operated, can provide only reasonable assurance to management regarding achievement of an entity’s objectives.
Limitations of Internal Control
• Judgement.
• Breakdowns.
• Management override.
• Collusion.
• Costs versus benefits.
End of COSO Presentation
Types of Controls
• Preventive
• Detective
• Corrective
• Directive
Preventive Controls
• Are designed to discourage errors or irregularities from occurring.
• They are more cost-effective than detective controls.
• Examples:
- Segregation of duties
- Authorization
- Firewalls
- Passwords
Detective Controls
• Are designed to search for and identify errors after they have occurred.
• They are more expensive than preventive controls.
• Examples:
- Reconciliations
- Analysis
- Periodic inventory
- Surveillance cameras
- Audit
Corrective Controls
• Corrective controls are designed to restore a system to an approved/last known good state.
• Examples:
- Antivirus software.
- Adjusting entries.
Directive Controls
• Are designed to provide direction from management (actions taken to cause or encourage a desirable event to occur).
• Examples:
- Job descriptions
- Training
- Policies and procedures