
COSO

In 1975 the National Commission on Fraudulent Financial Reporting was created in the United States as an independent initiative to study the causes of fraud in financial reports and statements. The commission was composed of representatives of the major professional associations in the financial area. Its first object of study was internal controls. In 1992 it published Internal Control - Integrated Framework, a publication that has become a worldwide reference for the study and application of internal controls. The commission subsequently became a committee, known as COSO - The Committee of Sponsoring Organizations.

COSO is a nonprofit organization dedicated to improving financial reporting through ethics, effective internal controls and corporate governance. It is sponsored by five leading associations of professionals connected to the financial sector in the United States, namely:

• AICPA - American Institute of Certified Public Accountants
• AAA - American Accounting Association
• FEI - Financial Executives International
• IIA - The Institute of Internal Auditors
• IMA - Institute of Management Accountants

The Committee works independently of its sponsors. Its members are representatives from industry, accountants, investment firms and the New York Stock Exchange.

Purpose of COSO - Internal Control

Internal Control is understood as a process designed to provide reasonable certainty that the company's objectives are achieved in the following categories:

• Operational efficiency and effectiveness (goals, strategy and performance): this category relates to the basic objectives of the entity, including performance and profitability goals, as well as the safety and quality of assets;

• Reliability of the accounting and financial records (information objectives): all transactions must be recorded, and all records must reflect actual transactions, with correct values and classifications;
• Compliance (compliance objectives): adherence to the laws and regulations applicable to the entity and its area of operation.

According to COSO, Internal Control is a process consisting of five interrelated elements that are present throughout the internal controls:

• Control Environment
• Risk Assessment and Management
• Control Activities
• Information and Communication
• Monitoring

Control Environment

The Control Environment is the entity's awareness of control, its control culture. The control environment is effective when people in positions of authority know their responsibilities and the limits of their authority, and have the awareness, competence and commitment to do what is right in the right way. The Control Environment involves technical competence and ethical commitment; it is an intangible factor, essential to the effectiveness of internal controls. The attitude of top management plays a decisive role in this component. Management must make clear to its staff the policies, procedures, Code of Ethics and Code of Conduct to be adopted. These definitions can be made formally or informally; the important thing is that they are clear to the organization's staff.

The main functions of Internal Control are related to the fulfillment of the entity's objectives. Therefore, the existence of goals and objectives is vital to the existence of internal controls: if the entity does not have clear objectives and goals, there is no need for internal controls.

Risk Assessment and Management

Risk assessment and management is the identification and analysis of the risks associated with not meeting the operational, reporting and compliance objectives. This set forms the basis for determining how risks are managed. Administrators should define the levels of operational, information and compliance risk they are willing to accept. Risk assessment is a management responsibility, but it falls to Internal Audit to carry out its own evaluation of risks, comparing it with the assessment made by the administrators.

Identification and management of risks is a proactive action that prevents unpleasant surprises. Risk is the probability of loss, or the uncertainty, associated with the fulfillment of a goal. For each proposed objective a risk identification process must be carried out.

Analysis

Once the risks have been identified, they must be evaluated, taking into account the following aspects:
• What is the probability (frequency) of occurrence?
• If it occurs, what would be its impact on operations, considering both quality and quantity?
• In your judgement, what actions would be needed to manage the identified risks?

Control Activities

Control activities are those activities that, when implemented on time and properly, allow risks to be reduced or managed. They can be of two kinds: prevention and detection. The main control activities and their natures are listed below:

• Authority limits (prevention): the limits set for an official as to the amounts they may approve or the positions they may take on behalf of the institution.

Examples: establishing a maximum value for the cash payment of a check; establishing ceilings for each trader per investment horizon; establishing the approval authority of the branch's Credit Committee.

• Authorizations (prevention): management determines the activities and transactions that require approval from a supervisor to take effect. A supervisor's approval, whether manual or electronic, means that the supervisor has checked and validated the activity or transaction and ensured that it complies with policies and procedures. Those responsible for authorization should check the relevant documentation, question unusual items and ensure that the information necessary for the transaction has been verified before giving their authorization.

• Reconciliation (detection): the comparison of the same information against data from different sources, taking corrective action when necessary.

• Performance reviews (detection): monitoring of an activity or process to evaluate its suitability and/or performance against the goals, objectives and benchmarks set, as well as continuous monitoring of the financial market (for banks) in order to anticipate changes that may negatively affect the entity. Examples: monitoring the behavior of credit card users (unusual places, different products, etc.); monitoring and questioning abrupt fluctuations in the results of branches, products, proprietary trading and third parties; monitoring realized versus budgeted values in business units with the aim of identifying problems; monitoring the competition, with a view to launching new products.

• Physical security (prevention and detection): the entity's assets should be protected from unauthorized use, purchase or sale. One of the best controls for protecting assets is physical security, which includes access control, control of the entry and exit of staff and materials, passwords for electronic files, call-back for remote access, encryption, and others. Also included in this control are the inventory processes for the items most valuable to the entity (e.g., cash counts).

• Segregation of duties (prevention): segregation is essential to the effectiveness of internal controls. It reduces both the risk of human error and the risk of undesired actions. Accounting and reconciliation, reporting and authorization, custody and inventory, procurement and payment, management of own resources and of others', standard-setting (risk management) and monitoring (audit) should be segregated among different employees.

• Computer systems (detection and prevention): controls performed through computerized systems are divided into two types:
  General controls: controls over data processing centers and over the acquisition, development and maintenance of programs and systems. Examples: organization and maintenance of backup files, system log files, contingency planning.
  Application controls: the controls that exist within business applications, intended to ensure the integrity and accuracy of data and transactions. Examples: validation of information (checking the input against records stored in databases).

• Internal standardization (prevention): the definition of formal internal rules for the operation of the entity. Standards should be easily accessible to employees, and the organization should define responsibilities, corporate policies, operational flows, functions and procedures.

Control activities should be implemented in a weighted, conscious and consistent way. It is pointless to implement a control procedure if it is executed mechanically, without attention to the conditions and problems that motivated its deployment.

Information and Communication

Communication is the flow of information within an organization, understanding that this flow occurs in all directions: from the higher hierarchical levels to the lower ones, from the lower levels to the upper ones, and horizontally between equivalent hierarchical levels.

Monitoring

Monitoring is the evaluation of internal controls over time. It is the best indicator of whether internal controls are being effective or not. It is done both through ongoing monitoring of activities and through occasional assessments such as self-assessment, review and internal audit. The function of monitoring is to ensure that internal controls are adequate and effective. Controls are adequate when the five elements of control (control environment, risk assessment, control activities, information and communication, and monitoring) are present and functioning as planned. Controls are effective when senior management has reasonable certainty of:
• the degree of achievement of the proposed operational objectives;
• that the information provided by reports and corporate systems is reliable; and
• that the applicable laws, regulations and standards are being met.