
COSO MODEL AND COCO MODEL AS CONTROL FRAMEWORKS

METALANGUAGE

1. COSO framework – is a concept that describes internal control as a process
effected by the entity’s Board, management and other personnel that is
designed to provide reasonable assurance on the achievement of the
organization’s objectives.
2. CoCo framework – is a concept that describes internal control as action that
promotes, supports and ensures achievement of the organization’s
objectives.
3. Control environment – refers to an internal control component that sets the
tone of an organization, influencing the control consciousness of its people.
4. Risk assessment – refers to an internal control component that is responsible
for the identification and analysis of relevant risks critical to the achievement of
objectives; development of test of controls and substantive procedures; and the
determination of how the risks should be managed.
5. Control activities – refers to an internal control component that encompasses
the policies and procedures designed to ensure that management directives are
carried out.
6. Information and communication – refers to an internal control component
that ensures all pertinent information is identified, captured and
communicated in a form and timeframe needed for decision making.
7. Monitoring – refers to an internal control component designed to assess the
quality of the control system’s performance over time.
ESSENTIAL KNOWLEDGE

CONTROL FRAMEWORK
• Serves as the basis for the control system and promotes the right control environment.

THE COSO MODEL


Control Environment
(Do we have the right foundations to control our business?)
The control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for all other components
of internal control, providing discipline and structure. Control environment
factors include:
a. The integrity, ethical values and competence of the entity’s people
b. Management’s philosophy and operating style
c. The way management assigns authority and responsibility and organizes and
develops its people
d. The attention and direction provided by the board of directors.
Risk Assessment
(Do we understand all those risks that stop us from being in control of the
business?)
Every entity faces a variety of risks from external and internal sources that must
be assessed. Risk assessment is the identification and analysis of relevant risks
critical to the achievement of objectives; development of test of controls and
substantive procedures; and the determination of how the risks should be
managed. Risk Assessment procedures for internal control include:
1. Inquiries of management and related parties
2. Observation of the application of controls
3. Inspecting documents and records
4. Tracing transactions through the information system
Control Activities
(Have we implemented suitable control activities to address the risks to our
business?)
Control activities are the policies and procedures that help ensure management
directives are carried out. They help ensure that necessary actions are taken to
address risks to achievement of the entity’s objectives. Control activities occur
throughout the organization, at all levels and in all functions. They include a
range of activities as diverse as:
a. Approvals, authorizations, verifications, reconciliations
b. Reviews of operating performance
c. Security of assets and segregation of duties.

Information and Communication


(Is the control message driven down through the organization and associated
problems and ideas communicated upwards and across the business?)
Pertinent information must be identified, captured and communicated in a form
and timeframe that enable people to carry out their responsibilities. Information
systems produce reports, containing operational, financial and compliance-related
information, that make it possible to run and control the business.
Effective communication also must occur in a broader sense, flowing down,
across and up the organization. All personnel must receive a clear message from
top management that control responsibilities must be taken seriously.
Monitoring
(Are we able to monitor the way the business is being controlled?)
Internal control systems need to be monitored—a process that assesses the
quality of the system’s performance over time. This is accomplished through
on-going monitoring activities, separate evaluations or a combination of the two.
On-going monitoring includes regular management and supervisory activities,
and other actions personnel take in performing their duties. The scope and
frequency of separate evaluations will depend primarily on an assessment of
risks and the effectiveness of on-going monitoring procedures. Separate
evaluations include monitoring of strengths, weaknesses and
recommendations for improving internal control. They can be performed by outside
parties or a specialist.

THE COCO MODEL


Purpose
The model starts with the need for a clear direction and sense of purpose. This
includes objectives, mission, vision and strategy; risks and opportunities;
policies; planning; and performance targets and indicators. The crucial link
between controls and performance targets is established here as controls must
fit in with the way an organization measures and manages performance.
Commitment
The people within the organization must understand and align themselves with
the organization’s identity and values. This includes ethical values, integrity,
human resource policies, authority, responsibility and accountability, and
mutual trust.

Capability
People must be equipped with the resources and competence to understand
and discharge the requirements of the control model. This includes knowledge;
skills and tools; communication processes; information; co-ordination; and
control activities. Capability is about resourcing the control effort by ensuring
staff have the right skills, experience and attitudes not only to perform well but
also to be able to assess risks and ensure controls make it easier to deal with
these risks.

Action
This stage entails performing the activity that is being controlled. Before
employees act, they will have a clear purpose, a commitment to meet their
targets and the ability to deal with problems and opportunities. Any action that
comes after these prerequisites has more chance of leading to a successful
outcome.
Monitoring and Learning
People must buy into and be part of the organization’s evolution. This includes
monitoring internal and external environments, monitoring performance, challenging
assumptions, reassessing information needs and information systems, follow-up
procedures, and assessing the effectiveness of control. Monitoring is a hard control in
that it fits in with inspection, checking, supervising and examining. Challenging
assumptions is an important soft control in that it means people can develop and excel.
Documentation of the understanding of internal control may be in the form of:
a. Narrative memoranda – written description of a particular phase of a system or a
system itself. Appropriate for uncomplicated systems and infrequent change in the
system.
b. Flowchart – consists of interrelated symbols that diagram the flow of transactions
and events through the system. Powerful tool to capture the complexity of a
system.
c. Questionnaire – series of questions designed to detect control deficiencies and
potential misstatements. Can result in unreliable documentation since
respondents can give inaccurate responses and/or false information.