I appreciate the opportunity to be with you here today in Tysons Corner. When my friend Rick Knop who, as many of you know, serves on the Board of Directors of this chapter of the Association for Corporate Growth, asked me to be the keynote for this conference, it was a pleasure to accept. Given your organization's focus on corporate growth, and concerns I have heard that the current regulatory environment is inhibiting corporate risk taking and growth, I thought I would give you my perspective on goals and expectations in the post-Sarbanes-Oxley environment.
If the internal audit function is combined Coso framework release pr may 14 any of the second line functions, senior management and the board of directors should make certain that the functions are not combined or coordinated in a manner that could compromise the organizational independence or objectivity of the internal audit function.
Internal auditors normally should not assume any managerial responsibilities for 11 operations that they audit; and in organizations where internal audit is involved in second line activities, this involvement should generally be short term with conflicting roles allocated to different individuals or groups.
Coordinating the Three Lines of Defense The three lines each have the same ultimate objective: They serve the same ultimate stakeholders, and they often deal with the same risk and control issues.
For example, many organizations have put in place board level or management level risk policies to articulate these expectations. Coordination and communication is not to be confused with organizational structure.
While they have the same objective, each line has its own unique roles and responsibilities. They are separate lines but should not operate in silos. They should share information and coordinate efforts regarding risk, control and governance.
In many situations there could be a shared perspective regarding risk and control. In operationalizing this coordination, it is critical that the key roles of executives such as a chief risk officer, a chief compliance officer, or a chief audit executive are carefully reviewed and structured so each can accomplish their unique responsibilities while coordinating and communicating with the other risk and control executives.
The first line of defense has primary ownership of risks and the methods used to manage those risks.
The second line provides expertise in risk, helps set implementation strategy, and assists in implementation of policies and procedures. Careful coordination is necessary to avoid unnecessary duplication of efforts while assuring that all significant risks are addressed appropriately.
The Institute of Internal Auditors Inc, Also available at na. Internal audit should also coordinate their efforts with those of the second line of defense. This coordination could take a variety of forms depending on the nature of the organization, the specific work done by each party, the organizational independence of the second line functions, and the expectations by senior management and the board of directors.
In some cases internal audit may be able to base a portion of their assessment on work performed by a second line function. In this situation, internal audit should confirm the work is appropriately designed, planned, supervised, documented, and reviewed. The extent of use and level of reliance on the work of other functions will vary based on specific circumstances.
Internal audit also needs to pay careful attention to the organizational independence of the second line functions on which they plan to base a portion of their assessment work.
As internal audit is structured with organizational independence to provide unbiased and objective assessments, the function performing the work on which internal audit plans to rely should exhibit a sufficiently high level of organizational independence and objectivity.
Capability and efficiency are not the only criteria. Capability of the first or second lines of defense to perform work for internal audit does not mean they bring a requisite level of independence and objectivity.
Similarly, the capability of internal audit to perform work of the first or second lines does not mean internal audit performing the work of the first or second lines would necessarily preserve the organizational independence and objectivity of internal audit.
To help establish that work can be coordinated efficiently, the internal audit charter should specify that internal audit has the responsibility to assess the performance and effectiveness of the work of other second line of defense functions or any activity provided by a third party.
Coordination may extend beyond the three lines of defense, to include other external parties such as external auditors. Internal auditors may be able to rely on or use the work of other internal or external providers in providing governance, risk management, and control assurance if they have a sufficient understanding of the work performed, the detailed results, and the independence and competency of the external party.
Conversely, internal audit work might intentionally be planned and performed to meet the requirements of external parties.
Coordinating efforts with external parties can lead to enhanced efficiency; however, chief audit executives and the board of directors should consider the costs as well as the potential benefits of designing internal audit work for the benefit of external parties.
Leveraging COSO across the Three Lines of Defense The Framework defines five components of internal control and 17 principles representing the fundamental concepts associated with these components. The COSO publication, Internal Control — Integrated Framework states that because the 17 principles are drawn directly from the five components of internal control, effective internal control can be achieved by applying each of these principles.
Management has the responsibility to assign the essential duties related to the 17 principles and confirm duties are performed as intended. The information in the Appendix is intended to provide an example of how duties may be allocated among the three lines of defense. Because every organization is unique, organizations may have sound reasons for defining roles and responsibilities differently.
Regardless of how duties are assigned within an organization, specific roles and responsibilities regarding all of the 17 principles should be clearly established and communicated to all relevant parties to mitigate gaps in coverage of internal controls and no unnecessary duplication of effort.
The Appendix provides examples of how responsibility for the 17 principles may be allocated among the three lines of defense. Since many of the points of focus represent key responsibilities of individuals within the three lines of defense, readers who are familiar with Internal Control — Integrated Framework will find that many of the points of focus are reflected throughout the following section.COSO Framework Release PR May 14 F.
[email protected] COSO Issues Updated Internal Control-Integrated Framework and Related Illustrative Documents ALTAMONTE SPRINGS, Fla., May 14, – The Committee of Sponsoring Organizations of the Treadway Commission.
COSO Framework Release PR May 14 Final PDF. Coso Icif Faqs_january _12 22 Money. PB. Thesis Chapter1.
Understanding Internal Control and Internal Control blog-mmorpg.com COSO Framework. The Role of Internal Control in Fraud Prevention. InternalControlQuestionnaire coso.
Risk Assessment from COSO’s Perspective. September 4, Measuring and Assessing Culture in Regards to Risk Management.
May 17, Mark Beasley, Deloitte Professor of Enterprise Risk Management at NC State University interviews Takis Martakis, Global Head of People Risk and Culture at Credit Suisse, about how the company is. Enterprise Risk Management (ERM) framework was provided through the Commission of Sponsoring Organizations of the Treadway Commission’s (COSO).
The framework strives to. “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to the functioning of internal control.” (COSO Principle 14 – Communicates Internally COSO Framework) is the second of the three principles relating to the Information & Communication component of internal control..
For those who view the COSO framework . [email protected] COSO Issues Updated Internal Control-Integrated Framework and Related Illustrative Documents ALTAMONTE SPRINGS, Fla., May 14, – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence – issued today its updated Internal Control– Integrated Framework (Framework.