

5.6 COSO

According to the COSO website (COSO 2014), the organisation was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting in the United States of America, a private-sector initiative to establish the root causes of fraudulent financial reporting by organisations. COSO was sponsored by the following prominent organisations: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors and the National Association of Accountants. Because the first chairman of this Commission was James Treadway, the Commission became known as the “Treadway Commission”.

The mission of COSO is to provide leading benchmarks by developing frameworks for enterprise risk management, internal control and fraud deterrence, with the objective of improving the overall performance and governance of organisations and reducing fraud (COSO, 2014). The COSO Internal Control Integrated Framework is cited on the subject of internal control by various influential organisations, such as the IIA (2009:20) and the American Institute of Certified Public Accountants (AICPA, 2005:2).

5.6.1 COSO Internal Control Integrated Framework

The COSO Internal Control Integrated Framework was originally issued in 1992. According to the Foreword to the COSO Internal Control Integrated Framework (2013), the original 1992 framework is regarded globally as a leading framework for designing, implementing, conducting and assessing the effectiveness of internal control. The framework was revised and updated during 2013. The revision was necessitated by the demands of a changing business environment, such as the complexity of business operations, stakeholder expectations in respect of governance, technological advancement and the globalisation of markets.

According to COSO (2013:5), there are five components to the COSO Internal Control Integrated Framework, which are applicable to the whole organisation, including different divisions, units or other functions. These components are:

• Control environment;

• Risk assessment;

• Control activities;

• Information and communication, and

• Monitoring activities.

All five constructs of the framework are essential and relevant. For purposes of this study only three constructs were prioritised. These three constructs can be directly linked to the prevention of fraud, which is the focus of this study. Hence, the following three constructs were chosen for purposes of this study:

• Control environment;

• Risk assessment, and

• Control activities.

The constructs of the COSO Internal Control Integrated Framework enabled the exploration of internal controls, management responsibility and the responsibility of auditors and the audit committee. COSO (2013:2) describes internal control as a process implemented by the board and management of an organisation to assure stakeholders that the objectives of the organisation will be achieved. The selected constructs are elaborated on in this chapter as they are pertinent to employee fraud and prevention strategies at universities in KwaZulu-Natal. Figure 5.2 below depicts the Cube that COSO uses to illustrate the Internal Control Integrated Framework:

Figure 5.2: Internal Control – Integrated Framework Cube

Source: COSO (2013:5)

The COSO (2013:5) framework sets out the three organisational objectives that need to be considered in an internal control environment. These objectives are operations, reporting and compliance, and they permeate the whole organisation irrespective of its organisational structure. The internal control process is integrated, as each part of it affects the other parts (COSO 2013:6). According to COSO (2013:12), there are seventeen principles in total that are linked to the five components. Twelve principles are linked to the three components chosen for this study, and these are elaborated on further in this chapter. Figure 5.3 shows the components that constitute internal control:

Figure 5.3: Adapted from the Internal Control – Integrated Framework

Source: COSO (2013:12)

5.6.2 Control Environment

The control environment, according to COSO (2013:12), comprises standards, processes and structures which form the foundation upon which internal control is constructed in an organisation. This is augmented by the board and management setting a strong tone at the top about the importance of internal control and level of conduct that is expected from employees.

The following five principles underpin the control environment component.

5.6.2.1 Integrity and Ethical Values

The organisation espouses integrity and high ethical values. This principle is premised on the four essential points listed below:

• The tone at the top is set by the board and all levels of management leading by example and acting ethically and with integrity.

• Standards of conduct remind employees and service providers that they are expected to act ethically and with integrity.

• Adherence to the standards of conduct is evaluated during performance reviews.


• Deviation from the standards of conduct is identified and addressed timeously.

5.6.2.2 Oversight

The board demonstrates its independence from management and oversees the development of internal control to ensure that it remains effective and adequate. This principle is premised on the four essential points listed below, where the board of directors:

• Establishes and accepts responsibility for oversight of internal control within the organisation.

• Determines, maintains and evaluates the expertise of its members to ensure that they are equipped to ask sceptical questions of management and to take corrective action.

• Is made up of independent members who are objective in carrying out their tasks.

• Plays an oversight role over the design, implementation and conduct of internal control by management.

5.6.2.3 Structure, Authority and Responsibility

In order to achieve organisational objectives, management implements an operational structure with clear reporting lines and delegated authority and responsibility to employees, which is overseen by the board. The three points on which this principle is premised are:

• Consideration is given by the board and management to all structures of the organisation that contribute to the achievement of organisational objectives.

• Reporting lines are designed and evaluated by management for all structures.

• It is the role of the board and management to delegate authority, allocate responsibility and segregate duties by means of appropriate systems and processes.

5.6.2.4 Competence

Suitably competent employees are recruited, trained and retained by the organisation in order to achieve its objectives. There are four points on which this principle is premised, which are:

• Policies and procedures are established which indicate the expected level of competence.

• The board and management evaluate competence throughout the organisation, including service providers, based on existing policies and procedures, and rectify shortcomings where required.

• Competent employees and service providers are recruited, developed and retained.

• The board and management plan for the succession of employees in essential areas of internal control.

5.6.2.5 Accountability

Employees are held accountable for their internal control responsibilities. There are five characteristics on which this principle is premised. The board and management:

• Establish processes through which to communicate with, and hold people accountable for, internal controls, and initiate corrective action where appropriate.

• Establish performance measures and rewards for the achievement of objectives.

• Evaluate performance measures and align incentives and rewards with the fulfilment of internal control responsibilities and the achievement of objectives.

• Assess and address pressures that are linked with the achievement of objectives.

• Evaluate responsibility for the performance of internal control, compliance with standards of conduct and the level of competence when remunerating or disciplining employees.

5.6.3 Risk Assessment

According to COSO (2013:13), risk assessment is the ongoing process of identifying and classifying risks; it informs decision-making about how a particular risk is managed, based on knowledge of internal and external influences. The following four principles underpin the risk assessment component.

5.6.3.1 Specific Objectives

The specific objectives of the organisation are clearly communicated to enable the identification and evaluation of risks that impact on the achievement of determined objectives.

The following thirteen characteristics are related to operations, reporting and compliance:

• Operational objectives are determined by management.

• Management considers the level of risk that the organisation is willing to tolerate.

• Levels of operational and financial performance are communicated by the organisation.

• Operational objectives are considered by management when allocating resources.

• External financial reporting objectives are in line with the accounting principles applicable to similar organisations.

• Materiality is taken into consideration when preparing the financial statements.

• External reporting reflects the essential transactions and events of the organisation.

• Objectives are determined by considering relevant laws, rules and recognised standards and frameworks.

• Requisite levels of precision and accuracy are considered when reporting.

• Internal reporting provides complete and accurate information about the choices made by management and the information needed to operate the organisation.

• Internal reporting objectives indicate the level of precision and accuracy required for non-financial reporting objectives.

• Laws and rules are integrated into the compliance objectives as minimum standards of conduct.

• Management considers its tolerance for risk in line with its objectives.

5.6.3.2 Identify and Analyse Risk

Risks are identified and analysed throughout the organisation in order to determine how they should be addressed. The following five characteristics highlight this principle:

• Risks are identified and analysed at all levels, including subsidiaries, divisions, units and functional departments.

• Risks from both internal and external sources are identified and analysed.

• Risk assessment occurs with the involvement of appropriate levels of management.

• Identified risks are analysed for their significance.

• Consideration is given to how a risk should be managed.

5.6.3.3 Fraud Risk

The potential for fraud is taken into consideration during the risk identification and assessment process. The four salient characteristics of this principle are:

• Consideration of various types of fraud, such as fraudulent reporting, asset misappropriation and corruption.

• Incentives and pressure to commit fraud are taken into consideration.

• Opportunity to commit fraud is taken into consideration.

• Rationalisation to commit fraud is a means which employees may use to attempt to justify their act.

5.6.3.4 Identify and Analyse Change

Changes that impact the control environment are identified and assessed based on the significance of their impact on internal control. The three essential characteristics are:

• Consideration should be given to changes in regulations, laws, the economy and the physical environment.

• Consideration should be given to the impact of new business products, changes to existing products, swift growth, business with foreign organisations and new technology.

• Changes in management and their attitudes towards internal control should also be considered.

5.6.4 Control Activities

Control activities, according to COSO (2013:13), are actions determined by the policies and procedures that management implements to ensure that risks are mitigated in order to achieve organisational objectives. These activities span all levels of the organisation, different stages of its processes and all technology environments. The following three principles underpin the control activities component:

5.6.4.1 Select and Develop Control Activities

Control activities are identified and implemented by management to assist in the mitigation of risks and the achievement of objectives. There are six essential characteristics of this principle, which are:

• Control activities ensure that risk mitigation is carried out.

• Control activities are influenced by the characteristics of the organisation, the operating environment, business complexity, and the nature and scope of operations.

• Management is responsible for deciding which areas of operation require control activities.

• Control activities include various control types as well as combinations thereof.

• Control activities should be considered at various levels within the organisation.

• Incompatible duties should be segregated or alternative controls implemented.

5.6.4.2 General Control Activities over Technology

General control activities over technology are identified and implemented by management to assist in the mitigation of risks and the achievement of objectives. These four aspects characterise this principle:

• Management determines how dependent organisational processes are on technology and how business processes, automated control activities and technology general controls interrelate.

• Management designs controls over the technology infrastructure.

• Management designs controls to restrict unauthorised employees' access to technology and to protect the organisation from external threats.

• Management designs controls over the procurement, development and maintenance of the technology infrastructure.

5.6.4.3 Policies and Procedures

Policies and procedures are implemented to ensure that organisational objectives are achieved. There are six characteristics that underpin this principle, namely:

• Management designs policies and procedures which stipulate the processes and routine employee activities required to achieve its objectives.

• Accountability and responsibility for control activities are assigned to the relevant levels of management.

• Control activities are carried out timeously by responsible employees, as prescribed in the policies and procedures.

• Corrective action is taken by responsible employees after they investigate issues arising from control activities.

• Competent employees are deployed to perform control activities on an ongoing basis.

• Policies and procedures are reviewed on a regular basis and amended where appropriate.

The COSO Internal Control Integrated Framework is particularly relevant to employee fraud and prevention strategies at universities in KwaZulu-Natal.