The Canadian Institute of Chartered Accountants (CICA) is the professional financial auditing and accounting organization in Canada. Similar to the AICPA’s CPA certificate, the CICA awards Chartered Accountant certifications. After the release of the COSO framework and the AICPA’s incorporation of it in U.S. audit standards, the CICA established a study group in 1995 to issue guidance on designing, assessing, and reporting on the control systems of organizations. The result is what is called the Criteria of Control (CoCo) framework.
According to CoCo, control comprises those elements of an organization—including its resources, systems, processes, culture, structure, and tasks—that, taken together, support people in the achievement of the organization’s objectives. Just as a U.S. native can often identify a Canadian resident through slightly different verbal expressions, there are some slightly different words in CoCo when compared to the U.S.-oriented COSO. While CoCo defines control objectives in terminology similar, but not identical, to COSO, it emphasizes that the essence of control can be viewed as four connected high-level processes, as described in Exhibit 7.9:
• Monitoring and learning internal and external environments as well as monitoring assumptions
• Internal control purposes including understanding risks and policies, and establishing performance targets
• A commitment to ethical values, appropriate human resources policies, and an atmosphere of mutual trust
• A capability based on appropriate information processes, control activities, and information coordination
EXHIBIT 7.8 (CONTINUED) COSO and CobiT Relationships (tail of the table; the column headings for the X marks appear on the preceding page)
Assist and advise customers
Manage the configuration X X X
Manage problems and incidents X X X
Manage data X X
Manage facilities X
Manage operations X X
Monitor and Evaluate
Monitor the processes X X
Assess internal control adequacy X
Obtain independent assurance X X
Provide for independent audit
Source: Control Objectives for Information and Related Technology (COBIT®), 3rd Edition, © Copyright 1996, 1998, 2000, the IT Governance Institute® (ITGI), http://isaca.org and http://itgi.org, Rolling Meadows, IL 60008 USA. Reprinted by permission.
EXHIBIT 7.9 CoCo Framework (figure: four connected elements, Purpose, Commitment, Capability, and Monitoring and Learning, arranged around Action)
– Purpose: objectives (including mission, vision, and strategy); risks; policies; planning; performance targets and indicators
– Commitment: ethical values including integrity; human resource policies; authority, responsibility, and accountability; mutual trust
– Capability: knowledge, skills, and tools; communication processes; information coordination; control activities
– Monitoring and Learning: monitoring internal and external environments; monitoring performance; challenging assumptions; reassessing inf and infor; follow-up procedures; assessing the effectiveness of control
Source: Robert R. Moeller, Sarbanes-Oxley and the New Internal Auditing Rules, © copyright 2004, John Wiley & Sons. Used with per
The CoCo framework has evolved since its inception from a prime focus on internal controls to more emphasis on risk management and corporate governance, and CICA has been shaping internal control concepts and developing a new terminology that will probably become codified in future CICA standards.
The CoCo guidance states that it is management’s overriding objective to ensure, as far as practical, the orderly and efficient conduct of the entity’s business. Management discharges its internal control responsibilities through actions directed to:
• Optimizing the Use of Resources. Internal control assists management in optimizing the use of resources by ensuring, as far as practical, that reliable information is provided to management for the determination of business policies, and by monitoring the implementation of those policies and the degree of compliance with them.
• Prevention or Detection of Error and Fraud. A management internal controls objective is the prevention and detection of unintentional mistakes or errors and fraud—the intentional misrepresentation of financial information or misappropriation of assets. The guidance goes on to state that any controls here should be cost-effective. The cost of a possible control should be weighed against the relative likelihood of error and fraud occurring and the consequences if any were to occur, including their effect on the financial statements.
• Safeguarding of Assets. An organization’s assets should be safeguarded partly through internal controls and partly through business policies. Internal control protects against loss arising from unintentional exposure to risk in processing transactions or handling related assets. The degree of intentional exposure to risk is determined by business policies.
• Maintaining Reliable Control Systems. These are the policies and procedures established and maintained by management either to collect, record, and process data and report the resulting information or to enhance the reliability of such data and information. Management requires reliable control systems to provide information necessary to operate the entity and produce such accounting and other records necessary for the preparation of financial statements.
The preceding paragraphs have briefly outlined the CoCo framework. CoCo provides a framework for control assessments, but it is not really an assessment methodology along the lines of the CobiT approaches discussed earlier in the chapter. CoCo targets all stakeholders and is intended to be “creatively interpreted and applied.” Internal auditors use various assessment tools that range along a continuum. At one extreme, an audit approach can be based on searching for concrete evidence with no involvement of those responsible for the activities and processes under review. This approach would be most appropriate in the case of a forensic investigation into questionable or fraudulent activities, as discussed in Chapter 11, “Fraud Detection and Prevention.” At the opposite extreme are self-assessment approaches that place responsibility for identifying issues and solutions with those who manage the activities and processes.
CoCo reviews are most effective when they incorporate a self-assessment approach. Only by soliciting the perceptions of employees and management through such an approach can an internal auditor gain evidence about control factors such as shared ethical values and mutual trust. CoCo-based self-assessments are not appropriate for every circumstance. There are occasions in which audit objectives are specific and best addressed by a review of data and documents. However, CoCo provides a way to deal with issues that have their origins in overall management systems—which, we now recognize, are critical to the good functioning of overall control. In some respects, the CoCo self-assessment approach to evaluating internal controls has similarities to the IIA’s Control Self-Assessment approach discussed in Chapter 26.
While it is very consistent with the U.S. framework, CoCo represents a less structured model of internal control than the U.S. COSO. It certainly stands in stark contrast to the CobiT model. The CoCo control framework represents a different and less stringent way of thinking about internal control and provides a good way for management to think about how its organizations are performing. It is recommended that all internal auditors take a more detailed look at the CoCo model. A good starting point is www.cica.ca.