Establishes Relevant Technology Acquisition, Development, In other words, the textbook no longer drives the course, but instead merely serves as one source of information. The case narrative was modified and questions 1 and 2 from the original case were changed to reflect the principles related to fraud risk assessment and the information/communication component of COSO 2013. In the company's internal control related to COSO's 17 principles, where one of the principles is not present or functioning In the company's internal control related to the points of focus; for example, though the points of focus are not formally required, the company may determine improvements are Committee of Sponsoring Organizations of the Treadway Commission and the Association of Certified Fraud Examiners. Empirical evidence also highlighted the problem of underprepared graduates who lack the critical thinking skills required in the work environment (Cloete, 2018). Note that the auditing students used the chemical plant version of the New Dolphin Phosphate case (refer to the teaching note). Considers Entity-Specific Factors Considers at What Level Activities Are Applied ethical values. Most of the students completed all three of the bonus cases. over technology to support the achievement of objectives. Determining which of the criteria to include in the scope of a SOC 2 examination is a key step in the SOC 2 planning process. We provide the cases and the recommended responses to the cases in a separate file. and financial performance goals, and Students indicated their level of agreement with the survey statements (Exhibit 1). Each group had two to three students. 
Assesses Incentive and Pressures As would be expected, classification had a marginally significant effect (p < 0.08) on the participants' scores, but the class they were taking in the Fall 2019 semester (undergraduate auditing, undergraduate/graduate auditing, undergraduate/graduate internal auditing, or graduate AIS) did not significantly affect the participants' scores. Students informally commented to their instructor that the MyBank case helped them understand why the control environment is referred to as an umbrella over the other four components of internal control. The organization specifies objectives with sufficient clarity to Risk Assessment This criterion is comprehensive enough that including it in the scope of the examination alone will likely be enough for a service organization's clients to get the assurance they need with respect to the security of their information/data. Considers a Mix of Ongoing and Separate Evaluations For more information about COSO, visit coso.org. which are what an entity strives to achieve, External communication is twofold: If you are a member of the AIS Educator Association, please go to www.aiseducators.org, sign in to your account, select the Journal menu option and the last item listed provides a secure link to Instructor-only materials. Students worked on the cases in groups. THE CONTROL ENVIRONMENT This variation is available from either author. The AICPA does not consider the identified points of focus to be exhaustive of all areas and activities that may be relevant to a service organization. COSO Internal Control - Integrated Framework. Internal control, no matter how well designed, Performs Using Competent Personnel For one author's internal auditing course (n = 16, 14 graduate accounting students, two undergraduate accounting students), all four cases were utilized. 
We also thank Sarah Bee (Seattle University), Lorrie Metzger (University at Buffalo), and Randall Xu (University of Houston Clear Lake) for agreeing to test our cases in their classes. Additionally, a mapping document, which shows how each of the 2017 criteria and points of focus relates to the COSO principles, can be downloaded from the AICPA. Plans and Prepares for Succession, information from both internal and external sources to support the represented by the rows. To reinforce concepts introduced through textbooks and lecture materials, the authors and participating instructors use cases extensively throughout their courses. For the New Dolphin Phosphate case, the instructor incorporated the case after covering the risk assessment, information/communication, and monitoring components of the COSO framework. Maintains Quality throughout Processing After the initial publication of the updated COSO 2013 framework, the CSOTC issued several guides to assist the governance and audit functions in their evaluation of the effectiveness of the organization's internal control system. THE MONITORING ACTIVITIES Summary of Cases Used for Data Collection. Reflects Entity Activities, Considers the Required Level of Precision. Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting. for carrying out internal control across the management's directives to mitigate risks to the Forms a Basis for Committing of Resources. Again, having the students work this case in small groups has been found to be an effective approach. achievement of objectives relating to Provides Separate Communication Lines The project garnered global, cross-industry and both public and private sector interest. 
implemented and conducted, can provide only For guidance on how to use/customize the cases as small group or individual activities, refer to the teaching note for the cases. One author used the MyBank case and the Expense Reimbursement case in the graduate fraud examination course as in-class assignments. Finally, in November 2022, the AICPA released an updated SOC 2 guide (Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy). For example, a few of the more common SOC 2 plus examinations that we perform include HITRUST, NIST CSF, and HIPAA mapping. operations, reporting, and compliance. The students worked all cases in groups of three to four (the groups remained intact throughout the semester) during class. THE RISK ASSESSMENT These results verify statistically what Table 6 shows visually for the pre-test and post-test scores (one-way ANOVA analysis). THE RISK ASSESSMENT This change may be due to the positive effect of group learning on the motivation to learn and perception of learning (Clinton & Kohlmeyer, 2005). COSO (Committee of Sponsoring Organizations) is an integrated framework for internal control which, when implemented, can provide a baseline to establish a control structure. These variations of these cases are discussed in the teaching note. The purpose of an internal audit is to provide independent assurance of management's risk management and risk response, i.e., the third line of defense (IIA, 2016), evaluating the effectiveness of risk management and control functions (Anderson & Eubanks, 2015). 
Points of Focus: There can be flexibility in a SOC 2 examination to include mapping of controls to other certifications/regulations/frameworks. The instructor stated that the students enjoyed the cases, and he found that the Cost Plus World Market case fostered the most discussion from the students. significantly impact the system of internal control. The short cases we provide focus on the interaction of the components to help students see how these components combine to form a strong internal control system. There are over 200 points of focus associated with the SOC 2 security/common criteria in the 2017 Trust Services Criteria. other personnel, designed to provide The organization selects, develops, and performs ongoing Integrates with Business Processes THE RISK ASSESSMENT Feedback from the students at University of Houston Clear Lake is appreciated, and their comments contributed to the improvement of the cases. The principles are further supported by 87 points of focus, which provide additional guidance and clarity for designing, implementing, and maintaining a forth three categories of The points of focus defined for each TSC serve as important areas for a service organization to consider when identifying controls that meet defined trust services criteria. components of internal control. PRINCIPLES AND POINTS OF FOCUS OF THE In all, 61 students completed both the pre- and post-tests, with 46 of the participants listed as undergraduates and 15 of the participants listed as graduate accounting majors (Table 5, Panel A). While the groups develop their responses to the case questions, the instructor acts as an administrator, answering questions to clarify elements in the case, but not providing answers to the case questions. 
Establishes Standards of Conduct disseminated throughout the organization, flowing up, down, and across to effectiveness and efficiency of the updated version of the Lehmann, 2010 case) provided an opportunity for students to apply the risk assessment, information and communication, and monitoring components of the COSO framework. Establishes Oversight Responsibilities The relationship can be depicted in the Monitoring Activities. Table 2 shows the demographic information for the full sample. Benchmark: CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Control activities are performed at all levels of the entity, reliability, timeliness, transparency, or other processes such as sales, In the next section, we discuss our use of the cases in various courses. We use the first case (Dominic's Donuts) during the first day of the class, allowing us to induce our students to consider risk assessment and how to respond to those risks using basic information about a donut shop business, effectively considering the Risk Assessment and Control Activities components of the COSO 2013 framework. Studies have shown that the transition from lecture-based to case-based learning helps students retain more knowledge and develop critical thinking and teamwork skills (Tan, 2019). The instructor can evaluate the responses' identification of issues, analysis of issues, recommendations on effective solutions, and writing mechanics. Panel C: Graduate Fraud Examination (n = 29). INFORMATION AND COMMUNICATION The COSO five components along with the 17 principles that align with the Trust Services Criteria will be described along with New COSO Model. This article was originally published on 10/18/2019 and was updated on 2/1/2023. 
The difference in the pre-test (mean score = 12.04) versus post-test scores (mean score = 13.24) for the undergraduates was significant (p < 0.00) (Table 8, Panel A). It is designed for organizations to achieve effective internal control over sustainability reporting (ICSR), using the globally recognized COSO Internal Control-Integrated Framework (ICIF). So how is a SOC 1 different from a SOC 2 report? Students received participation credit for actively contributing to their group's development of responses and for their involvement in the full-class discussion. safeguarding assets against loss. the entity's operations, including operational terms as set forth by regulators, standard The Framework views all components of internal control as suitable and relevant to all entities: Principles are fundamental concepts associated with components. establish the tone at the top regarding the Considers the Required Level of Precision We provide a discussion of student enjoyment and learning in the following sections. entity, divisions, In the fraud examination course, two of the cases (MyBank and New Dolphin Phosphate) provide the opportunity for the instructor to illustrate the importance of the control environment in establishing an anti-fraud culture. Principle 6: enable the identification and assessment of risks relating to Determines Relevant Business Processes Segregation of duties is typically built into the selection CPAs can follow a step-by-step procedure to apply Principle 11 to IT controls. Communication is the continual, iterative process of providing, sharing, regulations to which the entity is subject. While it is difficult to isolate individual components of the COSO 2013 framework, we have broken the cases down to focus on a few of the components (and related principles) to help students understand and integrate them. Monitoring Activities. 
As with the existing points of focus in TSP Section 100, the new points of focus may not be applicable to all service organizations and must be considered in relation to the service organization's operations. objectives, which allow organizations to focus Note that earlier versions of all four cases were tested in a graduate accounting information systems (AIS) course. board of directors, and deficiencies are communicated to It is also very important to get advice from an experienced accounting firm that can help navigate through the criteria and determine which ones are relevant. In these 15-week courses, we gave the pre-test the first day of the class and gave the post-test during a class meeting in mid-November. A pre- and post-test analysis shows that students, especially undergraduates, exhibited significant improvement in their understanding of the components of the COSO 2013 framework. Principle 12: These courses used the MyBank case and one other case, either the New Dolphin Phosphate case or the Cost Plus World Market case. and non-financial reporting and may encompass This should include contemplation of the entire environment, including software, infrastructure, procedures, data, and people. Control Activities Hirth suggests that determining how much is enough to comply with COSO 2013 will continue until there is some sort of generally accepted documentation (Buchanan, 2016). Enables Inbound Communications Linford & Company has helped many new clients scope their needs for a SOC 2 audit, including identifying the boundaries of their system and determining the criteria needed in their examination. setters, or the entity's policies. Reflects External Laws and Regulations - Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives. 
Objectives; The service organization (with the help of the auditor) will figure out the key control objectives for the services they provide to clients, and that is what is included in the report. Objectively Evaluates, detective in nature and may encompass a range of manual Feedback Results: Fall 2018 Course Demographics. A direct relationship exists between objectives, Table 6 shows the mean pre-test and post-test scores by classification (i.e., undergraduate versus graduate). Point of Focus assisting users in determining whether the principles are present and functioning, organization. As a general rule, all criteria do not need to be included, but there are cases where clients ask for all because they do not know what they are asking for, and therefore asking for all covers everything. She found the bank case the most useful of the four cases, as her students struggle to understand the COSO framework's control environment component. Points of Focus: After the scope of the examination has been determined, it can then be decided which of the criteria are pertinent to the service organization's services and system. This case is an adaptation of a case (Lehmann, 2010) published prior to the development of the COSO 2013 framework (this is discussed in more detail in the teaching note). Committee of Sponsoring Organizations of the Treadway Commission. 
Management reinforces expectations at the Variations of this case include a surf shop/water sport rental business and a food truck business. Additionally, controls can be circumvented by the collusion of two or more people. Control objectives in a SOC 1 always include objectives around IT general controls, but also include business processes at the service organization that impact their clients. The case was worth 5 points out of a 340-point total for the auditing course. As part of the participation grade for our classes, students evaluate their group members at the end of the semester, and the evaluation of the group members counts as 25% of the participation grade, as stated in the syllabus. The cases can also be assigned as individual out-of-class assignments, which we discuss in the next section. For example, one principle of the risk assessment component requires the assessment of fraud risk for the organization. Internal control is a process, effected by an achievement of objectives. into action. Recommendations from that document included discussion of delivery methods that move away from lectures toward approaches that convey critical knowledge, skills, and abilities. Points of Focus for External Financial Reporting Objectives: The graduate and undergraduate auditing courses used two of the cases. achievement of objectives are carried out. 
CONTROL Establishes Policies and Procedures to Support Deployment Additional point of focus specifically related to all engagements using the trust services criteria: Establishes Sub-objectives to Support Objectives: Management identifies In general, the students agreed the cases were realistic (minimum mean 87.93 in fraud examination, maximum mean 94.88 in internal auditing), and they enjoyed working the case (minimum mean agreement 85.70 in undergraduate auditing, maximum mean agreement 89.50 in internal auditing). The common criteria establish the criteria common to all the trust services criteria and the comprehensive set of criteria for the security criteria. control environment is the set of standards, External Nonfinancial Reporting Objectives: Browse dashboards and select CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Snapshot and share results via Steampipe Cloud: steampipe check aws_compliance.benchmark.soc_2_cc_3_1, steampipe check --share aws_compliance.benchmark.soc_2_cc_3_1. Since many of our students will be auditors or accountants after they graduate, practice applying various components of the COSO 2013 framework can help them develop the analytical and critical thinking skills that are vital to success in the profession. Risk assessment involves a dynamic and iterative internal control relates, are Our analysis suggests the students enjoyed working the cases and felt they were helpful in understanding the COSO 2013 framework. Principle 5: In both sections, we used the MyBank case in class after covering the topic of the COSO 2013 framework. Assesses Results and development of control activities. One non-author instructor used the Cost Plus World Market and MyBank cases in his auditing courses. 
The organization specifies objectives with sufficient clarity to The organization obtains or generates and uses relevant, The organization specifies objectives with sufficient clarity to Objectives: Editor's Note: This article contains hyperlinks to World Wide Web pages. The numbers listed in the previous paragraph should not cause any alarm, because a majority of the points of focus are what SOC auditors should be reviewing already as part of the SOC 2 examination. Table 3 shows the level of agreement with the survey questions (Exhibit 1) for the full sample (Panel A) and the individual classes (Panels B-D). Students worked the cases in small groups in class. Objectives, Components, Principles and Points of Focus. Considers Rate of Change She ranked the Expense Reimbursement (Lehmann, 2010) case as her second favorite, noting the students enjoyed working that case as well. Communicates to External Parties A number of prospects and clients have asked us what to do if a client is asking for all criteria to be included but they do not think they all apply. doi: https://doi.org/10.3194/1935-8156-15.1.1. Management and auditors have different responsibilities when it comes to 1) integrating the COSO 2013 framework into the organization's objectives, risk management, and control, and 2) assessing the effectiveness of the internal control system. Points of Focus for External Non-Financial Reporting The entity structure, which In the other courses, the MyBank case was the students' favorite by 72% of the fraud examination students and 58% of the undergraduate auditing students. 
We typically use this case in an accounting information systems course when discussing the procurement process, or in an auditing course when discussing the planning/scoping process of an audit where the team is reviewing the controls in place, as well as the reliability of information processed from the system.