2013 COSO Framework Overview
With You Today
Roger A. Martinez, CPA Assurance Partner Vasquez & Company LLP Los Angeles, CA 213-873-1703 [email protected]
Vasquez at a Glance
• Vasquez has served government agencies in California for over 40 years.
• Vasquez audit team partners and managers are former ‘Big Four’ audit professionals.
• Consistently ranked among the top accounting firms in Los Angeles County as reported by the Los Angeles Business Journal.
• We provide the guidance and support for companies undertaking their first SOX compliance effort, helping them avoid a process that’s long, tedious and costly.
• We can help with selecting an appropriate compliance framework, internal controls documentation, a readiness assessment, or a fully outsourced compliance solution.
COSO Overview
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five sponsoring organizations formed in 1985
• Provides thought leadership through the development of frameworks and guidance on:
- Internal control
- Enterprise risk management
- Fraud
• Designed to improve organizational performance and governance, and to reduce the extent of fraud in organizations
• Released the original Internal Control-Integrated Framework in 1992, which has become the most widely used control framework for management’s SOX assertion.
Framework updates driven by changes in business and operating environments
Why the COSO Framework was updated
Environment changes
• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexity in business
• Demands and complexities in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud
Enhancements to the COSO Framework
Heightened focus on entity-level controls, technology and fraud prevention / detection
Original Framework: COSO’s Internal Control – Integrated Framework (1992 Edition)
Refresh Objectives and corresponding Enhancements:
- Reflects changes in business & operating environments → Updated Context
- Expand operations and reporting objectives → Broadens Application
- Articulates principles to facilitate effective internal control → Clarifies Requirements
Updated Framework: COSO’s Internal Control – Integrated Framework (2013 Edition)
Update expected to increase ease of use and broaden application
Overview of what is and is not changing
What is not changing…
• Core definition of internal control
• Three categories of objectives and five components of internal control
• Each of the five components of internal control is required for effective internal control
• Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness
What is changing…
• Changes in business and operating environments considered
• Operations and reporting objectives expanded
• Fundamental concepts underlying five components articulated as principles with points of focus as additional guidance
• Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added
The 17 principles are necessary for effective internal control
Introduction of principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant changes
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
In addition to the 17 principles, the updated Framework contains more guidance on how technology relates to an entity’s internal control structure. The 1992 Framework included many concepts directly relevant to the technologies of the time. Since then, technology has evolved rapidly from something embraced only by the largest and most advanced companies into a foundation block of nearly all companies. The 2013 Framework places more focus on technology throughout the components of internal control, and focuses more broadly on the impact of technology on the internal control structure rather than on specific types of technology. Because more companies are outsourcing key portions of their business activities or control systems to third parties, the updated Framework also includes expanded guidance and considerations related to outside resources, such as third-party processors. The updated Framework also expands the reporting aspect of internal control to consider more than just financial reporting, covering non-financial information and internal reporting as well.
Impact of adopting the updated Framework
Finally, the advances in technology and communications have increased the reach of many companies, both on the supply and development side and in sales or service delivery. For many entities, local or national borders no longer serve as significant barriers. Rather, business is increasingly conducted on a multi-location or global basis. The 2013 Framework includes additional guidance and considerations for businesses operating in these environments:
• Illustrative Tools for Assessing Effectiveness of a System of Internal Control
• Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
Impact of adopting the updated Framework
“Monitoring” has been changed to “Monitoring Activities.” This change is intended to broaden the perception of monitoring as a series of activities undertaken individually and as part of each of the other four components, rather than as one unique process. “Financial Reporting” has been changed to “Reporting.” This change is intended to broaden the application of the Framework beyond external financial reporting, as it has often been applied, to include internal reporting as well as external reporting of non-financial measures.
Impact of adopting the updated Framework
Along the right side of the cube, the organization structure has been changed to align with COSO’s Enterprise Risk Management Integrated Framework (ERM Framework) and to better illustrate that an effective internal control structure permeates an entire organization at all functional levels, both independently and interdependently. It is also important to note that while there was consideration of combining the Internal Control Integrated Framework with the ERM Framework, the two remain separate, but interrelated. Internal control is an integral part of enterprise risk management; however, risk management encompasses a broader role than internal control in supporting the entity’s governance structure.
Impact of adopting the updated Framework
Example principle and related points of focus
Control Environment
1. Demonstrates commitment to integrity and ethical values
Points of Focus:
• Sets the tone at the top
• Establishes standards of conduct
• Evaluates adherence to standards of conduct
• Addresses deviations in a timely manner
• Points of focus are typically important characteristics of principles that can be used to facilitate designing, implementing, and conducting internal control
• There is no requirement to separately assess whether points of focus are in place
• Points of focus may not be suitable or relevant, and others may be identified
• Points of focus may facilitate designing, implementing, and conducting internal control
Example of controls embedded in other internal control components
Component: Control Environment
Principle: 1. Demonstrates commitment to integrity and ethical values
Controls embedded in other components may affect this principle:
• Control Environment: Human Resources review employees’ confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity
• Information & Communication: Management obtains and reviews data and information underlying potential deviations captured in the whistleblower hot-line to assess quality of information
• Monitoring Activities: Internal Audit separately evaluates the Control Environment, considering employees’ behaviors and whistleblower hotline results, and reports thereon
Impact of adopting the updated Framework
• Initial level of effort will vary by organization depending on its existing level of documentation, stakeholder involvement and locations
• Provides flexibility in applying the Framework to multiple, overlapping objectives across the entity
- Easier to see what is covered and what is missing
- May reduce likelihood of considering controls that are irrelevant
- May reduce the number of discrete risks assessed and mitigated
• Potential for initial deficiencies if the system of internal control does not address each of the principles
• Heightened focus on entity-wide controls provides a platform for addressing increased entity-level scrutiny from authoritative bodies (e.g. SEC, PCAOB, AICPA)
Impact of adopting the updated Framework
• Understand the Framework
• Identify key stakeholders
• Awareness / education / training
• Map existing controls to principles
• Gap analysis / remediation
• Update documentation
Timing considerations
• Updated Framework will supersede original Framework on December 15, 2014
• Earlier implementation encouraged
• During the transition, external reporting should disclose which version of the Framework was used
Impact of adopting the updated Framework
Implementing the 2013 Framework
• Provide COSO overview or training
• Identify stakeholders impacted by transition
• Map existing controls to the principles
• Update project tools, templates, documentation
• Prepare gap analysis
• Assist with developing remediation plan
Entity-level control initiatives
• Governance, risk and compliance
• Enterprise risk management
• Information technology
• IT security and privacy
• Fraud prevention and detection
• Regulatory issues (e.g. FCPA)
• Addressing increased entity-level focus by authoritative bodies (e.g. SEC, PCAOB, AICPA)
Checklist for implementing the 2013 COSO Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently issued its updated Internal Control-Integrated Framework (Framework) and related illustrative documents. This update contains a number of changes that may significantly impact public companies and other organizations utilizing the COSO Framework, changing the way they approach internal controls, including implementation, monitoring and reporting. The updated 2013 Framework will supersede the original guidelines on Dec. 15, 2014, with earlier implementation strongly encouraged. The checklist below is a useful tool to guide you through the implementation process.
Checklist
Understanding the 2013 COSO Framework
Task: Notes and action items: Timing:
Read and become familiar with the 2013 COSO Framework, including the following changes:
• The linking of 17 Principles and 81 Points of Focus to the five components of internal control
• Enhanced consideration of governance, information technology and anti-fraud
• Updated reporting objectives
• Introduction of major deficiencies
Leverage McGladrey resources:
• Contact us for a personalized overview or implementation assistance
• View our COSO Framework update webcast
• View our white paper, “An overview of COSO’s 2013 Internal Control-Integrated Framework”
Leverage COSO website resources:
• Framework guidance
• Books and other publications
• Sample templates
• News
Leverage Institute of Internal Auditors (IIA) website resources:
• COSO resources
• Articles, books and reports
• Training and events
• News
Develop initial project implementation plan and timeline for implementing the 2013 Framework
Checklist
Identifying key stakeholders
Task: Notes and action items: Timing:
Internal audit
Sarbanes-Oxley (SOX) team
Audit committee members
External auditor
SOX steering committee
Senior leadership
Departmental or functional leadership and management team
IT
Process owners
Third parties and outsourced service providers
Personnel involved with anti-fraud programs
International locations in scope, if not included above
Update project implementation plan and timeline
Checklist
Awareness, education and training
Task: Notes and action items: Timing:
Develop communication plan to bring awareness of the 2013 Framework changes to key stakeholders
Prepare and distribute relevant communications to key stakeholders at key milestones throughout the implementation to keep them informed and engaged
Provide training to the internal audit team
Provide education and training to key stakeholders
Maintain archive of key communications and trainings for future reference by key stakeholders
Checklist
Gap analysis and remediation plan
Task: Notes and action items: Timing:
Assign to applicable stakeholders
Monitor and update
Report status to relevant stakeholders
Map existing controls to 2013 Framework principles
Task: Notes and action items: Timing:
Map existing controls to applicable principles
Identify gaps and prepare remediation plans
Collaborate with the external auditor throughout the process
Continue to update project implementation plan and timeline
Checklist
Update methodology, tools, templates and relative documentation
Task: Notes and action items: Timing:
Methodology and approach guide
Repository
Templates library
Documentation:
• Risk and control matrices
• Narratives and flow charts
• Test scripts
• Gap analysis and remediation plans
Reporting packages:
• Internal audit
• Audit committee
• External audit
• Leadership and management
• External
Update external reporting (e.g., 10Q, 10K) to reflect usage of the 2013 Framework
Five principles related to the control environment are introduced in the 2013 Framework:
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with broad oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Control Environment
Point of Focus – control environment
Principle 1. Demonstrates commitment to integrity and ethical values
• Sets the tone at the top
• Establishes standards of conduct
• Evaluates adherence to standards of conduct
• Addresses deviations in a timely manner
Principle 2. Exercises oversight responsibility
• Establishes oversight responsibilities
• Applies relevant expertise
• Operates independently
• Provides oversight for the system of internal control
Principle 3. Establishes structure, authority and responsibility
• Considers all structures of the entity
• Establishes reporting lines
• Defines, assigns, and limits authorities and responsibilities
Principle 4. Demonstrates commitment to competence
• Establishes policies and practices
• Evaluates competence and addresses shortcomings
• Attracts, develops, and retains individuals
• Plans and prepares for succession
Principle 5. Enforces accountability
• Enforces accountability through structures, authorities, and responsibilities
• Establishes performance measures, incentives, and rewards
• Evaluates performance measures, incentives, and rewards for ongoing relevance
• Considers excessive pressures
• Evaluates performance and rewards or disciplines individuals
Four principles are introduced related to risk assessment:
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risk relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Risk Assessment
Point of focus – risk assessment
Principle 6. Specifies suitable objectives
• Operations objectives
- Reflects management’s choices
- Considers tolerances for risk
- Includes operations and financial performance goals
- Forms a basis for committing resources
• External financial reporting objectives
- Complies with applicable accounting standards
- Considers materiality
- Reflects entity activities
• External non-financial reporting objectives
- Complies with externally established standards and frameworks
- Considers the required level of precision
- Reflects entity activities
• Internal reporting objectives
- Reflects management’s choices
- Considers the required level of precision
- Reflects entity activities
• Compliance objectives
- Reflects external laws and regulations
- Considers tolerances for risk
Principle 7. Identifies and analyzes risk
• Includes entity, subsidiary, division, operating unit, and functional levels
• Analyzes internal and external factors
• Involves appropriate levels of management
• Estimates significance of risks identified
• Determines how to respond to risks
Principle 8. Assesses fraud risk
• Considers various types of fraud
• Assesses incentives and pressures
• Assesses opportunities
• Assesses attitudes and rationalizations
Principle 9. Identifies and analyzes significant change
• Assesses change in the external environment
• Assesses change in the business model
• Assesses change in leadership
Three principles are introduced related to control activities:
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Control Activities
Point of focus – control activities
Principle 10. Selects and develops control activities
• Integrates with risk assessment
• Considers entity-specific factors
• Determines relevant business processes
• Evaluates a mix of control activity types
• Considers at what level activities are applied
• Addresses segregation of duties
Principle 11. Selects and develops general controls over technology
• Determines dependency between the use of technology in business processes and technology general controls
• Establishes relevant technology infrastructure control activities
• Establishes relevant security management process control activities
• Establishes relevant technology acquisition, development, and maintenance process control activities
Principle 12. Deploys through policies and procedures
• Establishes policies and procedures to support deployment of management’s directives
• Establishes responsibility and accountability for executing policies and procedures
• Performs in a timely manner
• Takes corrective action
• Performs using competent personnel
• Reassesses policies and procedures
Three principles are introduced related to information and communication:
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Information and Communication
Point of focus – information and communication
Principle 13. Uses relevant information
• Identifies information requirements
• Captures internal and external sources of data
• Processes relevant data into information
• Maintains quality throughout processing
• Considers costs and benefits
Principle 14. Communicates internally
• Communicates internal control information
• Communicates with the board of directors
• Provides separate communication lines
• Selects relevant method of communication
Principle 15. Communicates externally
• Communicates to external parties
• Enables inbound communications
• Communicates with the board of directors
• Provides separate communication lines
• Selects relevant method of communication
Two principles are introduced related to monitoring activities:
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Monitoring Activities
Point of focus – monitoring activities
Principle 16. Conducts ongoing and/or separate evaluations
• Considers a mix of ongoing and separate evaluations
• Considers rate of change
• Establishes baseline understanding
• Uses knowledgeable personnel
• Integrates with business processes
• Adjusts scope and frequency
• Objectively evaluates
Principle 17. Evaluates and communicates deficiencies
• Assesses results
• Communicates deficiencies
• Monitors corrective actions
For many smaller entities, a quick look through the points of focus makes it evident that many will not be relevant to their operations. Points of focus addressing multiple locations or business units can quickly be dismissed for single-location businesses.
The 2013 Framework includes specific additional guidance related to smaller entities and governments. The following highlights consideration points related to segregation of duties, management override, board of directors, information technology, and monitoring activities for these entities. Key consideration factors for each area include:
Scalability for Smaller Entities
• Managers can review reports of detailed transactions on a regular and timely basis
• Managers can select transactions for review against supporting documents
• Managers can take periodic counts of inventory, equipment or other physical assets and compare them with the accounting records
• Managers can review reconciliations of account balances or periodically perform them independently
Scalability for Smaller Entities - Segregation of Duties
• Maintain a corporate culture of integrity and ethical values
• Implement a whistle-blower program
• Engage an effective internal audit program
• Attract and retain qualified board members
Scalability for Smaller Entities - Management Override
• To find qualified board members, companies may expand their search to broader populations with financial and accounting and other valued expertise
Scalability for Smaller Entities - Board of Directors
• The use of commercially developed software packages:
- Reduces risks from program change control requirements
- May include the ability to control access to selected employees
- May perform checks on data processing completeness and accuracy
- May be able to maintain related documentation
Scalability for Smaller Entities - Information Technology
• Smaller entities may have less formal monitoring processes, but should still take credit for the monitoring performed
• It is noted in the Framework that smaller entities often need less formal documentation because there are fewer people working closer together. Consequently, management may perform monitoring through direct observation.
Scalability for Smaller Entities - Monitoring Activities
Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Separates the financial reporting category into three objectives: (1) external financial reporting, (2) external nonfinancial reporting, and (3) internal reporting.
Risk Assessment Enhanced Concepts
Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
• Explains that the risk assessment process includes risk identification, analysis, and response.
• Incorporates the concept of inherent risk.
• Expands the discussion of risk tolerance and how risk may be managed, including by accepting, avoiding, reducing, and sharing risk.
• Considers velocity and persistence of risk (in addition to impact and likelihood).
• Incorporates consideration of OSPs.
Risk Assessment Enhanced Concepts Cont.
Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
• Incorporates the concept of fraud risk assessment.
• Considerations related to various types of fraud, including fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, safeguarding of assets, management override, and corruption.
• Evaluating incentives, pressures, opportunities, attitudes, and rationalizations.
• Incorporates consideration of OSPs.
Risk Assessment Enhanced Concepts Cont.
Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control.
• Importance of assessing changes in the external environment, business model, operations, technology, relationship with OSPs, leadership, and how such changes may affect internal control.
Risk Assessment Enhanced Concepts Cont.
• Risk identification must be comprehensive and take into account significant interactions between the organization and OSPs.
• An organization’s risk assessment process takes into account risks originating in OSPs.
• The organization considers possible acts of corruption by OSPs during its fraud risk assessment, which should be based on the presumption that the entity’s expected standards of ethical conduct are being adhered to.
• In assessing possible corruption, the entity is not expected to directly manage the actions of OSP personnel; however, management may stipulate expected levels of performance and standards of conduct through contractual relations and may develop control activities that maintain oversight of OSPs.
• Management assesses changes in relationships with OSPs to determine the relevancy of previously effective internal controls.
Risk Assessment - Outsourced Service Providers (OSPs)
Risk Assessment – Information Technology
• Many organizations apply external IT standards to help manage their operations.
• Risks at the entity level can arise from internal or external IT factors.
• As part of its fraud risk assessment process, the organization should consider the nature of IT and management’s ability to manipulate information.
• The likelihood of a loss of assets or fraudulent external reporting increases when there are:
- High turnover rates of IT staff.
- Ineffective IT systems.
• The organization identifies and assesses changes to IT to determine whether its system of internal control will need to be modified.
Risk Assessment - Controls
Principle 6. The organization identifies and assesses changes to IT to determine whether its system of internal control will need to be modified.
• The organization links accounts, assertions and risks (can be accomplished through a risk assessment & control matrix).
• The organization sets as the entity’s broad external financial reporting objective to prepare reliable financial statements in accordance with GAAP. Management subsequently specifies the suitable financial reporting objectives and sub-objectives for all significant accounts and activities, including accounting policies, financial statement assertions, and qualitative characteristics.
• Management assesses materiality of significant accounts, considering both quantitative and qualitative factors.
• Management reviews publications from professional bodies for updates in accounting pronouncements relevant to the business. Periodically, management presents to the audit committee an analysis of changes released or emerging issues that may significantly impact financial reporting and notes any significant differences from accounting policies of similar entities.
• Management reviews financial accounting policies and discusses significant accounting policies with the audit committee on an annual basis.
Risk Assessment - Controls
Principle 6. The organization identifies and assesses changes to IT to determine whether its system of internal control will need to be modified.
• Management reviews and updates its understanding of applicable standards and statutory reporting requirements and communicates the update to the appropriate individuals / committees.
• Management reviews its financial statements on a monthly basis to ensure all significant activities are included and to analyze its various divisions for new developments and changes that may impact the organization.
Risk Assessment - Controls
Principle 7
• The organization analyzes risk across functions / departments and to significant financial statement accounts using pre-determined risk ratings.
• The organization analyses risk for information technology.
• The organization assesses the likelihood and significance of identified risks.
• The organization uses benchmark data to assess significance and response to risk.
• The organization analyzes risks from external factors.
Risk Assessment - Controls
Principle 8
• The organization analyzes fraud risk.
• The audit committee reviews the fraud risk assessment process and discusses the risk of management override of controls.
• The organization identifies and analyzes risk of material omission and misstatement due to fraud.
• The compensation committee analyzes the compensation structure.
Risk Assessment - Controls
Principle 9
• The organization analyzes change in the external environment and prepares contingency plans (such as for decreases in donor contributions, etc.)
• The organization analyzes significant change from international exposure.
• The organization analyzes significant change from a system implementation or process change.
• The organization analyzes change through succession and plans for executive transition.