2013 COSO Framework Overview September 17, 2014


With You Today

Roger A. Martinez, CPA
Assurance Partner
Vasquez & Company LLP
Los Angeles, CA
213-873-1703
[email protected]

Vasquez at a Glance

• Vasquez has served government agencies in California for over 40 years.

• Vasquez audit team partners and managers are former ‘Big Four’ audit professionals.

• Consistently ranked among the top accounting firms in Los Angeles County as reported by the Los Angeles Business Journal.

• We provide the guidance and support for companies undertaking their first SOX compliance effort, helping them avoid a process that’s long, tedious and costly.

• We can help with selecting an appropriate compliance framework, internal controls documentation, a readiness assessment, or a fully outsourced compliance solution.

COSO Overview


• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five sponsoring organizations formed in 1985

• Provides thought leadership through the development of frameworks and guidance on:

- Internal control

- Enterprise risk management

- Fraud

• Designed to improve organizational performance and governance, and to reduce the extent of fraud in organizations

• Released the original Internal Control-Integrated Framework in 1992, which has become the most widely used control framework in management’s SOX assertion.

Why the COSO Framework was updated

Framework updates driven by changes in business and operating environments

Environment changes:

• Expectations for governance oversight

• Globalization of markets and operations

• Changes and greater complexity in business

• Demands and complexities in laws, rules, regulations, and standards

• Expectations for competencies and accountabilities

• Use of, and reliance on, evolving technologies

• Expectations relating to preventing and detecting fraud

Enhancements to the COSO Framework

Heightened focus on entity-level controls, technology and fraud prevention / detection

Original Framework: COSO’s Internal Control – Integrated Framework (1992 Edition)

Refresh Objectives → Enhancements:

• Reflects changes in business & operating environments → Updated Context

• Expand operations and reporting objectives → Broadens Application

• Articulates principles to facilitate effective internal control → Clarifies Requirements

Updated Framework: COSO’s Internal Control – Integrated Framework (2013 Edition)

Update expected to increase ease of use and broaden application

Overview of what is and is not changing

What is not changing…

• Core definition of internal control

• Three categories of objectives and five components of internal control

• Each of the five components of internal control is required for effective internal control

• Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

What is changing…

• Changes in business and operating environments considered

• Operations and reporting objectives expanded

• Fundamental concepts underlying the five components articulated as principles, with points of focus as additional guidance

• Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added

Introduction of principles

The 17 principles are necessary for effective internal control

Control Environment

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant changes

Control Activities

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information

14. Communicates internally

15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies

Impact of adopting the updated Framework

In addition to the 17 principles, the updated Framework contains more guidance on how technology relates to an entity’s internal control structure. The 1992 Framework included many concepts directly relevant to the technologies of the time. Since then, technology has rapidly evolved from something embraced only by the largest and most advanced companies to a foundation block of nearly all companies. The 2013 Framework includes more focus on technology throughout the components of internal control, as well as a broader focus on the impact of technology on the internal control structure rather than on specific types of technology. Because more companies are outsourcing key portions of their business activities or control systems to third parties, the updated Framework also includes expanded guidance and considerations related to outside resources, such as third-party processors. The updated Framework also expands the reporting aspect of internal control beyond financial reporting to include reporting of non-financial information and internal reporting.

Impact of adopting the updated Framework

Finally, advances in technology and communications have increased the reach of many companies, both on the supply and development side and in sales or service delivery. For many entities, local or national borders no longer serve as significant barriers. Rather, business is increasingly conducted on a multi-location or global basis. The 2013 Framework includes additional guidance and considerations for businesses operating in these environments:

• Illustrative Tools for Assessing Effectiveness of a System of Internal Control

• Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Impact of adopting the updated Framework

“Monitoring” has been changed to “Monitoring Activities.” This change is intended to broaden the perception of monitoring as a series of activities undertaken individually and as part of each of the other four components, rather than as one unique process. “Financial Reporting” has been changed to “Reporting.” This change is intended to broaden the application of the Framework not only to external financial reporting, as it has often been applied, but also to include internal reporting as well as external reporting of non-financial measures.

Impact of adopting the updated Framework

Along the right side of the cube, the organization structure has been changed to align with COSO’s Enterprise Risk Management Integrated Framework (ERM Framework) and to better illustrate that an effective internal control structure permeates an entire organization at all functional levels, both independently and interdependently. It is also important to note that while combining the Internal Control Integrated Framework with the ERM Framework was considered, the two remain separate but interrelated. Internal control is an integral part of enterprise risk management; however, risk management encompasses a broader role than internal control in supporting the entity’s governance structure.

Example principle and related points of focus

Control Environment

1. Demonstrates commitment to integrity and ethical values

Points of Focus:

• Sets the tone at the top

• Establishes standards of conduct

• Evaluates adherence to standards of conduct

• Addresses deviations in a timely manner

• Points of focus are typically important characteristics of principles that can be used to facilitate designing, implementing, and conducting internal control

• There is no requirement to separately assess whether points of focus are in place

• Points of focus may not be suitable or relevant, and others may be identified

• Points of focus may facilitate designing, implementing, and conducting internal control

Example of controls embedded in other internal control components

Component: Control Environment

Principle: 1. Demonstrates commitment to integrity and ethical values

Controls embedded in other components may affect this principle:

• Control Environment: Human Resources reviews employees’ confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity

• Information & Communication: Management obtains and reviews data and information underlying potential deviations captured in the whistleblower hotline to assess the quality of information

• Monitoring Activities: Internal Audit separately evaluates the Control Environment, considering employees’ behaviors and whistleblower hotline results, and reports thereon

Impact of adopting the updated Framework

• Initial level of effort will vary by organization depending on its existing level of documentation, stakeholder involvement and locations

• Provides flexibility in applying the Framework to multiple, overlapping objectives across the entity

- Easier to see what is covered and what is missing

- May reduce likelihood of considering controls that are irrelevant

- May reduce the number of discrete risks assessed and mitigated

• Potential for initial deficiencies if the system of internal control does not address each of the principles

• Heightened focus on entity-wide controls provides a platform for addressing increased entity-level scrutiny from authoritative bodies (e.g. SEC, PCAOB, AICPA)

Impact of adopting the updated Framework

Implementation steps:

• Understand the Framework

• Identify key stakeholders

• Awareness / education / training

• Map existing controls to principles

• Gap analysis / remediation

• Update documentation

Timing considerations

• Updated Framework will supersede original Framework on December 15, 2014

• Earlier implementation encouraged

• During the transition, external reporting should disclose which version of the Framework was used

Impact of adopting the updated Framework

Implementing the 2013 Framework

• Provide COSO overview or training

• Identify stakeholders impacted by transition

• Map existing controls to the principles

• Update project tools, templates, documentation

• Prepare gap analysis

• Assist with developing remediation plan

Entity-level control initiatives

• Governance, risk and compliance

• Enterprise risk management

• Information technology

• IT security and privacy

• Fraud prevention and detection

• Regulatory issues (e.g. FCPA)

• Addressing increased entity-level focus by authoritative bodies (e.g. SEC, PCAOB, AICPA)

Checklist for implementing the 2013 COSO Framework


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently issued its updated Internal Control-Integrated Framework (Framework) and related illustrative documents. This update contains a number of changes that may significantly impact public companies and other organizations utilizing the COSO Framework, changing the way they approach internal controls, including implementation, monitoring and reporting. The updated 2013 Framework will supersede the original guidelines on Dec. 15, 2014, with earlier implementation strongly encouraged. The checklist below is a useful tool to guide you through the implementation process.

Checklist

Understanding the 2013 COSO Framework

Task | Notes and action items | Timing

Read and become familiar with the 2013 COSO Framework, including the following changes:

- The linking of 17 Principles and 81 Points of Focus to the five components of internal control

- Enhanced consideration of governance, information technology and anti-fraud

- Updated reporting objectives

- Introduction of major deficiencies

Leverage McGladrey resources:

- Contact us for a personalized overview or implementation assistance

- View our COSO Framework update webcast

- View our white paper, “An overview of COSO’s 2013 Internal Control-Integrated Framework”

Leverage COSO website resources:

- Framework guidance

- Books and other publications

- Sample templates

- News

Leverage Institute of Internal Auditors (IIA) website resources:

- COSO resources

- Articles, books and reports

- Training and events

- News

Develop initial project implementation plan and timeline for implementing the 2013 Framework

Checklist


Identifying key stakeholders

Task | Notes and action items | Timing

Internal audit

Sarbanes-Oxley (SOX) team

Audit committee members

External auditor

SOX steering committee

Senior leadership

Departmental or functional leadership and management team

IT

Process owners

Third parties and outsourced service providers

Personnel involved with anti-fraud programs

International locations in scope, if not included above

Update project implementation plan and timeline

Checklist


Awareness, education and training

Task | Notes and action items | Timing

Develop communication plan to bring awareness of the 2013 Framework changes to key stakeholders

Prepare and distribute relevant communications to key stakeholders at key milestones throughout the implementation to keep them informed and engaged

Provide training to the internal audit team

Provide education and training to key stakeholders

Maintain archive of key communications and trainings for future reference by key stakeholders

Checklist


Gap analysis and remediation plan

Task | Notes and action items | Timing

Assign to applicable stakeholders

Monitor and update

Report status to relevant stakeholders

Map existing controls to 2013 Framework principles

Task | Notes and action items | Timing

Map existing controls to applicable principles

Identify gaps and prepare remediation plans

Collaborate with the external auditor throughout the process

Continue to update project implementation plan and timeline

Checklist


Update methodology, tools, templates and related documentation

Task | Notes and action items | Timing

Methodology and approach guide

Repository

Templates library

Documentation:

- Risk and control matrices

- Narratives and flow charts

- Test scripts

- Gap analysis and remediation plans

Reporting packages:

- Internal audit

- Audit committee

- External audit

- Leadership and management

- External

Update external reporting (e.g., 10Q, 10K) to reflect usage of the 2013 Framework

Checklist


Additional items

Task | Notes and action items | Timing

Control Environment

Five principles related to the control environment are introduced in the 2013 Framework:

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Point of Focus – control environment

Principle 1. Demonstrates commitment to integrity and ethical values

• Sets the tone at the top

• Establishes standards of conduct

• Evaluates adherence to standards of conduct

• Addresses deviations in a timely manner

Principle 2. Exercises oversight responsibility

• Establishes oversight responsibilities

• Applies relevant expertise

• Operates independently

• Provides oversight for the system of internal control

Principle 3. Establishes structure, authority and responsibility

• Considers all structures of the entity

• Establishes reporting lines

• Defines, assigns, and limits authorities and responsibilities

Principle 4. Demonstrates commitment to competence

• Establishes policies and practices

• Evaluates competence and addresses shortcomings

• Attracts, develops, and retains individuals

• Plans and prepares for succession

Principle 5. Enforces accountability

• Enforces accountability through structures, authorities, and responsibilities

• Establishes performance measures, incentives, and rewards

• Evaluates performance measures, incentives, and rewards for ongoing relevance

• Considers excessive pressures

• Evaluates performance and rewards or disciplines individuals

Risk Assessment

Four principles are introduced related to risk assessment:

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risk relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Point of focus – risk assessment

Principle 6. Specifies suitable objectives

• Operations objectives

- Reflects management’s choices

- Considers tolerances for risk

- Includes operations and financial performance goals

- Forms a basis for committing resources

• External financial reporting objectives

- Complies with applicable accounting standards

- Considers materiality

- Reflects entity activities

• External non-financial reporting objectives

- Complies with externally established standards and frameworks

- Considers the required level of precision

- Reflects entity activities

• Internal reporting objectives

- Reflects management’s choices

- Considers the required level of precision

- Reflects entity activities

• Compliance objectives

- Reflects external laws and regulations

- Considers tolerances for risk

Principle 7. Identifies and analyzes risk

• Includes entity, subsidiary, division, operating unit, and functional levels

• Analyzes internal and external factors

• Involves appropriate levels of management

• Estimates significance of risks identified

• Determines how to respond to risks

Principle 8. Assesses fraud risk

• Considers various types of fraud

• Assesses incentives and pressures

• Assesses opportunities

• Assesses attitudes and rationalizations

Principle 9. Identifies and analyzes significant change

• Assesses change in the external environment

• Assesses change in the business model

• Assesses change in leadership

Control Activities

Three principles are introduced related to control activities:

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Point of focus – control activities

Principle 10. Selects and develops control activities

• Integrates with risk assessment

• Considers entity-specific factors

• Determines relevant business processes

• Evaluates a mix of control activity types

• Considers at what level activities are applied

• Addresses segregation of duties

Principle 11. Selects and develops general controls over technology

• Determines dependency between the use of technology in business processes and technology general controls

• Establishes relevant technology infrastructure control activities

• Establishes relevant security management process control activities

• Establishes relevant technology acquisition, development, and maintenance process control activities

Principle 12. Deploys through policies and procedures

• Establishes policies and procedures to support deployment of management’s directives

• Establishes responsibility and accountability for executing policies and procedures

• Performs in a timely manner

• Takes corrective action

• Performs using competent personnel

• Reassesses policies and procedures

Information and Communication

Three principles are introduced related to information and communication:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Point of focus – information and communication

Principle 13. Uses relevant information

• Identifies information requirements

• Captures internal and external sources of data

• Processes relevant data into information

• Maintains quality throughout processing

• Considers costs and benefits

Principle 14. Communicates internally

• Communicates internal control information

• Communicates with the board of directors

• Provides separate communication lines

• Selects relevant method of communication

Principle 15. Communicates externally

• Communicates to external parties

• Enables inbound communications

• Communicates with the board of directors

• Provides separate communication lines

• Selects relevant method of communication

Monitoring Activities

Two principles are introduced related to monitoring activities:

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Point of focus – monitoring activities

Principle 16. Conducts ongoing and/or separate evaluations

• Considers a mix of ongoing and separate evaluations

• Considers rate of change

• Establishes baseline understanding

• Uses knowledgeable personnel

• Integrates with business processes

• Adjusts scope and frequency

• Objectively evaluates

Principle 17. Evaluates and communicates deficiencies

• Assesses results

• Communicates deficiencies

• Monitors corrective actions

Scalability for Smaller Entities

For many smaller entities, a quick look through the points of focus makes it evident that many will not be relevant to their operations. Points of focus on multiple locations or business units can quickly be dismissed for single-location businesses.

The 2013 Framework includes specific additional guidance related to smaller entities and governments. The following highlights consideration points related to segregation of duties, management override, board of directors, information technology, and monitoring activities for these entities. Key consideration factors for each area include:

Scalability for Smaller Entities - Segregation of Duties

• Managers can review reports of detailed transactions on a regular and timely basis

• Managers can select transactions for review against supporting documents

• Managers can take periodic counts of inventory, equipment or other physical assets and compare them with the accounting records

• Managers can review reconciliations of account balances or periodically perform them independently

Scalability for Smaller Entities - Management Override

• Maintain a corporate culture of integrity and ethical values

• Implement a whistle-blower program

• Engage an effective internal audit program

• Attract and retain qualified board members

Scalability for Smaller Entities - Board of Directors

• To find qualified board members, companies may expand their search to broader populations with financial, accounting and other valued expertise

Scalability for Smaller Entities - Information Technology

• The use of commercially developed software packages:

- Reduces risks from program change control requirements

- May include the ability to control access to selected employees

- May perform checks on data processing completeness and accuracy

- May be able to maintain related documentation

Scalability for Smaller Entities - Monitoring Activities

• Smaller entities may have less formal monitoring processes, but should still take credit for the monitoring performed

• It is noted in the Framework that smaller entities often need less formal documentation because there are fewer people working closer together. Consequently, management may perform monitoring through direct observation.

Risk Assessment – Enhanced Concepts

Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

• Separates the financial reporting category into three objectives: (1) external financial reporting, (2) external nonfinancial reporting, and (3) internal reporting.

Risk Assessment Enhanced Concepts (cont.)

Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

• Explains that the risk assessment process includes risk identification, analysis, and response.

• Incorporates the concept of inherent risk.

• Expands the discussion of risk tolerance and how risk may be managed, including by accepting, avoiding, reducing, and sharing risk.

• Considers velocity and persistence of risk (in addition to impact and likelihood).

• Incorporates consideration of OSPs.

Risk Assessment Enhanced Concepts (cont.)

Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

• Incorporates the concept of fraud risk assessment.

• Considerations related to various types of fraud, including fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, safeguarding of assets, management override, and corruption.

• Evaluating incentives, pressures, opportunities, attitudes, and rationalizations.

• Incorporates consideration of OSPs.

Risk Assessment Enhanced Concepts (cont.)

Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control.

• Importance of assessing changes in the external environment, business model, operations, technology, relationship with OSPs, leadership, and how such changes may affect internal control.

Risk Assessment – Outsourced Service Providers (OSPs)

• Risk identification must be comprehensive and take into account significant interactions between the organization and OSPs.

• An organization’s risk assessment process takes into account risks originating in OSPs.

• The organization considers possible acts of corruption by OSPs during its fraud risk assessment, which should be based on the presumption that the entity’s expected standards of ethical conduct are being adhered to.

• In assessing possible corruption, the entity is not expected to directly manage the actions of OSP personnel; however, management may stipulate expected levels of performance and standards of conduct through contractual relations and may develop control activities that maintain oversight of OSPs.

• Management assesses changes in relationships with OSPs to determine the relevancy of previously effective internal controls.

Risk Assessment – Information Technology

• Many organizations apply external IT standards to help manage their operations.

• Risks at the entity level can arise from internal or external IT factors.

• As part of its fraud risk assessment process, the organization should consider the nature of IT and management’s ability to manipulate information.

• The likelihood of a loss of assets or fraudulent external reporting increases when there are:

- High turnover rates of IT staff.

- Ineffective IT systems.

• The organization identifies and assesses changes to IT to determine whether its system of internal control will need to be modified.

Example Controls for Risk Assessment

Risk Assessment - Controls

Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

• The organization links accounts, assertions and risks (can be accomplished through a risk assessment & control matrix).

• The organization sets as the entity’s broad external financial reporting objective to prepare reliable financial statements in accordance with GAAP. Management subsequently specifies the suitable financial reporting objectives and sub-objectives for all significant accounts and activities, including accounting policies, financial statement assertions, and qualitative characteristics.

• Management assesses materiality of significant accounts, considering both quantitative and qualitative factors.

• Management reviews publications from professional bodies for updates in accounting pronouncements relevant to the business. Periodically, management presents to the audit committee an analysis of changes released or emerging issues that may significantly impact financial reporting and notes any significant differences from the accounting policies of similar entities.

• Management reviews financial accounting policies and discusses significant accounting policies with the audit committee on an annual basis.

Risk Assessment - Controls

Principle 6 (cont.)

• Management reviews and updates its understanding of applicable standards and statutory reporting requirements and communicates the update to the appropriate individuals / committees.

• Management reviews its financial statements on a monthly basis to ensure all significant activities are included and to analyze its various divisions for new developments and changes that may impact the organization.

Risk Assessment - Controls

Principle 7

• The organization analyzes risk across functions / departments and to significant financial statement accounts using pre-determined risk ratings.

• The organization analyzes risk for information technology.

• The organization assesses the likelihood and significance of identified risks.

• The organization uses benchmark data to assess significance and response to risk.

• The organization analyzes risks from external factors.

Risk Assessment - Controls

Principle 8

• The organization analyzes fraud risk.

• The audit committee reviews the fraud risk assessment process and discusses the risk of management override of controls.

• The organization identifies and analyzes risk of material omission and misstatement due to fraud.

• The compensation committee analyzes the compensation structure.

Risk Assessment - Controls

Principle 9

• The organization analyzes change in the external environment and prepares contingency plans (such as for decreases in donor contributions, etc.)

• The organization analyzes significant change from international exposure.

• The organization analyzes significant change from a system implementation or process change.

• The organization analyzes change through succession and plans for executive transition.

Questions?

