TRANSCRIPT
IASA 86TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW
2013 New COSO 2013 Framework and Current Trends in Risk Management
Session 105
Page 3
Agenda
■ COSO 2013 framework overview
■ Why the update?
■ What has been updated and what has remained the same?
■ Codification of 17 principles and points of focus
■ Key areas of focus
■ Transition and impact
■ Impact on audits and financial exams
■ Our point of view
■ Next steps
■ Applying the new COSO 2013 framework
■ Risk management considerations
■ How does COSO 2013 impact my organization?
■ Questions
Page 4
Overview
Originally issued in 1992, COSO’s Internal Control – Integrated Framework (the “1992 Framework”) became one of the most widely accepted internal control frameworks in the world. In order to address the significant changes to business and operating environments that have taken place over the past 20 years, on May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated 2013 Internal Control – Integrated Framework, which supersedes the 1992 Framework on December 15, 2014.
Page 5
Update driven by input of stakeholders:
[Chart: “Do stakeholders understand the components of effective internal control?” Horizontal bar chart (0% to 100%) for each component (Control Activities, Monitoring, Control Environment, Information & Communication, Risk Assessment), with responses ranging from “Difficult to interpret” through “Somewhat difficult to interpret”, “Moderately easy to interpret” and “Generally easy to interpret” to “Easy to interpret”.]
Source: COSO’s survey of users and stakeholders, worldwide, January to September 2011
Page 6
Update expected to increase ease of use and broaden application
What is not changing...
• Core definition of internal control
• Three categories of objectives and five components of internal control
• Each of the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring activities) is required for effective internal control
• Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness
What is changing...
• Changes in business and operating environments considered
• Operations and reporting objectives expanded
• Fundamental concepts underlying the five components articulated as 17 principles
• Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added
Page 7
Update considers changes in business and operating environments
Environment changes that have driven Framework updates:
• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexity in business
• Demands and complexities in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud
[Figure: COSO Cube (2013 Edition)]
Page 8
Why the update?
■ Business and operating environments have changed dramatically, becoming increasingly complex, technologically driven and global in scope.
■ Stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal controls that support business decisions and governance.
[Diagram: COSO’s Internal Control – Integrated Framework (1992 Edition), “ICIF works well today”, moves through refresh objectives and enhancements to COSO’s Internal Control – Integrated Framework (2013 Edition), “ICIF will work better tomorrow”.]
Refresh objectives:
• Address significant changes to the business environment and associated risks
• Increase focus on operations, compliance and non-financial reporting objectives
• Codify criteria to use in the development and assessment of systems of internal control
Enhancements:
• Updated, enhanced and clarified framework
• Expanded internal and non-financial reporting guidance
• Principles and points of focus
Page 9
Update clarifies requirements for effective internal control
[Figure: Internal Controls comprise 5 Components, 17 Principles and Points of Focus]
• Effective internal control provides reasonable assurance that each component and supporting principle is present and functioning and the five components are integrated effectively
• Principles are suitable and presumed relevant for all entities
• Principles can support achievement of single, multiple, or overlapping objectives
• Applying principles provides a basis for evaluation of internal control effectiveness across an organization
Page 10
Update articulates 17 principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Page 11
Updated Framework: Describes important characteristics of each principle
■ Points of focus may not be suitable or relevant, and others may be identified.
■ Points of focus may facilitate designing, implementing, and conducting internal control.
■ There is no requirement to separately assess whether points of focus are in place.
■ For example:
Control Environment – Principle 1. The organization demonstrates a commitment to integrity and ethical values.
Points of focus:
• Sets the tone at the top
• Establishes standards of conduct
• Evaluates adherence to standards of conduct
• Addresses deviations in a timely manner
Page 12
2013 Framework and Guidance – Key Areas of Focus
Risk Assessment
• More detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed, and linkage between risk assessment and control activities.
• Considering the potential for fraud risks to the achievement of an organization’s objectives.
Outsourced Service Providers (OSPs)
• Considerations related to OSPs are included throughout the framework, including 12 out of 17 principles.
• Requires management to specifically consider how OSPs are monitored.
Information Technology (IT)
• Considerations related to IT are included in 14 out of 17 principles.
• Discussion of using IT to assist in continuous monitoring within the system of internal control (i.e., use of data analytics).
• Requirements for ensuring quality of information (i.e., data integrity).
Page 13
Transition & Impact
■ Users are encouraged to transition applications and related documentation to the updated Framework as soon as feasible
■ Updated Framework will supersede the original Framework at the end of the transition period (i.e., December 15, 2014)
■ During the transition period, external reporting should disclose whether the original or updated version of the Framework was used
■ Impact of adopting the updated Framework will vary by organization
  − Does the system of internal control need to address changes in business?
  − Does the system of internal control need to be updated to address all principles?
  − Does the organization apply and interpret the original framework in the same manner as COSO?
  − Is the organization considering new opportunities to apply internal control to cover additional objectives?
Page 14
Transition & Impact (continued)
■ The principles-based approach provides flexibility in applying the Framework to multiple, overlapping objectives across the entity
  • Easier to see what is covered and what is missing
  • Focus on principles may reduce the likelihood of considering something that’s irrelevant
■ Understanding the importance of specifying suitable objectives focuses attention on those risks and controls most important to achieving these objectives.
■ Focusing on areas of risk that exceed acceptance levels or need to be managed across the entity may reduce efforts spent mitigating risks in areas of lesser significance.
■ Coordinating efforts for identifying and assessing risks across multiple, overlapping objectives may reduce the number of discrete risks assessed and mitigated.
Page 15
Transition & Impact (continued)
■ Selecting, developing, and deploying controls to effect multiple principles may also reduce the number of discrete, layered-on controls.
■ Applying an integrated approach to internal control – encompassing operations, reporting, and compliance – may lessen complexity.
■ In assessing the severity of internal control deficiencies, use only the relevant classification criteria as set out in the Framework or by regulators, standard-setting bodies, and other relevant third parties, as appropriate.
Page 16
Our Point of View – Overview
■ Helps increase transparency. The structure and rigor presented in this framework around 17 principles and points of focus help establish transparency and accountability in an organization’s process of designing and implementing its system of internal control.
■ Strengthened governance. For companies utilizing COSO, the new framework will also aid in strengthening the governance and oversight of internal control in an organization.
■ Maintain an optimum balance. The COSO 2013 framework does not necessarily warrant redesigning the organization’s system of internal control. Management must ensure that their approach to transitioning is effective and efficient.
■ Implementation of the new COSO 2013 framework. While the fundamental elements of the new COSO framework remain the same, it is important to update existing documentation to support that the system of internal control considers the 17 principles.
Page 17
Our Point of View – Impact on External Audits
■ More defined guidance = better sources of information for testing. This does not mean more testing. In fact, it might require less testing if companies implement the updated COSO Framework effectively
■ Aligns with greater emphasis and specific measures on corporate governance
■ Better synergy with ERM and related controls design. A strong ERM framework ties in well with the new COSO Framework
■ Better defines the role of technology in risk management and controls
Page 18
Impact on External Audits
■ Examining Internal Controls over Financial Reporting (ICoFR)
  • System of internal control must be examined
  • 5 components are supported by 17 principles, which include:
    » Commitment to integrity and ethical values;
    » Exercises oversight responsibility;
    » Demonstrates a commitment to competence;
    » Assesses fraud risk.
  • What is the burden of proof?
  • Moreover, what constitutes solid audit evidence?
Page 19
Impact on External Audits
■ Increased focus on the following:
  • Electronic audit evidence
  • Increased focus on validating information
    » Tying out of balances does not suffice;
    » Report parameters and illustrative screenshots required;
    » Only “in scope” applications can be relied upon;
  • Review controls
  • THAT it is reviewed is not enough: WHO, WHAT, HOW…
    » Who is performing the review?
    » What is their review process?
  • Evaluating the impact of deficiencies
  • What is the impact of a deficiency?
  • Inherent risk vs. residual risk
    » How does a failure or a failure rate impact the residual risk index?
    » What is the effect of all failures identified:
      − Cumulative impact;
      − Synergistic – do multiple failures exacerbate individual risks?
Page 20
Our Point of View – Impact on Financial Examinations
■ New framework provides greater focus on the linking between risks, strategy and controls
■ Updated documentation will provide greater insight and reliability into existing documentation and testing performed by internal and external auditors
■ Less testing if fully implemented; better aligns with a risk-focused exam, including mapping of controls related to key risks and the reasoning behind those controls, especially when it comes to soft areas like corporate governance and strategy
■ Examiners should look for implementation of the 17 criteria during their evaluation of the IT framework, including gaps in existing documentation
Page 21
Next Steps
Companies should consider COSO’s 4-step approach transition guidance for purposes of complying with Section 404 of the Sarbanes-Oxley Act, which includes:
1. Read COSO’s updated Framework and illustrative documents
2. Initiate a discussion with senior management and the audit committee on the new COSO framework, highlighting its key changes and implications for the system of internal control at the organization
3. Review and establish a process for identifying and assessing necessary changes in controls (if any) and related documentation
4. Document your approach toward the application of the new COSO framework and transition plan, including changes in controls and related documentation
Given the integral role management, the audit committee, internal audit and other risk management functions all play in an effective system of internal control, a coordinated approach to addressing the key changes in the new COSO framework is essential.
Page 22
Next Steps
Client considerations and next steps: the four-step approach
1. Understand and educate
2. Assess
3. Plan and implement
4. Communicate
Page 23
Applying the new COSO 2013 framework – Steps to Implementation
A. Review existing internal control assessment results and perform an overall assessment with respect to the five components and supporting 17 principles
B. Evaluate each of the five components individually and collectively, and document (in summary) whether the relevant principles are present and functioning
C. For each component, formally evaluate whether each of the 17 principles (to the extent they are relevant) is present and functioning and document the summarized assessment, including any deficiencies/gaps
D. Create a detailed mapping of all internal controls to each of the five components and related principles and document (may not be required if A, B and C above can be adequately supported)
E. Identify additional controls (if any) that may be relevant to fully support a component and/or principle to be present and functioning in the design and implementation of the system of internal control
F. Update overall internal control documentation to reflect changes in the new COSO framework, including but not limited to: financial and non-financial reporting (both internal and external), documenting whether the 17 principles are present and functioning, and clarifying the objectives: a) effectiveness and efficiency of operations, b) compliance with regulatory requirements and c) reporting
Page 24
Applying the new COSO 2013 framework for management
Steps to Implementation – Cont’d
G. Update management’s control self-assessment process to include the three objectives (as part of risk assessment) and five components and 17 principles (as part of self-assessment questionnaires)
H. Update risk assessment methodology (as applicable) and documentation to include evaluation of the three objectives, five components and 17 underlying principles
Applying the new COSO framework 2013 for internal audit
For an internal audit department:
I. Revise the IA risk assessment methodology to address the seventeen principles supporting the five components for achievement of the three objectives
J. Include reference to the 17 principles in assurance reviews performed by internal audit and its communication to senior management and the audit committee
Page 25
Risk management considerations to help management achieve business objectives
Building upon the COSO 2013 internal control framework, internal audit and other assurance providers should consider the following opportunities to help organizations achieve their business objectives.
Opportunity → Solution
• Objective setting process should be reviewed as part of risk assessment → Enterprise Risk Assessment Methodology
• Ownership of risk and coordination of risk management activities should be encouraged → Risk Coverage – Combined Assurance Model; Risk & Control Framework Assessment Methodology
• Risk assessment and evaluation criteria should be formalized → Risk assessment, evaluation and quantification tools
• Cost benefit analysis on risk mitigation activities should be performed → Cost of controls and Risk Enabled Performance Management (REPM)
Page 26
How does this impact my organization?
■ ERM/ORSA
■ Model Audit Rule
■ Internal Audit and Regulators
■ Action Steps in Implementation
■ Impact of COSO 2013 on External Audit
Page 27
ERM & ORSA
■ Differences:
  • Strategy-setting, strategic objectives and risk appetite – aspects of ERM, not the Internal Control Framework
  • Identification of emerging risks, and application of risk tolerance
■ Create a Governance / Risk Framework: integrate across business units and departments:
  • Risk Assessment
  • Control Activities
  • Monitoring and Reporting
■ Enhance documentation, communication and transparency
Page 28
MAR Transition Considerations
Companies applying the 1992 version of the Framework in conjunction with their SOX / MAR compliance process and for other purposes have to consider the following:
• How do we evaluate the effectiveness of internal control?
• When and how do we transition to the New Framework?
• What do we communicate to the certifying officers regarding the New Framework?
• What do we communicate to the audit committee regarding the New Framework?
• What are the Sarbanes-Oxley / MAR implications in transitioning to the New Framework?
• What do we do now?
Deadline for use in financial reporting – Year End 12/31/2014
Page 29
Internal Audit and Regulators
■ Relying more and more on “governance, risk and compliance” processes
  • The 2nd Line of Defense
■ ERM / ORSA framework and reporting – used in planning
■ Internal Controls – enhanced documentation and risk mitigation strategies create value:
  • reduced effort,
  • more effective audits / exams,
  • improved performance and reporting
Page 30
Clarity of Roles and Responsibilities Structured into “Three Lines of Defense”
[Diagram: Board / Audit Committee and Senior Management oversee the three lines of defense]
1st Line of Defense: Management Controls; Internal Control Measures
2nd Line of Defense: Financial Control; Security; Risk Management; Quality; Compliance; Legal
3rd Line of Defense: Internal Audit
External Auditor / Regulators (outside the three lines)
Page 31
Action Steps in Implementation
■ Learn what has changed and develop a transition plan
■ Communicate changes to stakeholders and implications for the organization, and execute the plan
■ Evaluate and enhance your system of internal controls, including operating practices, process improvement and documentation
■ Utilize and apply strategy to operations and technology
  • Enhance data analytics and information / reporting
Questions and Comments
Page 33
Our Contact Information
Jerry Ravi, Partner
EisnerAmper – Consulting / ERM Services
732.243.7590
Dianne Batistoni, Partner
EisnerAmper – Regulatory Audit and Consulting Services
732.243.7220
Prashant Panavalli, Senior Manager
EisnerAmper – Consulting / ERM Services
732.243.7243
THANK YOU!!!!