COSO and Internal Audit Considerations

Paul Oseland, CPAAccounting Specialist

Division of Supervision and Risk ManagementFederal Reserve Bank of Kansas City

2

Disclaimer

The opinions expressed in these presentations are intended for informational purposes and are not formal opinions of, nor binding on, the Federal Reserve Bank of Kansas City or the Board of Governors of the Federal Reserve System.

3

COSO Internal Control – Integrated Framework (2013)

• Update to the prior Framework originally released in 1992.

• Does not change the core definition of internal control or its five components.

• Provides additional Principles and Points of Focus that elaborate on the existing components.

• Supersedes the 1992 Framework as of December 14, 2014.

4

COSO Cube – 1992

5

COSO Cube – 1992 vs. 2013

6

1992 2013

COSO Cube vs. Rubik’s Cube

7

1992 2013 1980

COSO (2013) – 17 Principles

8

COSO (2013) – 81 Points of Focus

9

COSO (2013) Adoption

• 10th District FDICIA Filers with assets > $1 billion:– 25% of filers between $1 billion and $2 billion

adopted the 2013 Framework.– 22% of filers between $2 billion and $5 billion

adopted the 2013 Framework.– 50% of filers over $5 billion adopted the 2013

Framework.– 56% of SEC registered public companies adopted the

2013 Framework.

10

Supervisory Considerations

• CBEM Section 1010.1: “Institutions are encouraged to evaluate their internal control against the COSO framework.

• 12 CFR Part 363: COSO “provides a suitable and recognized framework for purposes of management's assessment. Other suitable frameworks have been published in other countries or may be developed in the future. Such other suitable frameworks may be used by management and the institution's independent public accountant in assessments, attestations, and audits of internal control over financial reporting.

11

FDICIA “Internal Audit Requirements”

• Institutions must prepare GAAP financial statements that shall be audited by an independent public accountant.

• Management must submit a report stating its responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting.

• Management must assess the effectiveness of ICFR, with an attestation from the independent public accountant (>$1 billion).

12

SR 99-33: Interagency Policy Statement on External Audits of Banks With Less Than $500 Million in Total Assets

“The policy statement encourages banks and savings associations that have less than $500 million in total assets (‘small banks’) and that are not subject to other audit requirements to adopt an external auditing program as a part of their overall risk management process.”

13

SR 03-5: Amended Interagency Guidance on the Internal Audit Function and its Outsourcing

• Each institution should have an internal audit function that is appropriate to its size and the nature and scope of its activities.

• The agencies encourage internal auditors to follow the IIA’s standards.

• Costs to small institutions with few employees and less complex operations may outweigh benefits derived from a full-time manager of internal audit or an auditing staff.

14

Questions?

15