COSO Internal Control Integrated Framework

COSO's Proposed Revision to Internal Control - Integrated Framework and its Implications on Information Technology. Ken Vander Wal, ISACA International President; David Landsittel, Chairman of COSO; Cara Beston, Partner at PricewaterhouseCoopers. 2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved. (30 slides)

Uploaded by hyesue, 10-Jun-2015

TRANSCRIPT

Page 1: Coso Internal Control Integrated Framework

COSO's Proposed Revision to Internal Control - Integrated Framework and its Implications on Information Technology

Ken Vander Wal, ISACA International President
David Landsittel, Chairman of COSO
Cara Beston, Partner at PricewaterhouseCoopers

2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.

Page 2: Coso Internal Control Integrated Framework

Today's webinar:

• Text in questions using the Ask A Question button
• All audio is streamed over your computer. Having technical issues? Click the ? button
• Download the slide deck from the Event Home Page
• No CPEs being offered for this event
• Question or suggestion? Email them to [email protected]

Page 3: Coso Internal Control Integrated Framework

Presenters:

Ken Vander Wal, ISACA International President
David Landsittel, Chairman of COSO
Cara Beston, Partner at PricewaterhouseCoopers

Page 4: Coso Internal Control Integrated Framework

Agenda

• Introduction
• COSO, Project Overview, Scope and Structure
• Proposed Updates
• Impact of Updates to Technology
• Open Discussion
• Call to Action – Next Steps

Page 5: Coso Internal Control Integrated Framework

Introduction

• Background
• ISACA Membership on COSO's Advisory Council
  – Represented by Ken Vander Wal
  – Supported by Global Task Force
• Today's Presenters
  – David Landsittel
  – Cara Beston

Page 6: Coso Internal Control Integrated Framework

COSO, Project Overview, Scope and Structure

Page 7: Coso Internal Control Integrated Framework

About COSO

– Formed in 1985 to sponsor a Commission to examine fraudulent financial reporting
– A joint initiative of five private sector organizations
– Sponsors:
  • American Accounting Association
  • American Institute of Certified Public Accountants
  • Financial Executives International
  • Institute of Management Accountants
  • The Institute of Internal Auditors

Page 8: Coso Internal Control Integrated Framework

Mission of COSO

• "To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations."

Fundamental Principle

• Good risk management and internal control are necessary for the long-term success of organizations

Page 9: Coso Internal Control Integrated Framework

Project Overview

– Internal Control - Integrated Framework
  • First published in 1992
  • Most widely used framework in the US
  • Also widely used around the world
– However, since 1992, the operating environment has evolved
– Framework concepts timeless, but context needs updating

Page 10: Coso Internal Control Integrated Framework

Project Objectives

– The goal of the project is to "refresh" the Framework, by providing a context that is current.
– Enhancements are not intended to alter the core concepts developed in the original Framework
– Other project objectives include:
  • Explicitly identifying principles and attributes to provide efficiency and a basis for evaluating effectiveness
  • Adding more focus on operational and compliance control objectives
  • Expanding "Financial Reporting" objective to encompass "reporting" more broadly

Page 11: Coso Internal Control Integrated Framework

Project Governance Structure and Participants

– COSO Board of Directors
– PricewaterhouseCoopers Project Team
– COSO Advisory Council (nominated by the COSO Board)
  • AICPA
  • AAA
  • IIA
  • FEI
  • IMA
  • Regulatory Observers
  • Public Accounting Firms
  • Others
– Companies & Other Stakeholders
  • Industry Associations
  • Academia
  • Not-for-profit, government entities
  • Professional associations
  • Risk management professionals
  • Lawyers
  • Regulators
  • Other rule-makers

Page 12: Coso Internal Control Integrated Framework

Project Scope and Deliverables

• Three Products Contemplated:
  – An updated Internal Control – Integrated Framework
  – A companion document focusing on applying the framework for Internal Control over External Financial Reporting (ICEFR)
  – Evaluation tools for use in assessing the overall effectiveness of internal control

Page 13: Coso Internal Control Integrated Framework

Project Timetable

Phase                         Period
Assess & Survey Stakeholders  Sept 2010 – Jan 2011
Design & Build                Feb – Oct 2011
Public Exposure               Dec 2011 – Mar 2012
Finalize                      Apr – Dec 2012

Page 14: Coso Internal Control Integrated Framework

Obtaining Input: Survey of Stakeholders

– Over 700 responses
– Responses come from a wide range of organizations and individuals
  • Large, small and non-profit organizations well represented
  • 1 in 4 respondents are international (27%)
  • The majority of respondents have been using the Framework for over 5 years
– Overall, a large majority of respondents (85%) support updating, but not a major overhaul of the Framework

Page 15: Coso Internal Control Integrated Framework

What's Changed

• The experienced reader will find much familiar in the updated Framework, which builds on what has proven effective in the original version.

What is not changing...
1. Definition of internal control
2. Five components of internal control
3. Criteria used to assess effectiveness of systems of internal control
4. Use of judgment in evaluating the effectiveness of systems of internal control

What is changing...
1. Updating context to reflect current environment
2. Codification of principles used in developing and evaluating effectiveness of systems
3. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives
4. Increased focus on operations, compliance objectives

Page 16: Coso Internal Control Integrated Framework

Proposed Updates

Page 17: Coso Internal Control Integrated Framework

Summary of Updates

A changing business environment... drives updates to the Framework...

• Expectations for governance oversight
• Globalization of markets and operations
• Changes in business models
• Demands and complexity of rules, regulations and standards
• Expectations for competencies and accountabilities
• Use and reliance on evolving technology
• Expectations for preventing and detecting fraud

Page 18: Coso Internal Control Integrated Framework

Summary of Updates: Codification of 17 principles embedded in original Framework

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Establishes accountability

Risk Assessment
6. Specifies relevant objectives
7. Identifies and assesses risk
8. Identifies and assesses significant change
9. Assesses fraud risk

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Generates relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and separate evaluations
17. Evaluates and communicates deficiencies

Page 19: Coso Internal Control Integrated Framework

Impact of Updates to Technology

Page 20: Coso Internal Control Integrated Framework

Impact of Updates to Technology

• Concepts related to technology were retained
  – Application controls v. General Controls
  – Language updated to reflect more current terms
• Original Framework addressed technology as a key component of control activities and the information system
• Today, technology is embedded in virtually every enterprise
  – Supports new business models and delivers business value
  – Enables business processes
  – Drives efficiency in controls
  – Generates expanded information
  – Enhances speed and breadth of communication
• Updated Framework considers technology across all internal control components

Page 21: Coso Internal Control Integrated Framework

Impact of Updates to Technology

• Technology does not change the internal control landscape, but may affect how a company implements internal control
• As an enabler, technology
  – Creates new opportunities
  – Presents new risks
  – Promotes efficiency and effectiveness
  – Simplifies previously challenging activities
  – Adds complexity
  – Increases rate of change
• Updated Framework considers the continuous evolution of technology, but does not attempt to address various types
• Anticipates that technology will exist, but recognizes that it will be adopted differently from entity to entity

Page 22: Coso Internal Control Integrated Framework

Impact of Updates to Technology

• Control Environment
  – Improve access to senior management and vice versa
• Risk Assessment
  – Facilitate risk assessment process through improved data and analytics
  – Create new risks
• Control Activities
  – Provide new responses to risks
  – Increase efficiency of risk responses
• Information & Communication
  – Increases available information
  – Expands communication channels
• Monitoring Activities
  – Considers new methods to monitor

Page 23: Coso Internal Control Integrated Framework

Examples of Technology & Updates

• Increased importance of technology skills in assessing competence (par 161)
• Identification of risks related to technological developments that may impact achievement of objectives (par 228 and 274)
• Technology impact on risk of business continuity (par 248)
• Entity-level considerations of the impact of systems (par 282)
• Technology can both support business processes and also act as control activities (par 295)
  – The extent of IT dependence on processes may indicate a greater reliance on IT for controls
  – Management has the option to choose between manual, automated or a combination of both in selecting and developing control activities

Page 24: Coso Internal Control Integrated Framework

Examples of Technology & Updates

• Technology is not prominently discussed in the area of segregation of duties (par 303-305)
  – Management has several alternative control activities to select from in addressing risks associated with incompatible duties
  – Assessing risks associated with access to technology is an important precedent to selecting control activities
• Impact of technology on volume and complexity of data and information raises awareness of:
  – High volume of data available through electronic means increases complexity of systems needed to process data
  – Benefits of increased information may be offset by the operational or compliance risks
  – Increased importance of security, protection and retention of data
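The segregation-of-duties point above (incompatible duties, and access to technology as a precedent to selecting control activities) is the one place in this deck where a control can usefully be shown as code. The following is an added example written for this transcript; it is not COSO's or ISACA's code and the exposure draft prescribes no such tool. The duty names, the role-to-duty mapping, the sample users and the compensating control are all constructed assumptions. It checks each user's effective duties, not role names, against an incompatible-duty matrix, and lets a documented compensating control (the "alternative control activity" the slide mentions) mark a conflict as mitigated without hiding it.

```python
"""Segregation-of-duties (SoD) conflict check over IAM role assignments.

Added example for this transcript; it is not part of the COSO framework,
the exposure draft or the ISACA webinar. The duty names, role-to-duty
mapping, users and compensating controls below are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed SoD matrix: pairs of duties one person should not hold together.
# Kept as a list (not a set) so findings come out in a stable order.
INCOMPATIBLE_DUTIES = [
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"user_provision", "access_review"}),
]

# Constructed role -> duties mapping, as an IAM or ERP system would grant it.
ROLE_DUTIES = {
    "ap_clerk": {"vendor_create", "invoice_enter"},
    "ap_manager": {"payment_approve", "invoice_enter"},
    "gl_accountant": {"journal_post"},
    "controller": {"journal_approve", "access_review"},
    "it_admin": {"user_provision"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    duties: tuple                  # the two incompatible duties, sorted
    roles: tuple                   # roles that together grant them, sorted
    compensating_control: str = ""  # empty when no mitigating control is documented


def effective_duties(roles):
    """Map each duty a user can perform to the set of roles that grant it."""
    duties = {}
    for role in roles:
        for duty in ROLE_DUTIES.get(role, ()):
            duties.setdefault(duty, set()).add(role)
    return duties


def find_sod_conflicts(user_roles, compensating=None):
    """Return a Finding for every user holding both halves of an incompatible pair.

    Conflicts are evaluated on duties, not role names, so a conflict created by
    combining two individually clean roles is still caught. `compensating` maps
    (user, duty-pair) to a documented detective control (e.g. an independent
    review); such findings are still reported, but marked as mitigated.
    """
    compensating = compensating or {}
    findings = []
    for user in sorted(user_roles):
        duties = effective_duties(user_roles[user])
        for pair in INCOMPATIBLE_DUTIES:
            if not pair.issubset(duties):
                continue
            a, b = sorted(pair)
            granting_roles = tuple(sorted(duties[a] | duties[b]))
            findings.append(Finding(user, (a, b), granting_roles,
                                    compensating.get((user, pair), "")))
    return findings


def unmitigated_users(user_roles, compensating=None):
    """Users with at least one conflict that has no documented compensating control."""
    return sorted({f.user for f in find_sod_conflicts(user_roles, compensating)
                   if not f.compensating_control})


# Constructed sample input: four users and one documented compensating control.
SAMPLE_USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},       # can create a vendor and approve its payment
    "bob":   {"gl_accountant"},                # no conflict
    "carol": {"gl_accountant", "controller"},  # posts and approves journals
    "dave":  {"it_admin", "controller"},       # provisions access and reviews it
}
SAMPLE_COMPENSATING = {
    ("dave", frozenset({"user_provision", "access_review"})):
        "quarterly access recertification performed by internal audit",
}

if __name__ == "__main__":
    for f in find_sod_conflicts(SAMPLE_USER_ROLES, SAMPLE_COMPENSATING):
        status = ("mitigated: " + f.compensating_control) if f.compensating_control else "UNMITIGATED"
        print(f"{f.user}: {f.duties[0]} + {f.duties[1]} via {', '.join(f.roles)} [{status}]")
```

Evaluating on duties rather than role names is the design choice that matters: alice's two roles are each acceptable on their own, and only their combination creates the conflict. Dave's finding shows the alternative the slide refers to, where management keeps the access but documents a detective control; the finding is still reported so the residual risk stays visible to whoever assesses it.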

Page 25: Coso Internal Control Integrated Framework

Open Discussion

Page 26: Coso Internal Control Integrated Framework

Open Discussion

Text in questions using the Ask A Question button

Page 27: Coso Internal Control Integrated Framework

Call to Action – Next Steps

Page 28: Coso Internal Control Integrated Framework

Call to Action – Next Steps:

• Review and Provide Comments: Internal Control - Integrated Framework, http://www.ic.coso.org
• Deadline: 31 March 2012
• Draft of Internal Control over External Financial Reporting (ICEFR)
• Embrace and Utilize COSO Internal Control - Integrated Framework in Your Enterprise
• COBIT 5 - Coming 2nd Q 2012

Page 29: Coso Internal Control Integrated Framework

Register Now!

Upcoming ISACA Training:
• 4-day courses include:
  – COBIT
  – Fundamentals of IT Audit and Assurance
  – IT Audit and Assurance Practices
• 27 – 30 March in Atlanta, Georgia
• www.isaca.org/training

Page 30: Coso Internal Control Integrated Framework

Thank You!