coso training - new york state
TRANSCRIPT
-
8/9/2019 Coso Training - New York State
1/35
COSO 2013Whats New, Whats Changed,Why Does it Matter and Other
Frequently Asked Questions
-
8/9/2019 Coso Training - New York State
2/35
-
8/9/2019 Coso Training - New York State
3/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
3
Today We Will Cover
Background on COSO
Important Changes
Deficiency Evaluation
Transitioning to the New Framework
Why Change?
-
8/9/2019 Coso Training - New York State
4/35
Why Change?
-
8/9/2019 Coso Training - New York State
5/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
5
Background and History of COSO
Committee Of Sponsoring Organizations of the Treadway Commission
Formed in 1985 in response to corrupt andunethical business practices in the 1970sand 80s
Voluntary private sector organization
COSO Internal Control IntegratedFramework was developed in 1992
COSO Cub e (1992 Edi t ion )
MONITORING
INFORMATION AND
COMMUNICATION
CONTROL ACTIVITIES
RISK ASSESSMENT
CONTROL ENVIRONMENT
O P E R
A T I O
N S
F I N A N
C I A L
R E P O
R T I N
G
C O M P
L I A N C
E
UNIT A
UNIT B
ACTIVITY 1
ACTIVITY 2
ACTIVITY 3
Used by the majority of companies toevaluate their internal control environment,particularly as it relates to internal controlsover financial reporting
-
8/9/2019 Coso Training - New York State
6/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
6
What is COSO and Why is it a Suitable Model?
Management is required to base itsassessment of the effectiveness of thecompany's internal control overfinancial reporting on a suitable,r ecogn ized con t ro l f r ameworkestablished by a bod y o f exper t s tha tfo l lowed due-p rocess p rocedures ,inc lud ing the b road d i s t r ibu t ion ofthe framework for public comment.
Source: PCAOB AS2
-
8/9/2019 Coso Training - New York State
7/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
7
Why Change?
Envi ronment c hanges have driven Framework updates
COSO Cu be (2013 Edi t ion)*
Expectations for governance oversight
Globalization of markets and operations
Increased complexity of business andorganizational structures
Demands and complexity in laws, rules, regulationsand standards
Expectations for competencies and accountabilities
Use of, and reliance on, evolving technologies
Expectations relating to preventing and detectingfraud
Large-scale governance and internal controlbreakdowns
Risk and risk-based approaches receive greaterattention
Source: Chapter 2 of COSO Internal Control: IntegratedFramework (2013) .
*
-
8/9/2019 Coso Training - New York State
8/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
8
What Hasnt Changed
Internal control is a process effected by the entitys board of directors, management andother personnel designed to provide reasonable assurance regarding the achievement ofobjectives relating to:
Operations Reporting Compliance
Core definition of internal control
Objectives represent the columns
Components represent the rows
Objectives may be set at the entity, division,operating unit or functional levels
The cube retains its familiarity:
-
8/9/2019 Coso Training - New York State
9/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
9
What Hasnt Changed
The criteria used to assess the effectiveness of aninternal control system remain largely unchanged.
Assessed, using a principles-based approach, relative to thefive components of internal control
To have an effective system of internal control relating to
one, two or more categories of objectives, all fivecomponents must be:
Present and functioning , and
Operating together
The significant role of judgment in designing,
implementing and conducting internal control, and inassessing its effectiveness.
Principles are provided for each component andmanagement exercises judgment in determining the extentto which these principles are present and functioning
-
8/9/2019 Coso Training - New York State
10/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
10
Whats Changed
Codifies 17 principles supporting thefive components of internal control1
Clarifies role of objective-settling asa precursor to internal control
2
Reflects increased relevance oftechnology
3
Incorporates an enhanced
discussion of governance concepts4
Expands the reporting category ofobjectives to include non-financialand internal
5
Enhances consideration of anti-
fraud expectations in its ownprinciple
6
Increases the focus on non-financialreporting objectives to broaden use
7
Additional approaches andexamples for operations,compliance and non-financialreporting objectives
8
-
8/9/2019 Coso Training - New York State
11/35
Important Changes
-
8/9/2019 Coso Training - New York State
12/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
12
The Most Important Change: 17 Principles RepresentingFundamental Concepts Associated with Each Component
Demonstrates commitment to integrity and ethical values 4 Exercises oversight responsibility 4 Establishes structure, authority and responsibility 3 Demonstrates commitment to competence 4 Enforces accountability 5
CONTROLENVIRONMENT
Conducts ongoing and/or separate evaluations 7 Evaluates and communicates deficiencies 3
MONITORINGACTIVITIES
Uses relevant information 5 Communicates internally 4 Communicates externally 5
INFORMATION &COMMUNICATION
Selects and develops control activities 6 Selects and develops general controls over technology 4 Deploys through policies and procedures 6
CONTROL A CTIVITIES
Specifies relevant objectives 5 Identifies and analyzes risk 5 Assesses fraud risk 4 Identifies and analyzes significant change 3
RISK A SSESSMENT
No of POF Questions
-
8/9/2019 Coso Training - New York State
13/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
13
Points of Focus Represent Important Characteristics AssociatedWith the Principles
Principles can be present and functioning without all points of focus. Points of focus representhelpful guidance and do not require separate evaluations. Management must use judgment onthe relevance of the points of focus. They are not meant to imply a checklist. An example ofthese for the Control Environment, Commitment to Integrity and Ethical Values is below.
Sets the Tone at the TopThe board of directors and management at alllevels of the entity demonstrate through their
directives, actions and behaviors theimportance of integrity and ethical values to
support the functioning of the system ofinternal control
Evaluates Adherence toStandards of Conduct
Processes are in place to evaluate theperformance of individuals and teams against
the entitys expected standards of conduct
Establishes Standards of ConductThe expectations of the board of directors andsenior management concerning integrity and
ethical values are defined in the entitysstandards of conduct and understood at all
levels of the organization and by outsourcedservice providers and business partners
Addresses Deviationsin a Timely Manner
Deviations from the entitys expectedstandards of conduct are identified and
remedied in a timely and consistent manner
-
8/9/2019 Coso Training - New York State
14/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
14
Practical Application Points of Focus: Important CharacteristicsAn example of these for Risk Assessment - Specifies Relevant Objectives - is below.
Complies with ApplicableAccounting Standards
Financial reporting objectives are consistentwith accounting principles suitable andavailable for that entity. The accounting
principles selected are appropriate in thecircumstances
Reflects Entity Activities
External reporting reflects the underlyingtransactions and events to show qualitative
characteristics and assertions
Considers MaterialityManagement considers materiality in financial
statement presentation
-
8/9/2019 Coso Training - New York State
15/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
15
Practical Application Points of Focus: Important CharacteristicsAn example of these for Control Activities - Selects and Develops Control Activities - is below.
Integrates with Risk AssessmentControl activities help ensure that risk responses
that address and mitigate risks are carried out
Determines Relevant BusinessProcesses
Management determines which relevant businessprocesses require control activities
Considers Entity-Specific FactorsManagement considers how the environment,
complexity, nature, and scope of its operations, aswell as the specific characteristics of its
organization, affect the selection and developmentof control activities
Evaluates a Mix of Control Activity TypesControl activities include a range and variety of
controls and may include a balance of approachesto mitigate risks, considering both manual and
automated controls, and preventive and detectivecontrols
Considers at What Level Activities AreApplied
Management considers control activities at variouslevels in the entity
Addresses Segregation of DutiesManagement segregates incompatible duties, and
where such segregation is not practical, selects anddevelops alternative control activities
-
8/9/2019 Coso Training - New York State
16/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
16
Practical Application Points of Focus: Important CharacteristicsAn example of these for Information and Communication - Uses Relevant Information - is below.
Identifies Information Requirements
A process is in place to identify the informationrequired and expected to support the functioning of
the other components of internal control and theachievement of entitys objectives
Processes Relevant Data into Information
Information systems process and transform relevantdata into information
Captures Internal and External Sources of Data
Information systems capture internal and externalsources of data
Maintains Quality throughout ProcessingInformation systems produce information that istimely, current, accurate, complete, accessible,
protected, and verifiable and retained. Information isreviewed to assess its relevance in supporting the
internal control components
Considers Costs and Benefits
Management considers control activities at variouslevels in the entity
-
8/9/2019 Coso Training - New York State
17/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
17
Practical Application Points of Focus: Important CharacteristicsAn example of these for Monitoring Activities - Conducts Ongoing and/or Separate Evaluations - isbelow.
Considers a Mix of Ongoing and SeparateEvaluations
Management includes a balance of ongoing andseparate evaluations
Establishes Baseline UnderstandingThe design and current state of an internal control
system are used to establish a baseline for ongoingand separate evaluations
Considers Rate of ChangeManagement considers the rate of change in
business and business processes when selectingand developing ongoing and separate evaluations
Uses Knowledgeable PersonnelEvaluators who perform ongoing and separate
evaluations have sufficient knowledge to understandwhat is being evaluated
Integrates with Business Processes
Ongoing evaluations are built into the businessprocesses and adjust to changing conditions
Adjusts Scope and Frequency
Management varies the scope and frequency ofseparate evaluations depending on risk
Objectively Evaluates
Separate evaluations are performed periodically toprovide objective feedback
-
8/9/2019 Coso Training - New York State
18/35
Deficiency Evaluation
-
8/9/2019 Coso Training - New York State
19/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
19
Present and FunctioningTo determine that a principle and component are present and functioning , theorganization must:
Understand the intent of the principle and how it is beingapplied
Work to help personnel understand and apply the principleconsistently across the entity
View weaknesses in absence of a principle as a matterrequiring managements attention
Present refers to the determination that components and relevant principles exist inthe design and implementation of the system of internal control to achieve specifiedobjectives (Design and Implementation Effectiveness)
Functioning refers to the determination that components and relevant principlescontinue to exist in the conduct of the system of internal control to achieve specifiedobjectives (Operating Effectiveness)
Determine to what extent relevant principles underlying the component are presentand functioning
-
8/9/2019 Coso Training - New York State
20/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
20
Assessing Whether Components Operate Together
Focus of evaluation is on how each of the five
components is being applied as an integral part ofthe overall system of internal control, not justfunctioning on its own
Components are interdependent with a multitudeof interrelationships and linkages, particularly interms of how principles interact within and acrosscomponents
From a practical standpoint, management candemonstrate that components operate togetherwhen they are present and functioning AND internalcontrol deficiencies aggregated across componentsdo not result in the determination that one or moremajor deficiencies exist
Therefore, aggregate internal control deficienciesacross components to assess whether majordeficiencies exist
-
8/9/2019 Coso Training - New York State
21/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
21
Assessment of Internal Control Deficiencies
A deficiency is a short -coming in a component or components andrelevant principle(s) that reduces the likelihood that the entity canachieve its objectives. Not every deficiency will result in a conclusionthat the entity does not have an effective system of internal control.
Major deficiency = an internal control deficiency or
combination of deficiencies that severely reduces thelikelihood that the entity can achieve its objectives
Management may be required to consider additionalcriteria established by external parties (e.g., regulators,
standard-setting bodies, listing agencies, etc.)
Alternative or compensating controls may further supporta conclusion that a principle is present and functioning
-
8/9/2019 Coso Training - New York State
22/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
22
Limitations on Internal Control
No such thing as absolute assurance The framework comments on limitations of internal control, which
results from: The quality and suitability of objectives established as a
precondition to internal control
The potential for flawed human judgment in decision-making Managements consideration of the relative costs and benefits in
responding to risk and establishing controls The potential for breakdowns that can occur because of human
failures (such as simple errors or mistakes) The possibility that controls can be circumvented by collusion of
two or more people The ability of management to override internal control functions and
decisions
-
8/9/2019 Coso Training - New York State
23/35
Transitioning to theNew Framework
-
8/9/2019 Coso Training - New York State
24/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
24
Illustrative High Level Project Plan Gap Analysis Example
Inventory existing key controls and evaluate to see if all principles are present and functioning.Determine appropriate points of focus to evaluate against.
-
8/9/2019 Coso Training - New York State
25/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
25
Get External Auditor Involvement Upfront
Meet with external auditor to discussexpectations
Get their views on approach and issues Determine their expectations on changes in
documentation Understand the key changes they see
related to the companys previous approach Align approach where appropriate to drive
efficiencies and support reliance upon yourwork
Identify areas that could be more difficultand require attention to address specificchallenges
Orientation Planning Assessment Remediation
-
8/9/2019 Coso Training - New York State
26/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
26
Determine the mapping approach using the 17 principles Identify the relevant points of focus for each principle
Create 17 principles documentation inventory Create document that lays out the 17 principles under each principle
summarize at a high level what the company has that demonstrates thisprinciple is present and functioning
Come to an initial conclusiono we have it nailedo we are in pretty good shape with some refinements neededo we have some controls that are relevant but have work to do to complete,
oro we must start from scratch
Use this perspective to plan the detailed mapping exercise
Preliminary Mapping Exercise for 17 Principles
Orientation Planning Assessment Remediation
-
8/9/2019 Coso Training - New York State
27/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
27
Mapping Controls to the 17 Principles - Sample Scenarios
COSO
ComponentControl Environment
Principle 1. The organization demonstrates a commitment to integrity and ethicalvalues
Point of Focus 2. Establishes Standards of Conduct
ControlObjective
A code of conduct and other policies exist regarding acceptable businesspractice, conflicts of interest, or expected standards of ethical and moralbehavior and are effectively implemented within the organization.
ControlExamples
The company has an employee handbook which contains the company'spolicies and change order procedures regarding:
The policy includes guidelines for handling high risk matters and high riskgeographies. It encourages personnel raise issues or questions relatedto the application of defined standards. It outlines explicit consequencesfor deviations.
1. Internet 2. Discrimination 3. Harassment4. Health and Safety 5. Whistleblower 6. Code of Conduct
and Business Ethics
-
8/9/2019 Coso Training - New York State
28/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
28
Mapping Controls to the 17 Principles - Sample Scenarios
COSO
ComponentControl Environment
Principle 1,POF 2
The organization demonstrates a commitment to integrity and ethicalvalues - Establishes Standards of Conduct (Code of Conduct contd)
Control
Examples(contd)
The employee handbook is provided to all employees, when they arehired or when new versions come out. All employees must sign anacknowledgement that he/she has read the employee handbook. Thesigned acknowledgement of employees understanding of, andcompliance with the employee handbook is retained and filed in theemployee's HR file.
In the event of updates to the employee handbook, all employees areprovided with an updated hardcopy or electronic copy (i.e., email orcompany's intranet). Additionally, each employee is required to read theupdated policy, and to sign an acknowledgement. HR tracks theemployees' acknowledgments and sends them a reminder.
A supplier code of conduct is incorporated into supplier contracts.
Ethics training is provided annually to staff in the finance function.
-
8/9/2019 Coso Training - New York State
29/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
29
Mapping Controls to the 17 Principles - Sample Scenarios
COSO
ComponentControl Environment
Principle1. The organization demonstrates a commitment to integrity and ethical
values
Point of Focus 2. Establishes Standards of Conduct
ControlObjective
An Insider Trading Policy is in place that details the Company's policyregarding trading in company shares are defined and the "coveredperson" and the other eligibility requirements.
ControlExamples
An Insider Trading Policy Statement details the Company's policyregarding trading in company shares. "Covered Persons" are required tocomply with the policy. At the time an employee is determined to be acovered person, they are provided a copy of the policy and must sign,acknowledging they understand the policy. Signed acknowledgementsare retained by the company as evidence.
-
8/9/2019 Coso Training - New York State
30/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
30
Assessment Phase
Map controls to principles and come to a preliminary conclusion regarding whether1. the design of the documented controls is effective and
2. if the controls are determined to be operating effectively, would they allowmanagement to conclude that the Principle is present and functioning Diagnose gaps in documentation Determine controls that must be re-configured, changed, added/deleted for
2014, if any, to support a positive assertion in the internal control report Based on the above, finalize the action plan for 2014 to
improve the control structure test the operating effectiveness of controls arrange for the necessary resources
Meet with the external audit firm and present results of work, identified areasfor revision, remaining action plan, etc.
Orientation Planning Assessment Remediation
-
8/9/2019 Coso Training - New York State
31/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
31
Assessment Phase Opportunity to Assess Existing Controls
Assessment provides an opportunity toevaluate effective compliance withCOSO. Take the time to re-assessyour controls against the base COSOelements you have had in place forseveral years.
Document controls that exist but werenot previously documented and testedfor SOX.
Orientation Planning Assessment Remediation
-
8/9/2019 Coso Training - New York State
32/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
32
Assessment Phase Points of Focus
Points of focus help drive the 17principles to a more granular, actionable
level While not required, they should be used
as a guideline to assess conformanceto the principles
Orientation Planning Assessment Remediation
-
8/9/2019 Coso Training - New York State
33/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
33
Remediation
Execute remaining steps in the actionplan and monitor progress to
completion
Orientation Planning Assessment Remediation
-
8/9/2019 Coso Training - New York State
34/35
2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
34
Questions
-
8/9/2019 Coso Training - New York State
35/35
2014 Protiviti Inc35