coso training - new york state

8/9/2019 Coso Training - New York State

1/35

COSO 2013Whats New, Whats Changed,Why Does it Matter and Other

Frequently Asked Questions


2/35


3/35

2014 Protiviti Inc.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

3

Today We Will Cover

Background on COSO

Important Changes

Deficiency Evaluation

Transitioning to the New Framework

Why Change?


4/35

Why Change?


5/35


5

Background and History of COSO

Committee Of Sponsoring Organizations of the Treadway Commission

Formed in 1985 in response to corrupt andunethical business practices in the 1970sand 80s

Voluntary private sector organization

COSO Internal Control IntegratedFramework was developed in 1992

COSO Cub e (1992 Edi t ion )

MONITORING

INFORMATION AND

COMMUNICATION

CONTROL ACTIVITIES

RISK ASSESSMENT

CONTROL ENVIRONMENT

O P E R

A T I O

N S

F I N A N

C I A L

R E P O

R T I N

G

C O M P

L I A N C

E

UNIT A

UNIT B

ACTIVITY 1

ACTIVITY 2

ACTIVITY 3

Used by the majority of companies toevaluate their internal control environment,particularly as it relates to internal controlsover financial reporting


6/35


6

What is COSO and Why is it a Suitable Model?

Management is required to base itsassessment of the effectiveness of thecompany's internal control overfinancial reporting on a suitable,r ecogn ized con t ro l f r ameworkestablished by a bod y o f exper t s tha tfo l lowed due-p rocess p rocedures ,inc lud ing the b road d i s t r ibu t ion ofthe framework for public comment.

Source: PCAOB AS2


7/35


7

Why Change?

Envi ronment c hanges have driven Framework updates

COSO Cu be (2013 Edi t ion)*

Expectations for governance oversight

Globalization of markets and operations

Increased complexity of business andorganizational structures

Demands and complexity in laws, rules, regulationsand standards

Expectations for competencies and accountabilities

Use of, and reliance on, evolving technologies

Expectations relating to preventing and detectingfraud

Large-scale governance and internal controlbreakdowns

Risk and risk-based approaches receive greaterattention

Source: Chapter 2 of COSO Internal Control: IntegratedFramework (2013) .

*


8/35


8

What Hasnt Changed

Internal control is a process effected by the entitys board of directors, management andother personnel designed to provide reasonable assurance regarding the achievement ofobjectives relating to:

Operations Reporting Compliance

Core definition of internal control

Objectives represent the columns

Components represent the rows

Objectives may be set at the entity, division,operating unit or functional levels

The cube retains its familiarity:


9/35


9

What Hasnt Changed

The criteria used to assess the effectiveness of aninternal control system remain largely unchanged.

Assessed, using a principles-based approach, relative to thefive components of internal control

To have an effective system of internal control relating to

one, two or more categories of objectives, all fivecomponents must be:

Present and functioning , and

Operating together

The significant role of judgment in designing,

implementing and conducting internal control, and inassessing its effectiveness.

Principles are provided for each component andmanagement exercises judgment in determining the extentto which these principles are present and functioning


10/35


10

Whats Changed

Codifies 17 principles supporting thefive components of internal control1

Clarifies role of objective-settling asa precursor to internal control

2

Reflects increased relevance oftechnology

3

Incorporates an enhanced

discussion of governance concepts4

Expands the reporting category ofobjectives to include non-financialand internal

5

Enhances consideration of anti-

fraud expectations in its ownprinciple

6

Increases the focus on non-financialreporting objectives to broaden use

7

Additional approaches andexamples for operations,compliance and non-financialreporting objectives

8


11/35

Important Changes


12/35


12

The Most Important Change: 17 Principles RepresentingFundamental Concepts Associated with Each Component

Demonstrates commitment to integrity and ethical values 4 Exercises oversight responsibility 4 Establishes structure, authority and responsibility 3 Demonstrates commitment to competence 4 Enforces accountability 5

CONTROLENVIRONMENT

Conducts ongoing and/or separate evaluations 7 Evaluates and communicates deficiencies 3

MONITORINGACTIVITIES

Uses relevant information 5 Communicates internally 4 Communicates externally 5

INFORMATION &COMMUNICATION

Selects and develops control activities 6 Selects and develops general controls over technology 4 Deploys through policies and procedures 6

CONTROL A CTIVITIES

Specifies relevant objectives 5 Identifies and analyzes risk 5 Assesses fraud risk 4 Identifies and analyzes significant change 3

RISK A SSESSMENT

No of POF Questions


13/35


13

Points of Focus Represent Important Characteristics AssociatedWith the Principles

Principles can be present and functioning without all points of focus. Points of focus representhelpful guidance and do not require separate evaluations. Management must use judgment onthe relevance of the points of focus. They are not meant to imply a checklist. An example ofthese for the Control Environment, Commitment to Integrity and Ethical Values is below.

Sets the Tone at the TopThe board of directors and management at alllevels of the entity demonstrate through their

directives, actions and behaviors theimportance of integrity and ethical values to

support the functioning of the system ofinternal control

Evaluates Adherence toStandards of Conduct

Processes are in place to evaluate theperformance of individuals and teams against

the entitys expected standards of conduct

Establishes Standards of ConductThe expectations of the board of directors andsenior management concerning integrity and

ethical values are defined in the entitysstandards of conduct and understood at all

levels of the organization and by outsourcedservice providers and business partners

Addresses Deviationsin a Timely Manner

Deviations from the entitys expectedstandards of conduct are identified and

remedied in a timely and consistent manner


14/35


14

Practical Application Points of Focus: Important CharacteristicsAn example of these for Risk Assessment - Specifies Relevant Objectives - is below.

Complies with ApplicableAccounting Standards

Financial reporting objectives are consistentwith accounting principles suitable andavailable for that entity. The accounting

principles selected are appropriate in thecircumstances

Reflects Entity Activities

External reporting reflects the underlyingtransactions and events to show qualitative

characteristics and assertions

Considers MaterialityManagement considers materiality in financial

statement presentation


15/35


15

Practical Application Points of Focus: Important CharacteristicsAn example of these for Control Activities - Selects and Develops Control Activities - is below.

Integrates with Risk AssessmentControl activities help ensure that risk responses

that address and mitigate risks are carried out

Determines Relevant BusinessProcesses

Management determines which relevant businessprocesses require control activities

Considers Entity-Specific FactorsManagement considers how the environment,

complexity, nature, and scope of its operations, aswell as the specific characteristics of its

organization, affect the selection and developmentof control activities

Evaluates a Mix of Control Activity TypesControl activities include a range and variety of

controls and may include a balance of approachesto mitigate risks, considering both manual and

automated controls, and preventive and detectivecontrols

Considers at What Level Activities AreApplied

Management considers control activities at variouslevels in the entity

Addresses Segregation of DutiesManagement segregates incompatible duties, and

where such segregation is not practical, selects anddevelops alternative control activities


16/35


16

Practical Application Points of Focus: Important CharacteristicsAn example of these for Information and Communication - Uses Relevant Information - is below.

Identifies Information Requirements

A process is in place to identify the informationrequired and expected to support the functioning of

the other components of internal control and theachievement of entitys objectives

Processes Relevant Data into Information

Information systems process and transform relevantdata into information

Captures Internal and External Sources of Data

Information systems capture internal and externalsources of data

Maintains Quality throughout ProcessingInformation systems produce information that istimely, current, accurate, complete, accessible,

protected, and verifiable and retained. Information isreviewed to assess its relevance in supporting the

internal control components

Considers Costs and Benefits

Management considers control activities at variouslevels in the entity


17/35


17

Practical Application Points of Focus: Important CharacteristicsAn example of these for Monitoring Activities - Conducts Ongoing and/or Separate Evaluations - isbelow.

Considers a Mix of Ongoing and SeparateEvaluations

Management includes a balance of ongoing andseparate evaluations

Establishes Baseline UnderstandingThe design and current state of an internal control

system are used to establish a baseline for ongoingand separate evaluations

Considers Rate of ChangeManagement considers the rate of change in

business and business processes when selectingand developing ongoing and separate evaluations

Uses Knowledgeable PersonnelEvaluators who perform ongoing and separate

evaluations have sufficient knowledge to understandwhat is being evaluated

Integrates with Business Processes

Ongoing evaluations are built into the businessprocesses and adjust to changing conditions

Adjusts Scope and Frequency

Management varies the scope and frequency ofseparate evaluations depending on risk

Objectively Evaluates

Separate evaluations are performed periodically toprovide objective feedback


18/35

Deficiency Evaluation


19/35


19

Present and FunctioningTo determine that a principle and component are present and functioning , theorganization must:

Understand the intent of the principle and how it is beingapplied

Work to help personnel understand and apply the principleconsistently across the entity

View weaknesses in absence of a principle as a matterrequiring managements attention

Present refers to the determination that components and relevant principles exist inthe design and implementation of the system of internal control to achieve specifiedobjectives (Design and Implementation Effectiveness)

Functioning refers to the determination that components and relevant principlescontinue to exist in the conduct of the system of internal control to achieve specifiedobjectives (Operating Effectiveness)

Determine to what extent relevant principles underlying the component are presentand functioning


20/35


20

Assessing Whether Components Operate Together

Focus of evaluation is on how each of the five

components is being applied as an integral part ofthe overall system of internal control, not justfunctioning on its own

Components are interdependent with a multitudeof interrelationships and linkages, particularly interms of how principles interact within and acrosscomponents

From a practical standpoint, management candemonstrate that components operate togetherwhen they are present and functioning AND internalcontrol deficiencies aggregated across componentsdo not result in the determination that one or moremajor deficiencies exist

Therefore, aggregate internal control deficienciesacross components to assess whether majordeficiencies exist


21/35


21

Assessment of Internal Control Deficiencies

A deficiency is a short -coming in a component or components andrelevant principle(s) that reduces the likelihood that the entity canachieve its objectives. Not every deficiency will result in a conclusionthat the entity does not have an effective system of internal control.

Major deficiency = an internal control deficiency or

combination of deficiencies that severely reduces thelikelihood that the entity can achieve its objectives

Management may be required to consider additionalcriteria established by external parties (e.g., regulators,

standard-setting bodies, listing agencies, etc.)

Alternative or compensating controls may further supporta conclusion that a principle is present and functioning


22/35


22

Limitations on Internal Control

No such thing as absolute assurance The framework comments on limitations of internal control, which

results from: The quality and suitability of objectives established as a

precondition to internal control

The potential for flawed human judgment in decision-making Managements consideration of the relative costs and benefits in

responding to risk and establishing controls The potential for breakdowns that can occur because of human

failures (such as simple errors or mistakes) The possibility that controls can be circumvented by collusion of

two or more people The ability of management to override internal control functions and

decisions


23/35

Transitioning to theNew Framework


24/35


24

Illustrative High Level Project Plan Gap Analysis Example

Inventory existing key controls and evaluate to see if all principles are present and functioning.Determine appropriate points of focus to evaluate against.


25/35


25

Get External Auditor Involvement Upfront

Meet with external auditor to discussexpectations

Get their views on approach and issues Determine their expectations on changes in

documentation Understand the key changes they see

related to the companys previous approach Align approach where appropriate to drive

efficiencies and support reliance upon yourwork

Identify areas that could be more difficultand require attention to address specificchallenges

Orientation Planning Assessment Remediation


26/35


26

Determine the mapping approach using the 17 principles Identify the relevant points of focus for each principle

Create 17 principles documentation inventory Create document that lays out the 17 principles under each principle

summarize at a high level what the company has that demonstrates thisprinciple is present and functioning

Come to an initial conclusiono we have it nailedo we are in pretty good shape with some refinements neededo we have some controls that are relevant but have work to do to complete,

oro we must start from scratch

Use this perspective to plan the detailed mapping exercise

Preliminary Mapping Exercise for 17 Principles



27/35


27

Mapping Controls to the 17 Principles - Sample Scenarios

COSO

ComponentControl Environment

Principle 1. The organization demonstrates a commitment to integrity and ethicalvalues

Point of Focus 2. Establishes Standards of Conduct

ControlObjective

A code of conduct and other policies exist regarding acceptable businesspractice, conflicts of interest, or expected standards of ethical and moralbehavior and are effectively implemented within the organization.

ControlExamples

The company has an employee handbook which contains the company'spolicies and change order procedures regarding:

The policy includes guidelines for handling high risk matters and high riskgeographies. It encourages personnel raise issues or questions relatedto the application of defined standards. It outlines explicit consequencesfor deviations.

1. Internet 2. Discrimination 3. Harassment4. Health and Safety 5. Whistleblower 6. Code of Conduct

and Business Ethics


28/35


28


COSO


Principle 1,POF 2

The organization demonstrates a commitment to integrity and ethicalvalues - Establishes Standards of Conduct (Code of Conduct contd)

Control

Examples(contd)

The employee handbook is provided to all employees, when they arehired or when new versions come out. All employees must sign anacknowledgement that he/she has read the employee handbook. Thesigned acknowledgement of employees understanding of, andcompliance with the employee handbook is retained and filed in theemployee's HR file.

In the event of updates to the employee handbook, all employees areprovided with an updated hardcopy or electronic copy (i.e., email orcompany's intranet). Additionally, each employee is required to read theupdated policy, and to sign an acknowledgement. HR tracks theemployees' acknowledgments and sends them a reminder.

A supplier code of conduct is incorporated into supplier contracts.

Ethics training is provided annually to staff in the finance function.


29/35


29


COSO


Principle1. The organization demonstrates a commitment to integrity and ethical

values

Point of Focus 2. Establishes Standards of Conduct

ControlObjective

An Insider Trading Policy is in place that details the Company's policyregarding trading in company shares are defined and the "coveredperson" and the other eligibility requirements.

ControlExamples

An Insider Trading Policy Statement details the Company's policyregarding trading in company shares. "Covered Persons" are required tocomply with the policy. At the time an employee is determined to be acovered person, they are provided a copy of the policy and must sign,acknowledging they understand the policy. Signed acknowledgementsare retained by the company as evidence.


30/35


30

Assessment Phase

Map controls to principles and come to a preliminary conclusion regarding whether1. the design of the documented controls is effective and

2. if the controls are determined to be operating effectively, would they allowmanagement to conclude that the Principle is present and functioning Diagnose gaps in documentation Determine controls that must be re-configured, changed, added/deleted for

2014, if any, to support a positive assertion in the internal control report Based on the above, finalize the action plan for 2014 to

improve the control structure test the operating effectiveness of controls arrange for the necessary resources

Meet with the external audit firm and present results of work, identified areasfor revision, remaining action plan, etc.



31/35


31

Assessment Phase Opportunity to Assess Existing Controls

Assessment provides an opportunity toevaluate effective compliance withCOSO. Take the time to re-assessyour controls against the base COSOelements you have had in place forseveral years.

Document controls that exist but werenot previously documented and testedfor SOX.



32/35


32

Assessment Phase Points of Focus

Points of focus help drive the 17principles to a more granular, actionable

level While not required, they should be used

as a guideline to assess conformanceto the principles



33/35


33

Remediation

Execute remaining steps in the actionplan and monitor progress to

completion



34/35


34

Questions


35/35

2014 Protiviti Inc35

coso training - new york state

Documents