Phoenix Chapter Annual Conference May 17, 2019

Much More than Just Internal Control…

Robert Hirth, COSO Chair Emeritus


Three Excellent Resources…


What the Heck is COSO?...


About COSO…

More than 600,000 professionals

Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence.


Mission

COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”

COSO’s Fundamental Principle

• EFFECTIVE risk management and internal control are necessary for long term success of all organizations


And Thus…

The National Commission on Fraudulent Financial Reporting, a private-sector initiative, was formed in 1985 with James C. Treadway, Jr., former SEC Commissioner and General Counsel of Paine Webber, as its Chairman, and became known as the “Treadway Commission”. It was formed to inspect, analyze, and make recommendations on fraudulent corporate financial reporting.

Source: sechistorical.org


The Internal Control Recommendation

“All public companies should maintain internal controls that provide reasonable assurance that fraudulent financial reporting will be prevented or subject to early detection - this is a broader concept than internal accounting controls…

…The Commission also recommends that its sponsoring organizations cooperate on developing additional, integrated guidance on internal controls…”

- Treadway Commission report


“…while effective internal control requires leadership from the top, the responsibility for effective implementation of internal control resides with everyone in the organization, not just the finance function. This includes accountants, compliance officers and those involved in making contracts and supporting operations as well as those working on the production line to ensure that products produced meet quality objectives.

…the individuals that are responsible for achieving the objectives are also responsible for the quality of internal controls.”

Larry Rittenberg, Chair Emeritus, COSO


A Broad Perspective…

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Source: COSO 2013 Internal Control – Integrated Framework


20 Years in the Making…

© Allstate Insurance Company



Why Make Changes?

In the twenty years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global.

At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization.

Source: COSO, September 2012


Project deliverable #1 – Internal Control-Integrated Framework (2013 Edition)

• Consists of three volumes:

▫ Executive Summary

▫ Framework and Appendices

▫ Illustrative Tools for Assessing Effectiveness of a System of Internal Control

• Sets out:

▫ Definition of internal control

▫ Categories of objectives

▫ Components and principles of internal control

▫ Requirements for effectiveness


Project deliverable #2 – Internal Control over External Financial Reporting: A Compendium....

• Illustrates approaches and examples of how principles are applied in preparing financial statements

• Considers changes in business and operating environments during past two decades

• Provides examples from a variety of entities – public, private, not-for-profit, and government

• Aligns with the updated Framework


ICFR, SOX Section 404

The final rules require a company's annual report to include an internal control report of management that contains:

• A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;

• A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting;

• Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective.


ICFR, SOX Section 404

• The assessment must include disclosure of any "material weaknesses" in the company's internal control over financial reporting identified by management. Management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in the company's internal control over financial reporting; and

• A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the registrant's internal control over financial reporting.


Using a Suitable Framework…

• Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment. In addition to being available to users of management's reports, a framework is suitable only when it:

• Is free from bias;

• Permits reasonably consistent qualitative and quantitative measurements of a company's internal control over financial reporting;

• Is sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal control over financial reporting are not omitted; and

• Is relevant to an evaluation of internal control over financial reporting.


Why is COSO a Suitable Model?

“Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment. The COSO Framework satisfies our criteria…”

Source: SEC


A Specific-Purpose Perspective



Control Environment

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information

14. Communicates internally

15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies

COSO is Happy!


COSO and Fraud…


The Fraud Risk Management Guide is an update to a 2007 report sponsored by the American Institute of CPAs (AICPA), The Institute of Internal Auditors (IIA), and ACFE, Managing the Business Risk of Fraud: A Practical Guide. Updates reflect recent developments in the area of risk management, including important information related to new technology, specifically data analytics.

The Fraud Risk Management Guide includes examples of key program components and resources that organizations can use to develop a fraud risk-management program effectively and efficiently. In addition, the guide contains references to other sources of guidance for tailoring a fraud risk-management program to a specific industry.


COSO ICF Principle #8


Risk Assessment

Update articulates principles of effective internal control (continued)

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.


Principle #8- Points of Focus

• Considers Various Types of Fraud

• Assesses Incentives and Pressures

• Assesses Opportunities

• Assesses Attitudes and Rationalizations


Types of Fraud

• Fraudulent financial reporting

• Fraudulent non-financial reporting

• Misappropriation of assets

• Illegal acts

• Uses technology or does not

• Inside or outside the organization

• Corruption


Sources of Fraud

• Management bias

• Degree of estimates and judgments

• Fraud schemes and scenarios common to industries and markets

• Geographic regions

• Incentives that motivate fraudulent behavior

• Nature of technology and ability to manipulate information

• Unusual or complex transactions

• Vulnerability to override and ability to circumvent existing controls


5 KEY POINTS

• Establishes and Communicates Fraud Risk Management Program

• Performs Comprehensive Fraud Risk Assessment

• Selects, Develops and Deploys Preventative and Detective Fraud Controls

• Establishes a Communication Process about Potential Fraud

• Selects, Develops and Performs Ongoing evaluations


Control Hierarchy…

• Preventative better than detective

• Automated better than manual

• Must be operating as intended and effective

• Must be performed by competent personnel

• Should be tested periodically


Controls That May Help Reduce or Deter Fraud…

Approvals and approval levels

Access

Limits

Reviews, matching

Segregation of duties, rotations

Reconciliations

Metric reporting

Vacations


Other Control Characteristics

Frequency

Precision

Degree of difficulty to apply

Competencies required


Best Fraud Defenses

• People

• Culture

• Technology

• Whistleblowers and Hotlines

• Controls

• Vigilance

• Audits


The Three Lines of Defense model advocates for clearly defining responsibilities for three aspects of risk: risk ownership, risk monitoring, and risk assurance. Respectively, functions that own and manage risks are the first line. Various risk control and compliance functions that monitor risks are the second line. Internal audit, which provides independent assurance on the effectiveness of control and compliance functions, is the third line.

The new white paper breaks down each of the three lines and assigns the corresponding framework principles. For example, the first line of defense — primarily front-line and mid-line managers who have day-to-day ownership and management of risks and controls — is assigned the 12 COSO principles listed under risk assessment, control activities, information and communications, and monitoring.


Enterprise Risk Management: Integrating with Strategy and Performance


A New Title…

• Retitled as Enterprise Risk Management—Integrating with Strategy and Performance

• Recognizes the importance of strategy and entity performance

• Further delineates enterprise risk management from internal control


Builds Links to Internal Control

• The document does not replace the Internal Control – Integrated Framework

• The two frameworks are distinct and complementary

• Both use a components and principles structure

• Aspects of internal control common to enterprise risk management are not repeated

• Some aspects of internal control are developed further in this framework


A Key Introduction…

• Our understanding of the nature of risk, the art and science of choice, lies at the core of our modern market economy.

• Every choice we make in the pursuit of objectives has its risks. From day-to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with uncertainty in these choices is a part of our organizational lives.


Definitions

Risk: The possibility that events will occur and affect the achievement of strategy and business objectives (or will not occur)

Enterprise Risk Management: The culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value


1) Provides a New Document Structure

• Framework focused on fewer components (five)

• Uses focused call-out examples to emphasize key points (> 30)

• Follows the business model versus an isolated risk management process


2) Introduces Principles

20 key principles, distributed across the five components


3) Incorporates New Graphics/Concepts

Graphic has stronger ties to the business model


Links to Strategy

• Explores strategy from three different perspectives:

– The possibility of strategy and business objectives not aligning with mission, vision and values

– The implications from the strategy chosen

– Risk to executing the strategy


Integrated, Not Added on


Decision-making Uncertainty/Certainty

• Selecting SAP or Oracle

• Setting the quarterly revenue plan for $20 million

• Hiring a new VP of___________

• Not developing a new product

• Making a new investment

• Opening a new office

• Closing an office


NEW!!- Compendium of Examples

The compendium illustrates:

• All principles

• A variety of entity sizes from global through to national, regional, and local entities

• Actual company practices and augmented with expected practices in select areas, as needed

• An ERM perspective from the business mindset


In-Depth View of ERM in Practice

Each example:

• Sets out the industry context

• Highlights the key benefits of enterprise risk management

• Lists the principles demonstrated

• Provides facts and circumstances for context

• Offers in-depth discussion


The Compendium Considers a Variety of Industry Types


You May Already be “Doing ERM”…

• Strong, Articulated Mission, Clear Vision and Values

• Commitment to the concept of ERM activities and integration

• Strategy as the best alternative, Risk vs. Reward, linked to objectives

• Understand uncertainty of our world and decisions we make

• Big focus on Change, so what, what do we do

• Focus and measurement on Objectives

• Going through the “WHAT IF” process

• Knowing what you won’t do and why

• Evaluating if ERM is adding value


WHY ERM?

“How would you like to meet more of your objectives more of the time?”


ERM Simplified…


Every organization is trying to achieve its mission. Trying usually involves creating a plan that defines objectives, including metrics. Establishing that plan and objectives as well as executing to those objectives involves decision-making which involves uncertainty.

In addition, we live in an imperfect world that changes quickly and presents unexpected events- all creating additional uncertainty. Risk is defined as the degree of uncertainty in achieving objectives.

ERM is the discipline and process of identifying, evaluating and managing risk and uncertainty in any enterprise relative to its plan and objectives, as well as external events, so that the plan and objectives are achieved more often than they would be without this discipline and activity.


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a new research report that provides direction on how the Internal Control-Integrated Framework (2013) and the Enterprise Risk Management-Integrated Framework (2004) can help organizations effectively and efficiently evaluate and manage cyber risks.

Using the 2013 Internal Control-Integrated Framework as an example, COSO in the Cyber Age provides direction on identifying and implementing internal control components and principles, from demonstrating commitment to integrity and ethical values, to risk analysis, and evaluating and communicating deficiencies.


ERM on Every Audit…

• What are the Objectives?

• What is the plan to achieve them?

• How do you monitor progress and status?

• What will impact the plan (positive and negative)?

• Do you recognize uncertainty of decisions?

• How can you be better?

• Do you need any help?


“Personalize” ERM…

• What are YOUR Objectives?

• What is YOUR plan to achieve them?

• How do YOU monitor progress and status?

• What will impact YOUR plan (positive and negative)?

• Do YOU recognize uncertainty of decisions?

• How can YOU be better?

• Do YOU need any help?


COSO, World Business Council for Sustainable Development to Issue First- Ever Guidance for Applying Enterprise Risk Management (ERM) to Environmental, Social, Governance-related Risks

"Business is moving into an era of significant change in corporate governance. Integrating the environmental, social and governance factors into a company’s risk assessment will soon be the norm. New tools are needed for managing this new view of risks to the long-term financial and societal profile of business. Using these tools will mean better decisions that will make more sustainable companies become more successful."

WBCSD President and CEO Peter Bakker,

January 2018


Applying enterprise risk management to environmental, social and governance-related risks


How the guidance can help you

• Enhanced resilience

• A common language for articulating ESG-related risks

• Improved resource deployment

• Enhanced pursuit of ESG-related opportunities

• Realized efficiencies of scale

• Improved disclosure


COSO Framework and Sustainability

Leveraging the COSO Internal Control – Integrated Framework to Improve Confidence in Sustainability Performance Data

5/22/2019


And Even Legal Advice…

“Be aware that sustainability has become a major, mainstream governance topic that encompasses a wide range of issues, including a company’s long-term durability as a successful enterprise, climate change and other environmental risks and impacts, systemic financial stability, management of human capital, labor standards, resource management, and consumer and product safety, and consider how your company presents itself with respect to these matters.”

(Wachtell Lipton, July 2018)


And Even Internal Audit !

Based upon a thorough review by NIKE’s internal audit function, considerable progress has been made to NIKE’s sustainability data processes over the past several fiscal years, including but not limited to: a performance management data system overhaul, development of standard operating procedures, and an improved data governance model. The review also identified opportunities to further improve systems and controls around sustainability reporting. NIKE will continue to evolve and address information systems in light of this goal.


ESG “Out Performs”


Industries Grouped by Resource Intensity & Sustainability Impacts

Sustainable Industry Classification System (SICS®): 77 industries within 11 sectors

Consumer Goods: Apparel, Accessories & Footwear; Appliance Manufacturing; Building Products & Furnishings; E-Commerce; Household & Personal Products; Multiline and Specialty Retailers & Distributors; Toys & Sporting Goods

Extractives & Minerals Processing: Coal Operations; Construction Materials; Iron & Steel Producers; Metals & Mining; Oil & Gas - Exploration & Production; Oil & Gas - Midstream; Oil & Gas - Refining & Marketing; Oil & Gas - Services

Financials: Asset Management & Custody Activities; Commercial Banks; Consumer Finance; Insurance; Investment Banking & Brokerage; Mortgage Finance; Security & Commodity Exchanges

Food & Beverage: Agricultural Products; Alcoholic Beverages; Food Retailers & Distributors; Meat, Poultry & Dairy; Non-Alcoholic Beverages; Processed Foods; Restaurants; Tobacco

Health Care: Biotechnology & Pharmaceuticals; Drug Retailers; Health Care Delivery; Health Care Distributors; Managed Care; Medical Equipment & Supplies

Infrastructure: Electric Utilities & Power Generators; Engineering & Construction Services; Gas Utilities & Distributors; Home Builders; Real Estate; Real Estate Services; Waste Management; Water Utilities & Services

Renewable Resources & Alternative Energy: Biofuels; Forestry Management; Fuel Cells & Industrial Batteries; Pulp & Paper Products; Solar Technology & Project Developers; Wind Technology & Project Developers

Resource Transformation: Aerospace & Defense; Chemicals; Containers & Packaging; Electrical & Electronic Equipment; Industrial Machinery & Goods

Services: Advertising & Marketing; Casinos & Gaming; Education; Hotels & Lodging; Leisure Facilities; Media & Entertainment; Professional & Commercial Services

Technology & Communications: Electronic Manufacturing Services & Original Design Manufacturing; Hardware; Internet Media & Services; Semiconductors; Software & IT Services; Telecommunication Services

Transportation: Air Freight & Logistics; Airlines; Auto Parts; Automobiles; Car Rental & Leasing; Cruise Lines; Marine Transportation; Rail Transportation; Road Transportation

© SASB


Thought Leadership to Improve Your Organization


Oh, and One More Thing…


Much More than Just Internal Control…