Phoenix Chapter Annual Conference May 17, 2019
Much More than Just Internal Control…
Robert Hirth, COSO Chair Emeritus
Three Excellent Resources…
What the Heck is COSO?...
About COSO…
> 600,000 professionals
Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence.
Mission
COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”
COSO’s Fundamental Principle
• EFFECTIVE risk management and internal control are necessary for the long-term success of all organizations
And Thus…
The National Commission on Fraudulent Financial Reporting, a private-sector initiative, was formed in 1985 to inspect, analyze, and make recommendations on fraudulent corporate financial reporting. With James C. Treadway, Jr., former SEC Commissioner and General Counsel of Paine Webber, as its Chairman, it became known as the “Treadway Commission”.
Source: sechistorical.org
The Internal Control Recommendation
All public companies should maintain internal controls that provide reasonable assurance that fraudulent financial reporting will be prevented or subject to early detection – this is a broader concept than internal accounting controls…
…The Commission also recommends that its sponsoring organizations cooperate on developing additional, integrated guidance on internal controls…
- Treadway Commission report
“…while effective internal control requires leadership from the top, the responsibility for effective implementation of internal control resides with everyone in the organization, not just the finance function. This includes accountants, compliance officers and those involved in making contracts and supporting operations as well as those working on the production line to ensure that products produced meet quality objectives.
…the individuals that are responsible for achieving the objectives are also responsible for the quality of internal controls.”
Larry Rittenberg, Chair Emeritus, COSO
A Broad Perspective…
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Source: COSO 2013 Internal Control – Integrated Framework
20 Years in the Making…
Why Make Changes?
In the twenty years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global.
At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization.
Source: COSO September 2012
Project deliverable #1 – Internal Control-Integrated Framework (2013 Edition)
• Consists of three volumes:
▫ Executive Summary
▫ Framework and Appendices
▫ Illustrative Tools for Assessing Effectiveness of a System of Internal Control
• Sets out:
▫ Definition of internal control
▫ Categories of objectives
▫ Components and principles of internal control
▫ Requirements for effectiveness
Project deliverable #2 – Internal Control over External Financial Reporting: A Compendium…
• Illustrates approaches and examples of how principles are applied in preparing financial statements
• Considers changes in business and operating environments during past two decades
• Provides examples from a variety of entities – public, private, not-for-profit, and government
• Aligns with the updated Framework
ICFR, SOX Section 404
The final rules require a company's annual report to include an internal control report of management that contains:
• A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
• A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting;
• Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective.
ICFR, SOX Section 404 (continued)
• The assessment must include disclosure of any "material weaknesses" in the company's internal control over financial reporting identified by management. Management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in the company's internal control over financial reporting; and
• A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the registrant's internal control over financial reporting.
Using a Suitable Framework…
• Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment. In addition to being available to users of management's reports, a framework is suitable only when it:
• Is free from bias;
• Permits reasonably consistent qualitative and quantitative measurements of a company's internal control over financial reporting;
• Is sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal control over financial reporting are not omitted; and
• Is relevant to an evaluation of internal control over financial reporting.
Why is COSO a Suitable Model?
“Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment. The COSO Framework satisfies our criteria…”
Source: SEC
A Specific-Purpose Perspective
COSO is Happy!
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
COSO and Fraud…
The Fraud Risk Management Guide is an update to a 2007 report sponsored by the American Institute of CPAs (AICPA), The Institute of Internal Auditors (IIA), and ACFE, Managing the Business Risk of Fraud: A Practical Guide. Updates reflect recent developments in the area of risk management, including important information related to new technology, specifically data analytics.
The Fraud Risk Management Guide includes examples of key program components and resources that organizations can use to develop a fraud risk-management program effectively and efficiently. In addition, the guide contains references to other sources of guidance for tailoring a fraud risk-management program to a specific industry.
COSO ICF Principle #8
Update articulates principles of effective internal control (continued)
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Principle #8 – Points of Focus
• Considers Various Types of Fraud
• Assesses Incentive and Pressures
• Assesses Opportunities
• Assesses Attitudes and Rationalizations
Types of Fraud
• Fraudulent financial reporting
• Fraudulent non-financial reporting
• Misappropriation of assets
• Illegal acts
• Uses technology or does not
• Inside or outside the organization
• Corruption
Sources of Fraud
• Management bias
• Degree of estimates and judgments
• Fraud schemes and scenarios common to industries and markets
• Geographic regions
• Incentives that motivate fraudulent behavior
• Nature of technology and ability to manipulate information
• Unusual or complex transactions
• Vulnerability to override and ability to circumvent existing controls
5 KEY POINTS
• Establishes and Communicates Fraud Risk Management Program
• Performs Comprehensive Fraud Risk Assessment
• Selects, Develops and Deploys Preventative and Detective Fraud Controls
• Establishes a Communication Process about Potential Fraud
• Selects, Develops and Performs Ongoing Evaluations
Control Hierarchy…
• Preventative better than detective
• Automated better than manual
• Must be operating as intended and effective
• Must be performed by competent personnel
• Should be tested periodically
Controls That May Help Reduce or Deter Fraud…
Approvals and approval levels
Access
Limits
Reviews, matching
Segregation of duties, rotations
Reconciliations
Metric reporting
Vacations
Other Control Characteristics
Frequency
Precision
Degree of difficulty to apply
Competencies required
Best Fraud Defenses
• People
• Culture
• Technology
• Whistleblowers and Hotlines
• Controls
• Vigilance
• Audits
The Three Lines of Defense model advocates clearly defining responsibilities for three aspects of risk: risk ownership, risk monitoring, and risk assurance. Functions that own and manage risks are the first line; the various risk control and compliance functions that monitor risks are the second line; and internal audit, which provides independent assurance on the effectiveness of control and compliance functions, is the third line.
The new white paper breaks down each of the three lines and assigns the corresponding framework principles. For example, the first line of defense — primarily front-line and mid-line managers who have day-to-day ownership and management of risks and controls — is assigned the 12 COSO principles listed under risk assessment, control activities, information and communications, and monitoring.
Enterprise Risk Management – Integrating with Strategy and Performance
A New Title…
• Retitled as Enterprise Risk Management—Integrating with Strategy and Performance
• Recognizes the importance of strategy and entity performance
• Further delineates enterprise risk management from internal control
Builds Links to Internal Control
• The document does not replace the Internal Control – Integrated Framework
• The two frameworks are distinct and complementary
• Both use a components and principles structure
• Aspects of internal control common to enterprise risk management are not repeated
• Some aspects of internal control are developed further in this framework
A Key Introduction…
• Our understanding of the nature of risk, and the art and science of choice, lies at the core of our modern market economy.
• Every choice we make in the pursuit of objectives has its risks. From day-to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with uncertainty in these choices is a part of our organizational lives.
Definitions
Risk: The possibility that events will occur and affect the achievement of strategy and business objectives (or will not occur)
Enterprise Risk Management: The culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value
1) Provides a New Document Structure
• Framework focused on fewer components (five)
• Uses focused call-out examples to emphasize key points (> 30)
• Follows the business model versus an isolated risk management process
2) Introduces Principles
20 key principles across the five components
3) Incorporates New Graphics/Concepts
Graphic has stronger ties to the business model
Links to Strategy
• Explores strategy from three different perspectives:
–The possibility of strategy and business objectives not aligning with mission, vision and values
–The implications from the strategy chosen
–Risk to executing the strategy
Integrated, Not Added on
Decision-making Uncertainty/Certainty
• Selecting SAP or Oracle
• Setting the quarterly revenue plan for $20 million
• Hiring a new VP of___________
• Not developing a new product
• Making a new investment
• Opening a new office
• Closing an office
NEW!! – Compendium of Examples
The compendium illustrates:
• All principles
• A variety of entity sizes from global through to national, regional, and local entities
• Actual company practices, augmented with expected practices in select areas as needed
• An ERM perspective from the business mindset
In-Depth View of ERM in Practice
Each example:
• Sets out the industry context
• Highlights the key benefits of enterprise risk management
• Lists the principles demonstrated
• Provides facts and circumstances for context
• Offers in-depth discussion
The Compendium Considers a Variety of Industry Types
You May Already be “Doing ERM”…
• Strong, Articulated Mission, Clear Vision and Values
• Commitment to the concept of ERM activities and integration
• Strategy as the best alternative, Risk vs. Reward, linked to objectives
• Understand uncertainty of our world and decisions we make
• Big focus on change: so what, and what do we do?
• Focus and measurement on Objectives
• Going through the “WHAT IF” process
• Knowing what you won’t do and why
• Evaluating if ERM is adding value
WHY ERM?
“How would you like to meet more of your objectives more of the time?”
ERM Simplified…
Every organization is trying to achieve its mission. Trying usually involves creating a plan that defines objectives, including metrics. Establishing that plan and its objectives, as well as executing against those objectives, involves decision-making, and decision-making involves uncertainty.
In addition, we live in an imperfect world that changes quickly and presents unexpected events, all creating additional uncertainty. Risk is defined as the degree of uncertainty in achieving objectives.
ERM is the discipline and process of identifying, evaluating and managing risk and uncertainty in any enterprise relative to its plan and objectives, as well as external events, so that the plan and objectives are achieved more often than they would be without this discipline and activity.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a new research report that provides direction on how the Internal Control-Integrated Framework (2013) and the Enterprise Risk Management-Integrated Framework (2004) can help organizations effectively and efficiently evaluate and manage cyber risks.
Using the 2013 Internal Control-Integrated Framework as an example, COSO in the Cyber Age provides direction on identifying and implementing internal control components and principles, from demonstrating commitment to integrity and ethical values, to risk analysis, and evaluating and communicating deficiencies.
ERM on Every Audit…
• What are the Objectives?
• What is the plan to achieve them?
• How do you monitor progress and status?
• What will impact the plan (positive and negative)?
• Do you recognize uncertainty of decisions?
• How can you be better?
• Do you need any help?
“Personalize” ERM…
• What are YOUR Objectives?
• What is YOUR plan to achieve them?
• How do YOU monitor progress and status?
• What will impact YOUR plan (positive and negative)?
• Do YOU recognize uncertainty of decisions?
• How can YOU be better?
• Do YOU need any help?
COSO, World Business Council for Sustainable Development to Issue First-Ever Guidance for Applying Enterprise Risk Management (ERM) to Environmental, Social, Governance-related Risks
“Business is moving into an era of significant change in corporate governance. Integrating the environmental, social and governance factors into a company’s risk assessment will soon be the norm. New tools are needed for managing this new view of risks to the long-term financial and societal profile of business. Using these tools will mean better decisions that will make more sustainable companies become more successful.”
WBCSD President and CEO Peter Bakker, January 2018
Applying enterprise risk management to environmental, social and governance-related risks
How the guidance can help you
• Enhanced resilience
• A common language for articulating ESG-related risks
• Improved resource deployment
• Enhanced pursuit of ESG-related opportunities
• Realized efficiencies of scale
• Improved disclosure
COSO Framework and Sustainability
Leveraging the COSO Internal Control – Integrated Framework to Improve Confidence in Sustainability Performance Data
5/22/2019
And Even Legal Advice…
“Be aware that sustainability has become a major, mainstream governance topic that encompasses a wide range of issues, including a company’s long-term durability as a successful enterprise, climate change and other environmental risks and impacts, systemic financial stability, management of human capital, labor standards, resource management, and consumer and product safety, and consider how your company presents itself with respect to these matters.”
(Wachtell Lipton, July 2018)
And Even Internal Audit !
Based upon a thorough review by NIKE’s internal audit function, considerable progress has been made to NIKE’s sustainability data processes over the past several fiscal years, including but not limited to: a performance management data system overhaul, development of standard operating procedures, and an improved data governance model. The review also identified opportunities to further improve systems and controls around sustainability reporting. NIKE will continue to evolve and address information systems in light of this goal.
ESG “Out Performs”
Sustainable Industry Classification System (SICS®): 77 industries within 11 sectors
Industries Grouped by Resource Intensity & Sustainability Impacts
Consumer Goods: Apparel, Accessories & Footwear; Appliance Manufacturing; Building Products & Furnishings; E-Commerce; Household & Personal Products; Multiline and Specialty Retailers & Distributors; Toys & Sporting Goods
Extractives & Minerals Processing: Coal Operations; Construction Materials; Iron & Steel Producers; Metals & Mining; Oil & Gas – Exploration & Production; Oil & Gas – Midstream; Oil & Gas – Refining & Marketing; Oil & Gas – Services
Financials: Asset Management & Custody Activities; Commercial Banks; Consumer Finance; Insurance; Investment Banking & Brokerage; Mortgage Finance; Security & Commodity Exchanges
Food & Beverage: Agricultural Products; Alcoholic Beverages; Food Retailers & Distributors; Meat, Poultry & Dairy; Non-Alcoholic Beverages; Processed Foods; Restaurants; Tobacco
Health Care: Biotechnology & Pharmaceuticals; Drug Retailers; Health Care Delivery; Health Care Distributors; Managed Care; Medical Equipment & Supplies
Infrastructure: Electric Utilities & Power Generators; Engineering & Construction Services; Gas Utilities & Distributors; Home Builders; Real Estate; Real Estate Services; Waste Management; Water Utilities & Services
Renewable Resources & Alternative Energy: Biofuels; Forestry Management; Fuel Cells & Industrial Batteries; Pulp & Paper Products; Solar Technology & Project Developers; Wind Technology & Project Developers
Resource Transformation: Aerospace & Defense; Chemicals; Containers & Packaging; Electrical & Electronic Equipment; Industrial Machinery & Goods
Services: Advertising & Marketing; Casinos & Gaming; Education; Hotels & Lodging; Leisure Facilities; Media & Entertainment; Professional & Commercial Services
Technology & Communications: Electronic Manufacturing Services & Original Design Manufacturing; Hardware; Internet Media & Services; Semiconductors; Software & IT Services; Telecommunication Services
Transportation: Air Freight & Logistics; Airlines; Auto Parts; Automobiles; Car Rental & Leasing; Cruise Lines; Marine Transportation; Rail Transportation; Road Transportation
© SASB
Thought Leadership to Improve Your Organization
Oh, and One More Thing…
Much More than Just Internal Control…