policyIQ for COSO 2013 Internal Control – Integrated Framework
DESCRIPTION
The policyIQ Team was joined by Senior Practice Director of RGP’s Governance Risk & Compliance (GRC) practice, Les Sussman, to discuss how the updated COSO framework will impact companies and, specifically, policyIQ clients or prospects. Mr. Sussman recapped the highlights from a webinar that he co-presented with RGP’s Global Managing Director of the Finance & Accounting practice, Shauna Watson. Their session, “Effective Transition to the 2013 COSO Framework and SOX Compliance”, drew more than a thousand registrants and received great reviews for addressing considerations that have not been discussed in other COSO-related sessions. With a diverse audience of current policyIQ users and many participants who are not currently using policyIQ, we took time to introduce some highlights of policyIQ. We went on to demonstrate how easily and quickly we amended our policyIQ configuration to accommodate the updated 2013 COSO Internal Control – Integrated Framework. RGP recommends that companies employ both a top-down and a bottom-up approach to mapping Principles and Controls to one another. We discussed this and how policyIQ reports can be applied to make quick work of mapping, gap analysis, control rationalization and reporting to the Audit Committee and External Auditors. Reach out to us with any questions: [email protected] or [email protected].
TRANSCRIPT
COSO 2013 Internal Control-Integrated Framework, Efficiently Transition Using policyIQ
March 6, 2014
Objectives
By the end of the session, you will
Be aware of key changes in updated COSO Framework
Have more information about how to plan your transition project
Understand what policyIQ is and how to navigate
See that you can easily configure policyIQ to capture COSO Principles
Recognize how you can use reports for analysis and final reporting
COSO Updates Framework, May 14, 2013
The New Framework
Internal Control – Integrated Framework (Framework and Appendices)
Expands the financial reporting category of objectives to include other forms of reporting (internal and non-financial)
Explicitly formalizes principles introduced in original framework
Provides approaches and examples illustrating how principles are applied in financials
Supersedes 1992 Framework on December 15, 2014
2013 COSO Framework
The updated framework formalizes 17 principles that were introduced and embedded in the original framework. Companies choosing to follow the COSO Framework will need to demonstrate that all 17 Principles are present and functioning in their Internal Control Framework.
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Transition Strategy
Project ownership: it is important that someone takes responsibility for dates and deliverables
Project communication: include all parties touched by the change in communications
Resource constraints: assess the time and people that you have; reach out to RGP or others for support
Coordination with external auditors: touch base with auditors early and often to ensure that you are on the same page
Top down versus bottom up: RGP recommends doing both
Project Approach and Timeline
Phase 1 - Plan
• Establish project ownership / management
• Develop detailed approach and timeline
• Identify resources and assign responsibility
• Communicate plan and train
• Consult with auditors
Phase 2 - Map
• Update risk assessment
• Start mapping from top down
• Link principles to controls
• Consider points of focus
• Coordinate with other service providers
Phase 3 - Assess
• Identify deficiencies
• Evaluate deficiencies
• Determine controls requiring remediation
• Consider eliminating orphan controls
Phase 4 - Implement
• Design new controls
• Train control owners
• Schedule testing
Timeline (the original chart marks “Today” in Q1 2014, with testing running through the year):
1/1/2014 – 3/31/2014 (Q1): Year-end close, financial audits, year-end write-up
4/1/2014 – 6/30/2014 (Q2): Testing for 1st half of the year
7/1/2014 – 9/30/2014 (Q3): Testing 2nd part of the year
10/1/2014 – 12/31/2014 (Q4): Year-end & remediation
Introduction to policyIQ
Web-based Governance, Risk & Compliance
Customizable and flexible
A workflow, oversight, management reporting tool
Secure (certifications, SSL, Username/PW)
Diagram: Page Templates (Contract, Procedure, Policy, Test, Control, Risk) define fields of type Text, Dropdown, Multi-Select, Date, Number or Currency (for example name, date, text) and restrict who may act as Creators or Approvers; each Page is created from a Template.
Create Pages for your Risks, COSO Principles, Narratives, Controls, and so on from Templates that drive consistency and sound information governance practices
Take advantage of the database and easy-to-use interface to eliminate issues with multiple versions, to manage workpapers and supporting documentation and to relate content appropriately for powerful reporting capabilities.
Remember SOX in Year 1 or 2 and manually managing Risk/Control matrices in Excel?
You might be comforted knowing that policyIQ plays well with Excel—as in this example above of a matrix (Detail Link Report) exported to Excel.
Remember that the root object in policyIQ is a page…
…with the ability to link pages to one another.
Pages are created from Templates with the fields that you want.
You can define who should have read, write and approve access to all content and can index Pages into one or multiple Folders.
Getting around is very easy—using familiar actions to drill down into Folders, select items in the table on the right and choose the appropriate action from the toolbar above. We do these things every day while working with documents on our hard drive or in shared network folders.
To configure (retrofit) policyIQ for the new COSO framework, we recommend adding a Folder structure called “COSO” to which you can add subfolders for each of the COSO Components. This is where you will file or index your pages for each of your COSO Principles.
To create those Principle Pages, you must first create a Page Template. Similar to the navigation elsewhere in policyIQ, drill down into the appropriate Page Template Category and then choose the appropriate action (Add Template for Pages) from the toolbar. Follow similar navigation to highlight the Principle template on the left and add one Short Text field to capture the more detailed description of each Principle.
Populating policyIQ with your Principles, Points of Focus (and Risks, Controls, Tests, etc. if you are new to policyIQ) is as simple as arranging the information in Excel for Import.
The result of the import: your pages are created, appropriate security rights are assigned, pages are indexed into the appropriate folders, and pages can even be linked to one another.
Using policyIQ for Analysis and Reporting
Mapping Process – Top-down Approach
Without policyIQ, you could use COSO’s Illustrative Tools to help you manage your top-down methodology of mapping your Principles to Points of Focus and then to relevant Controls.
With policyIQ, you could use the tool and its linking capability to manage the same top-down mapping of your Principles to Points of Focus and then to relevant Controls.
Mapping Process – Bottom-up Approach
You could also use policyIQ to review all of your controls and map them to relevant Principles or Points of Focus. This process sets the stage for using policyIQ to thoroughly (and quickly) review and rationalize the reduction of controls and, therefore, of testing (and related costs).
policyIQ Reports – To Identify Gaps
With a simple report, it is apparent when gaps exist.
policyIQ Reports – Control Rationalization
Reports also allow you to easily see where some Principles might be more than adequately controlled and when it makes sense to remove Controls from the SOX framework (noting they are “out of scope” for SOX).
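The gap and redundancy checks that the two reports above make visible, as an added example that is not from the page and not policyIQ’s own code: a Python script run over a constructed CSV in the shape of a principle / point-of-focus / control link export. The column names, the convention that an orphan control appears with an empty principle, and the redundancy threshold of 3 controls per Principle are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of a link export (principle -> point of focus -> control),
# in the spirit of a Detail Link Report exported to Excel/CSV. All values are
# illustrative and not taken from any real instance.
LINK_EXPORT = """\
principle,point_of_focus,control
1,Sets the tone at the top,CTRL-001 Code of conduct acknowledged annually
1,Establishes standards of conduct,CTRL-001 Code of conduct acknowledged annually
2,Establishes oversight responsibilities,CTRL-002 Audit Committee charter review
10,Integrates with risk assessment,CTRL-010 Journal entry approval
10,Integrates with risk assessment,CTRL-011 Journal entry review
10,Determines relevant business processes,CTRL-012 Secondary journal entry review
10,Determines relevant business processes,CTRL-013 Quarterly JE sample re-review
,,CTRL-099 Legacy spreadsheet lock
"""

ALL_PRINCIPLES = range(1, 18)  # the 17 COSO 2013 principles, by number


def load_links(text):
    """Parse the export into {principle: {control, ...}} and the set of orphan controls."""
    by_principle = defaultdict(set)
    unlinked = set()
    for row in csv.DictReader(StringIO(text)):
        control = row["control"].strip()
        if row["principle"].strip():
            by_principle[int(row["principle"])].add(control)
        elif control:
            unlinked.add(control)  # assumption: empty principle = no link
    linked = set().union(*by_principle.values())
    return by_principle, unlinked - linked  # only truly orphan controls remain


def find_gaps(by_principle):
    """Principles with no linked control: the gaps a new control must close."""
    return sorted(p for p in ALL_PRINCIPLES if not by_principle.get(p))


def find_redundancies(by_principle, threshold=3):
    """Principles covered by more than `threshold` controls: rationalization candidates."""
    return {p: sorted(c) for p, c in by_principle.items() if len(c) > threshold}


def analyze(text, threshold=3):
    by_principle, orphans = load_links(text)
    return {"gaps": find_gaps(by_principle),
            "redundant": find_redundancies(by_principle, threshold),
            "orphans": sorted(orphans)}


if __name__ == "__main__":
    for key, value in analyze(LINK_EXPORT).items():
        print(f"{key}: {value}")
```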
policyIQ Reports – To Summarize
(Report screenshot: focus only on necessary information in Results)
You may also use policyIQ Reports to summarize information—selecting only the pertinent information—to share with the Audit Committee, External Auditors, and so on.
Summary
• Start the transition process as soon as possible
• Use the opportunity to streamline key controls and reduce costs
• Leverage technology to promote effectiveness and efficiency: the mapping process, control rationalization (gaps and redundancies), and reporting to the Audit Committee and External Auditors
Contact Information
LESTER SUSSMAN
Senior Practice Director, GRC
STEPHENIE BUEHRLE
Product Director, policyIQ
POLICYIQ INFORMATION
Reach out to us with any questions about the framework, methodology for transitioning, project management, project support or policyIQ!