policyIQ for COSO 2013 Internal Control - Integrated Framework

COSO 2013 Internal Control- Integrated Framework, Efficiently Transition Using policyIQ March 6, 2014

Posted on 29-Nov-2014

DESCRIPTION

The policyIQ Team was joined by Senior Practice Director of RGP’s Governance Risk & Compliance (GRC) practice, Les Sussman, to discuss how the updated COSO framework will impact companies and, specifically, policyIQ clients or prospects. Mr. Sussman recaptured the highlights from a webinar that he co-presented with RGP’s Global Managing Director of the Finance & Accounting practice, Shauna Watson. Their session, “Effective Transition to the 2013 COSO Framework and SOX Compliance”, drew more than a thousand registrants and received great reviews for addressing considerations that have not been discussed in other COSO-related sessions. With a diverse audience of current policyIQ users and many participants who are not currently using policyIQ, we took time to introduce some highlights of policyIQ. We went on to demonstrate how easily and quickly we amended our policyIQ configuration to accommodate the updated 2013 COSO Internal Control – Integrated Framework. RGP recommends that companies employ both a top down and a bottom up approach to mapping Principles and Controls to one another. We discussed this and how policyIQ reports can be applied to make quick work of mapping, gap analysis, control rationalization and reporting to the Audit Committee and External Auditors. Reach out to us with any questions: [email protected] or [email protected].

TRANSCRIPT

Page 1: policyIQ for COSO 2013 Internal Control - Integrated Framework

COSO 2013 Internal Control-Integrated Framework, Efficiently Transition Using policyIQ

March 6, 2014

Page 2

Objectives

By the end of the session, you will:

• Be aware of key changes in the updated COSO Framework
• Have more information about how to plan your transition project
• Understand what policyIQ is and how to navigate it
• See that you can easily configure policyIQ to capture COSO Principles
• Recognize how you can use reports for analysis and final reporting

Page 3

COSO Updates Framework, May 14, 2013

The New Framework

[Figure: covers of the COSO publications "Internal Control – Integrated Framework" and "Framework and Appendices"]

Page 4

The New Framework

• Expands the financial reporting category of objectives to include other forms of reporting (internal and non-financial)
• Explicitly formalizes principles introduced in the original framework
• Provides approaches and examples illustrating how principles are applied in financials
• Supersedes the 1992 Framework on December 15, 2014

Page 5

2013 COSO Framework

The updated framework formalizes 17 principles that were introduced and embedded in the original framework. Companies choosing to follow the COSO Framework will need to demonstrate that all 17 Principles are present and functioning in their Internal Control Framework.

Page 6

2013 COSO Framework

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Page 7

Transition Strategy

• Project ownership: it is important that someone takes responsibility for dates and deliverables
• Project communication: include all parties touched by the change in communications
• Resource constraints: assess the time and people that you have; reach out to RGP or others for support
• Coordination with external auditors: touch base with auditors early and often to ensure that you are on the same page
• Top down versus bottom up: RGP recommends doing both

Page 8

Project Approach and Timeline

Activities

Phase 1 - Plan
• Establish project ownership / management
• Develop detailed approach and timeline
• Identify resources and assign responsibility
• Communicate plan and train
• Consult with auditors

Phase 2 - Map
• Update risk assessment
• Start mapping from top down
• Link principles to controls
• Consider points of focus
• Coordinate with other service providers

Phase 3 - Assess
• Identify deficiencies
• Evaluate deficiencies
• Determine controls requiring remediation
• Consider eliminating orphan controls

Phase 4 - Implement
• Design new controls
• Train control owners
• Schedule testing

Timeline
1/1/2014 – 3/31/2014, Q1 – Year-end close, financial audits, year-end write-up
4/1/2014 – 6/30/2014, Q2 – Testing for 1st half of the year
7/1/2014 – 9/30/2014, Q3 – Testing 2nd part of the year
10/1/2014 – 12/31/2014, Q4 – Year-end & Remediation

[Figure: the four phases (P1–P4) laid across the quarter-end dates 3/31/2014, 6/30/2014, 9/30/2014 and 12/31/2014, with a "Today" marker and a testing bar]

Page 9

Introduction to policyIQ

Page 10

Introduction to policyIQ

• Web-based Governance, Risk & Compliance
• Customizable and flexible
• A workflow, oversight, management reporting tool
• Secure (certifications, SSL, Username/PW)

Page 11

Introduction to policyIQ

[Figure: Page Templates (Contract, Procedure, Policy, Test, Control, Risk) built from Fields (Text, Dropdown, Multi-Select, Date, Number, Currency), with Restrict settings for Creators and Approvers; a sample Procedure template with name, date and text fields producing a Page]

Create Pages for your Risks, COSO Principles, Narratives, Controls, and so on from Templates that drive consistency and sound information governance practices

Page 12

Introduction to policyIQ

[Figure: Pages created from the Contract, Procedure, Policy, Test, Control and Risk templates, with uploaded and attached documents, indexed into Folders]

Take advantage of the database and easy-to-use interface to eliminate issues with multiple versions, to manage workpapers and supporting documentation and to relate content appropriately for powerful reporting capabilities.

Page 13

Introduction to policyIQ

Page 14

Introduction to policyIQ

Remember SOX in Year 1 or 2 and manually managing Risk/Control matrices in Excel?

Page 15

Introduction to policyIQ

You might be comforted knowing that policyIQ plays well with Excel—as in this example above of a matrix (Detail Link Report) exported to Excel.

Page 16

Introduction to policyIQ

Remember that the root object in policyIQ is a page…

…with the ability to link pages to one another.

Pages are created from Templates with the fields that you want.

You can define who should have read, write and approve access to all content and can index Pages into one or multiple Folders.

Page 17

Introduction to policyIQ

Getting around is very easy—using familiar actions to drill down into Folders, select items in the table on the right and choose the appropriate action from the toolbar above. We do these things every day while working with documents on our hard drive or in shared network folders.

Page 18

Introduction to policyIQ

To configure (retrofit) policyIQ for the new COSO framework, we recommend adding a Folder structure called “COSO” to which you can add subfolders for each of the COSO Components. This is where you will file or index your pages for each of your COSO Principles.

Page 19

Introduction to policyIQ

To create those Principle Pages, you must first create a Page Template. Similar to the navigation elsewhere in policyIQ, drill down into the appropriate Page Template Category and then choose the appropriate action (Add Template for Pages) from the toolbar. Follow similar navigation to highlight the Principle template on the left and add one Short Text field to capture the more detailed description of each Principle.

Page 20

Introduction to policyIQ

Populating policyIQ with your Principles, Points of Focus (and Risks, Controls, Tests, etc. if you are new to policyIQ) is as simple as arranging the information in Excel for Import.

Page 21

Introduction to policyIQ

The result of the import: your pages have been created, appropriate security rights have been assigned, pages are indexed into the appropriate folders, and you can even link pages to one another.

Page 22

Using policyIQ for Analysis and Reporting

Page 23

Mapping Process – Top-down Approach

Without policyIQ, you could use COSO’s Illustrative Tools to help you manage your top-down methodology of mapping your Principles to Points of Focus and then to relevant Controls.

Page 24

Mapping Process – Top-down Approach

With policyIQ, you could use the tool and linking capability to manage your top-down methodology of mapping your Principles to Points of Focus and then to relevant Controls.

Page 25

Mapping Process – Bottom-up Approach

You could also use policyIQ to review all of your controls and map them to relevant Principles or Points of Focus. This process will set the stage for using policyIQ to thoroughly (and quickly) review and rationalize the reduction of controls and, therefore, testing (and related costs).

Page 26

policyIQ Reports – To Identify Gaps

With a simple report, it is apparent when gaps exist.

Page 27

policyIQ Reports – Control Rationalization

Reports also allow you to easily see where some Principles might be more than adequately controlled and when it makes sense to remove Controls from the SOX framework (noting they are “out of scope” for SOX).
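The gap report (Page 26), the rationalization report (Page 27) and the orphan-control check from Phase 3 (Page 8) all reduce to the same operation: invert the control-to-principle links and look for principles with no control, principles with many, and controls with none. The block below is an added Python example, not policyIQ code or RGP's own method; the control ids and their links are constructed sample data, and the cutoff of three controls per principle is an assumed review threshold.

```python
"""Gap, orphan and redundancy checks over a COSO 2013 principle-to-control map.

Added illustration, not policyIQ code: policyIQ reports do this over linked
Pages; here the same checks run on a small constructed mapping so the logic
behind a gap report and control rationalization is visible.
"""
from collections import defaultdict

# The 17 principles grouped by the five components of the 2013 Framework.
COMPONENTS = {
    "Control Environment": [1, 2, 3, 4, 5],
    "Risk Assessment": [6, 7, 8, 9],
    "Control Activities": [10, 11, 12],
    "Information & Communication": [13, 14, 15],
    "Monitoring Activities": [16, 17],
}

# Constructed sample (bottom-up view): control id -> principles it is linked to.
# Control ids are hypothetical placeholders, not a real control inventory.
CONTROL_MAP = {
    "C-001": [1, 5],
    "C-002": [7, 8],
    "C-003": [7],
    "C-004": [7],
    "C-005": [10, 12],
    "C-006": [11],
    "C-007": [],          # orphan: supports no principle
    "C-008": [13, 14],
    "C-009": [16],
}

def principles_to_controls(control_map):
    """Invert the bottom-up map into the top-down view: principle -> [controls]."""
    by_principle = defaultdict(list)
    for control, principles in control_map.items():
        for p in principles:
            by_principle[p].append(control)
    return dict(by_principle)

def gap_report(control_map, components=COMPONENTS):
    """Per component, the principles with no linked control (cannot be shown 'present and functioning')."""
    covered = principles_to_controls(control_map)
    return {comp: [p for p in ps if p not in covered] for comp, ps in components.items()}

def orphan_controls(control_map):
    """Controls linked to no principle: candidates to drop from the SOX scope."""
    return sorted(c for c, ps in control_map.items() if not ps)

def over_controlled(control_map, threshold=3):
    """Principles with at least `threshold` controls (assumed cutoff): review for rationalization."""
    covered = principles_to_controls(control_map)
    return {p: sorted(cs) for p, cs in covered.items() if len(cs) >= threshold}
```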

Page 28

policyIQ Reports – To Summarize

Focus only on necessary information in Results

You may also use policyIQ Reports to summarize information—selecting only the pertinent information—to share with the Audit Committee, External Auditors, and so on.

Page 29

Summary

• Start the transition process as soon as possible
• Use the opportunity to streamline key controls and reduce costs
• Leverage technology to promote effectiveness and efficiency
• Mapping process
• Control Rationalization – Gaps and Redundancies
• Reporting to the Audit Committee and External Auditors

Page 30

Contact Information

LESTER SUSSMAN
Senior Practice Director, GRC
[email protected]

STEPHENIE BUEHRLE
Product Director, policyIQ
[email protected]

POLICYIQ INFORMATION
[email protected]

Reach out to us with any questions about the framework, methodology for transitioning, project management, project support or policyIQ!