Updates to the COSO Internal Controls Framework. How to Apply it to Your Control Framework

Transcription

1 Updates to the COSO Internal Controls Framework How to Apply it to Your Control Framework

2 Presenters Jack Kristan, CPA. CIA, MBA Senior Consulting Manager, Plante Moran Enterprise Risk Services Jack has more than 11 years of business operations, finance, accounting, and internal audit experience. Since joining Plante Moran s Enterprise Risks Services (ERS) practice, he has been actively involved engaged in assignments evaluating internal audits across multiple industries, including trusts. Jack serves as an onsite team leader for internal audit, Sarbanes-Oxley, JSOX, and consulting engagements. He has been engaged to perform operational improvement audits, lead the finance effort for an ERP implementation with a FORTUNE 500 company, manufacturing variances audits, developed an audit module for a large class action settlement, and co-developed a software solution for segregation of duties with another ERS associate. He regularly presents on various internal control and audit related topics for the MACPA and local IIA chapters in Michigan. Matthew Bohdan, CPA, CIA, MBA Consulting Manager, Plante Moran Enterprise Risk Services Matt has over 7 years of public accounting and management consulting experience providing services to clients in a number of industries. Matt is a member of Plante Moran s Financial Support and Enterprise Risk Services practice, and is responsible for assisting clients with various accounting and finance related consulting projects. Projects include interim accounting assistance provided to provided to companies in transition, including holdings and subsidiaries of venture capital entities, financial modeling, system and process implementation, internal audit & Sarbanes-Oxley, business planning, financial reporting, due diligence, other outsourced financial management. Matt has played a key role in several client projects in the development and implementation of accounting/finance procedures and business process improvement for companies in transition and distress.

3 What is COSO and the Internal Control Framework? 2

4 What is COSO and the Internal Control Framework? COSO - Recap FORMATION & HISTORY Organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting Formation was jointly sponsored by the American Accg. Association, AICPA, Financial Executives International, the IIA and IMA Significant frameworks and guidance papers: Internal Controls (1992)* Internal Control Issues in Derivatives Usage (1996) Enterprise Risk Management (2004) Internal Control over Financial Reporting Guidance for Smaller Public Companies (2006) Guidance on Monitoring Internal Control Systems (2009) 3

5 What is COSO and the Internal Control Framework? COSO - Recap MISSION / VISION Provides thought leadership through the development of frameworks for Enterprise Risk Management Internal Controls Fraud Deterrence Aims to leverage these frameworks to improve operational and governance practices in an organization COSO s vision is to be a recognized thought leader in the global marketplace on the development of guidance in the areas of risk and control which enable good organizational governance and reduction of fraud. 4

6 What is COSO and the Internal Control Framework? COSO - Recap THE FRAMEWORK COSO s Internal Controls framework is based on three objectives and five components across and organization OBJECTIVES Operations Effectiveness and efficiency of an organization s operations, including operational and financial goals & safeguarding and organization s assets against loss Reporting Internal and external financial and non-financial reporting, encompassing the reliability, timeliness, transparency and other terms set forth by other agency s that set standards and the entity s policies Compliance Pertains to the adherence of laws and regulations the entity is subject to 5

7 What is COSO and the Internal Control Framework? COSO - Recap THE FRAMEWORK COSO s Internal Controls framework is based on three objectives and five components across and organization COMPONENTS Control Environment The control environment of any organization is the foundation of a sound system of internal controls. This includes the tone at the top, the organization's tone on integrity and ethics, the structure of the entity, its processes and the organization s risk philosophy Risk Assessment A systemic approach that is agreed upon to define the way to identify risk in the organization and ultimately determine the organization s approach to developing control actions for those risks. The risk assessment is dynamic and constantly changing Control Activities The actions that have been developed by the organization such as standard procedures to prevent or detect errors and prevent the identified risks coming to fruition Information and Communication The means by which information is passed throughout the organization, including senior management s tone on internal controls. The primary enabler to ensure that the organization understands what is necessary to achieve the organization objectives Monitoring Activities On-going evaluations of the other components to ensure that the objectives of internal control are being met 6

8 What is COSO and the Internal Control Framework? COSO - Recap THE COSO CUBE Though there are other COSO Cubes we have just described the fundamentals of COSO s Integrated Framework for Internal Controls. COSO s Objectives COSO s Components 7

9 2013 Framework Changes 8

10 What is the new framework? KEY CHANGES Improved clarity of the five objectives for enhanced design and implementation of internal controls Specific listing of the 17 principals Expansion of Reporting Objective to include non-financial and internal reporting Updates to accommodate the changes to the business environment since 1992: Expectations for governance oversight Globalization of markets and operations Changes and increased complexity of business operations Changes in regulations, standards, laws, etc Expectations for competencies and accountabilities Specific expectations relating to the prevention and detection of fraud Use and reliance on evolving technology 9

11 What is the new framework? EXPANDED GUIDANCE FOR INFORMATION TECHNOLOGY Consideration of information technology related factors that may impact the entity s ability to achieve its objectives Impact of technology on the control environment is evolutionary in nature Brought about by changes in technology and their associated risks Organizations frequently use IT to support control activities and monitor the components of internal control. Inherent limitations of the framework when applied to emerging technological trends such as cloud computing and the use of social media 10 10

12 Traditional Documentation Approaches Framework Changes Execute Risk Assessment Identify Key Accounts and Map to Business Processes Internal Audit* interviews, documents and validates internal controls with process owners and management 11

13 Traditional Documentation Approaches Risk Assessment Receipt of Financials Prepare and Issue Risk Survey Input Financials to Risk Model Review and input survey results to Risk Model Follow Up Interviews as needed / Revise Risk Model Prepare Risk Memo and Audit Plan Review w/ Management 12

14 Traditional Documentation Approaches Map Risks to Processes RISK MAPPING Obtain the consolidated financial statements Assign materiality based on internal discussions Typically percentage of assets for balance sheet items Percentage of net income for I.S. items Review the risk assessment exercise and tie the risks to the financial statements Use the risk assessment factors for impact and likelihood in conjunction with the financial statements Identify priority processes and begin the documentation processes 13

15 Map Risks to Processes RISK ASSESSMENT KEY DELIVERABLE AN ACTIONANBLE PLAN 14

16 Evaluate Existing System of Internal Control EVALUATION TOOLS Traditional Risk-Control Matrices, Working Papers & Summary of Control Deficiency Listings which identify control breakdowns and search for compensating controls COSO Suggestions Framework includes a number of enhanced tools that organizations can utilize to assess the efficacy of their internal controls 15

17 Traditional Documentation Approaches Documentation Prepare Narrative Interview Prepare Flowchart Prepare Risk- Control Matrix Validate Controls 16

18 Traditional Documentation Approaches Samples Accounts Payable 17

19 Traditional Documentation Approaches Samples 18

20 Traditional Documentation Approaches Samples The CLIENT, Anytown Accounts Payable 19

21 SAMPLE TOOLS Traditional Documentation Approaches Samples 20

22 Management Assessment Tools Provided by COSO 21

23 Sample Tools SAMPLE TOOLS ASSESSING THE COMPONENTS 1. Aggregate the design results of the principles 2. Aggregate the operating effectiveness of control suite for each principle 3. Identify deficient principles 4. Determine extent and impact of deficiencies 5. Assess the component 22

24 Evaluate Existing System of Internal Control EVALUATION TOOLS COSO TEMPLATES 23

25 Evaluate Existing System of Internal Control EVALUATION TOOLS COSO TEMPLATES 24

26 Evaluate Existing System of Internal Control EVALUATION TOOLS COSO SAMPLES 25

27 Thank you. Please contact us with any questions.