2013 COSO Framework Overview September 17, 2014

Transcription

1 2013 COSO Framework Overview September 17, 2014

2 With You Today Roger A. Martinez, CPA Assurance Partner Vasquez & Company LLP Los Angeles, CA Vasquez at a Glance Vasquez serving government agencies in California for over 40 years. Vasquez audit team partners and managers are former Big Four audit professionals. Consistently ranked among the top accounting firms in Los Angeles County as reported by the Los Angeles Business Journal. We provide the guidance and support for companies undertaking their first SOX compliance effort, helping them avoid a process that s long, tedious and costly. We can help with selecting an appropriate compliance framework, internal controls documentation, a readiness assessment, or a fully outsourced compliance solution. 2

3 COSO Overview The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five sponsoring organizations formed in 1985 Provides thought leadership through the development of frameworks and guidance on: - Internal control - Enterprise risk management - Fraud Designed to improve organizational performance and governance, and to reduce the extent of fraud in organizations Released original Internal Control-Integrated Framework in 1992 which has become the most widely used control framework used in management s SOX assertion. 3

4 Why the COSO Framework was updated Framework updates driven by changes in business and operating environments Environment changes Expectations for governance oversight Globalization of markets and operations Changes and greater complexity in business Demands and complexities in laws, rules, regulations, and standards Expectations for competencies and accountabilities Use of, and reliance on, evolving technologies Expectations relating to preventing and detecting fraud 4

5 Enhancements to the COSO Framework Heightened focus on entity-level controls, technology and fraud prevention / detection Original Framework COSO s Internal Control Integrated Framework (1992 Edition) Refresh Objectives Reflects changes in business & operating environments Expand operations and reporting objectives Articulates principles to facilitate effective internal control Enhancements Updated Context Broadens Application Clarifies Requirements Updated Framework COSO s Internal Control Integrated Framework (2013 Edition) 5

6 Overview of what is and is not changing Update expected to increase ease of use and broaden application What is not changing What is changing Core definition of internal control Three categories of objectives and five components of internal control Each of the five components of internal control are required for effective internal control Important role judgment in designing, implementing and conducting internal control, and in assessing its effectiveness Changes in business and operating environments considered Operations and reporting objectives expanded Fundamental concepts underlying five components articulated as principles with points of focus as additional guidance Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added 6

7 Introduction of principles The 17 principles are necessary for effective internal control Control Environment 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability Risk Assessment 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant changes Control Activities Information & Communication Monitoring Activities 10.Selects and develops control activities 11.Selects and develops general controls over technology 12.Deploys through policies and procedures 13.Uses relevant information 14.Communicates internally 15.Communicates externally 16.Conducts ongoing and/or separate evaluations 17.Evaluates and communicates deficiencies 7

8 Impact of adopting the updated Framework In addition to the 17 principles, the updated Framework contains more guidance on how technology relates to an entity s internal control structure. The 1992 Framework included many concepts directly relevant for technologies of the time. Since then the technology has rapidly evolved from not only something embraced by the largest and most advanced companies to a foundation block of nearly all companies. The 2013 Framework includes more focus on technology throughout the components of internal control as well as broader focus on the impact of technology on the internal control structure rather than on the specific types of technology. Because more companies are outsourcing key portions of their business activities or control systems to third parties, the updated Framework also includes expanded guidance and considerations related to outside resources, such as third-party processors. The updated Framework also expands the reporting aspect of internal control to consider more than just financial reporting of non-financial information and internal reporting. 8

9 Impact of adopting the updated Framework Finally, the advances in technology and communications have increased the reach of many companies both from a supply and development side and in sales or service delivery. For many entities, local or national boarders no longer serve as significant barriers. Rather, businesses are increasingly conducted on a multi-location or global basis. The 2013 Framework includes additional guidance and consideration for businesses operating in these environments: Illustrative Tools for Assessing Effectiveness of a System of Internal Control Internal Control over External Financial Reporting: A Compendium of Approaches and Examples 9

10 Impact of adopting the updated Framework Monitoring has ben changed to Monitoring Activities. This change is intended to broaden the perception of monitoring as a service of activities undertaken individually and as part of each of the other four components, rather than as one unique process. Financial Reporting has been changed to Reporting. This change is intended to broaden the application of the Framework not only to external financial reporting as it has often been applied, but also to include internal reporting as well as external reporting of non-financial measures. 10

11 Impact of adopting the updated Framework Along the right side of the cube, the organization structure has been changed to align with COSO s Enterprise Risk Management Integrated Framework (ERM Framework) and also better illustrate that an effective internal control structure permeates an entire organization at all functional levels both independently and interdependently. It is also important to note that while there was consideration of combining the Internal Control Integrated Framework with the ERM Framework, the two remain separate, but interrelated. Internal control is an integral part of enterprise risk management, however, risk management encompasses a broader role than internal control in supporting the entity s governance structure. 11

12 Example principle and related points of focus Control Environment 1. Demonstrates commitment to integrity and ethical values Point of Focus: Sets the tone at the top Establishes standards of conduct Evaluates adherence to standards of conduct Addresses deviations in a timely manner Points of focus are typically important characteristics of principles that can be used to facilitate designing, implementing, and conducting internal control There is no requirement to separately assess whether points of focus are in place Points of focus may not be suitable or relevant, and others may be identified Points of focus may facilitate designing, implementing, and conducting internal control 12

13 Example of controls embedded in other internal control components Component Principle Control Environment 1. Demonstrates commitment to integrity and ethical values Controls embedded in other components may effect this principle Human Resources review employees confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity Management obtains and reviews data and information underlying potential deviations captured in whistleblower hot-line to assess quality of information Internal Audit separately evaluates Control Environment, considering employees behaviors and whistleblower hotline results and reports thereon Control Environment Information & Communication Monitoring Activities 13

14 Impact of adopting the updated Framework Initiate level of effort will vary by organization depending on their existing level of documentation, stakeholder involvement and locations Provides flexibility in applying the Framework to multiple, overlapping objectives across the entity Easier to see what is covered and what is missing May reduce likelihood of considering controls that are irrelevant May reduce the number of discrete risks assessed and mitigated Potential for initial deficiencies if the system of internal control does not address each of the principles Heightened focus on entity-wide controls provides a platform for addressing increased entity-level scrutiny from authoritative bodies (e.g. SEC, PCAOB, AICPA) 14

15 Impact of adopting the updated Framework Understand the Framework Identify key stakeholders Awareness / education / training Map existing controls to principles Gap analysis / remediation Update documentation Timing considerations Updated Framework will supersede original Framework on December 15, 2014 Earlier implementation encourage During the transition external reporting should disclose which version of the Framework was used 15

16 Impact of adopting the updated Framework Implementing the 2013 Framework Entity-level control initiatives Provide COSO overview or training Governance, risk and compliance Identify stakeholders impacted by transition Map existing controls to the principles Update project tools, templates, documentation Prepare gap analysis Assist with developing remediation plan Enterprise risk management Information technology IT security and privacy Fraud prevention and detection Regulatory issues (e.g. FCPA) Addressing increased entity-level focus by authoritative bodies (e.g. SEC, PCAOB, AICPA) 16

17 Checklist for implementing the 2013 COSO Framework The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently issued its updated Internal Control- Integrated Framework (Framework) and related illustrative documents. This update contains a number of changes that may significantly impact public companies and other organizations utilizing the COSO Framework, changing the way they approach internal controls, including implementation, monitoring and reporting. The updated 2013 Framework will supersede the original guidelines on Dec. 15, 2014, with earlier implementation strongly encouraged. The checklist below is a useful tool to guide you through the implementation process. 17

18 Checklist Understanding the 2013 COSO Framework Task: Notes and action items: Timing: Read and become familiar with the 2013 COSO Framework, including the following changes: The linking of 17 Principles and 81 Points of Focus to the five components of internal control Enhanced consideration of governance, information technology and anti-fraud Updated reporting objectives Introduction of major deficiencies Leverage McGladrey resources: Contact us for a personalized overview or implementation assistance View our COSO Framework update webcast View our white paper, An overview of COSO s 2013 Internal Control-Integrated Framework Leverage COSO website resources: Framework guidance Books and other publications Sample templates News Leverage Institute of Internal Auditors (IIA) website resources: COSO resources Articles, books and reports Training and events News Develop initial project implementation plan and timeline for implementing the 2013 Framework 18

19 Checklist Identifying key stakeholders Task: Notes and action items: Timing: Internal audit Sarbanes-Oxley (SOX) team Audit committee members External auditor SOX steering committee Senior leadership Departmental or functional leadership and management team IT Process owners Third parties and outsourced service providers Personnel involved with anti-fraud programs International locations in scope, if not included above Update project implementation plan and timeline 19

20 Checklist Awareness, education and training Task: Notes and action items: Timing: Develop communication plan to bring awareness of the 2013 Framework changes to key stakeholders Prepare and distribute relevant communications to key stakeholders at key milestones throughout the implementation to keep them informed and engaged Provide training to the internal audit team Provide education and training to key stakeholders Maintain archive of key communications and trainings for future reference by key stakeholders 20

21 Checklist Map existing controls to 2013 Framework principles Task: Notes and action items: Timing: Map existing controls to applicable principles Identify gaps and prepare remediation plans Collaborate with the external auditor throughout the process Continue to update project implementation plan and timeline Gap analysis and remediation plan Task: Notes and action items: Timing: Assign to applicable stakeholders Monitor and update Report status to relevant stakeholders 21

22 Checklist Update methodology, tools, templates and relative documentation Task: Notes and action items: Timing: Methodology and approach guide Repository Templates library Documentation: Risk and control matrices Narratives and flow charts Test scripts Gap analysis and remediation plans Reporting packages: Internal audit Audit committee External audit Leadership and management External Update external reporting (e.g., 10Q, 10K) to reflect usage of the 2013 Framework 22

23 Checklist Additional items Task: Notes and action items: Timing: 23

24 Control Environment Five principles related to the control environment are introduced in the 2013 Framework 1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes, with broad oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. 24

25 Point of Focus control environment Principle 1. Demonstrates commitment to integrity and ethical values Sets the tone at the top Establishes standards of conduct Evaluates adherence to standards of conduct Addresses deviations in a timely manner Principle 2. Exercises oversight responsibility Establishes oversight responsibilities Applies relevant expertise Operates independently Provides oversight for the system of internal control Principle 3. Establishes structure, authority and responsibility Considers all structures of the entity Establishes reporting lines Defines, assigns, and limits authorities and responsibilities Principle 4. Demonstrates commitment to competence Establishes policies and practices Evaluates competence and addresses shortcomings Attracts, develops, and retains individuals Plans and prepares for succession Principle 5. Enforces accountability Enforces accountability through structures, authorities, and responsibilities Establishes performance measures, incentives, and rewards Evaluates performance measures, incentives, and rewards for ongoing relevance Considers excessive pressures Evaluates performance and rewards or disciplines individuals 25

26 Risk Assessment Four principles are introduced related to risk assessment: 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risk relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed. 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 9. The organization identifies and assess changes that could significantly impact the system of internal control 26

27 Point of focus risk assessment Principle 6. Specifies suitable objectives Operations objectives Reflects management s choices Considers tolerances for risk Includes operations and financial performance goals Forms a basis for committing resources External financial reporting objectives Complies with applicable accounting standards Considers materiality Reflects entity activities External non-financial reporting objectives Complies with externally established standards and frameworks Considers the required level of precision Reflects entity activities Internal reporting objectives Reflects management s choices Considers the required level of precision Reflects entity activities Compliance objectives Reflects external laws and regulations Considers tolerances for risk Principle 7. Identifies and analyzes risk Includes entity, subsidiary, division, operating unit, and functional levels Analyzes internal and external factors Involves appropriate levels of management Estimates significance of risks identified Determines how to respond to risks Principle 8. Assesses fraud risk Considers various types of fraud Assesses incentive and pressures Assesses opportunities Assesses attitudes and rationalizations Principle 9. Identifies and analyzes significant change Assesses change in the external environment Assesses change in the business model Assesses change in leadership 27

28 Control Activities Three principles are introduced related to control activities: 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. The organization selects and develops general control activities over technology to support the achievement of objectives. 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. 28

29 Point of focus control activities Principle 10. Selects and develops control activities Integrates with risk assessment Considers entity-specific factors Determines relevant business processes Evaluates a mix of control activity types Considers at what level activities are applied Addresses segregation of duties Principle 11. Selects and develops general controls over technology Principle 12. Deploys through policies and procedures Establishes policies and procedures to support deployment of management s directives Establishes responsibility and accountability for executing policies and procedures Performs in a timely manner Takes corrective action Performs using competent personnel Reassesses policies and procedures Determines dependency between the use of technology in business processes and technology general controls Establishes relevant technology infrastructure control activities Establishes relevant security management process control activities Establishes relevant technology acquisition, development, and maintenance process control activities 29

30 Information and Communication Three principles are introduced related to information and communication: 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 15. The organization communicates with external parties regarding matters affecting the functioning of internal control. 30

31 Point of focus information and communication Principle 13. Uses relevant information Identifies information requirements Captures internal and external sources of data Processes relevant data into information Maintains quality throughout processing Considers costs and benefits Principle 15. Communicates externally Communicates to external parties Enables inbound communications Communicates with the board of directors Provides separate communication lines Selects relevant method of communication Principle 14. Communicates internally Communicates internal control information Communicates with the board of directors Provides separate communication lines Selects relevant method of communication 31

32 Monitoring Activities Two principles are introduced related to monitoring activities: 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. 32

33 Point of focus monitoring activities Principle 16. Conducts ongoing and/or separate evaluations Considers a mix of ongoing and separate evaluations Considers rate of change Establishes baseline understanding Uses knowledgeable personnel Integrates with business processes Adjusts scope and frequency Objectively evaluates Principle 17. Evaluates and communicates deficiencies Assesses results Communicates deficiencies Monitors corrective actions 33

34 Scalability for Smaller Entities For many smaller entities, when looking quickly through the points of focus it is evident that many will not be relevant to their operations. Focuses on multiple locations or business units quickly can be dismissed for singlelocation businesses. The 2013 Framework includes specific additional guidance related to smaller entities and governments. The following highlights consideration points related to segregation of duties, management override, board of directors, information technology, and monitoring activities for these entities. Key consideration factors for each area include: 34

35 Scalability for Smaller Entities - Segregation of Duties Managers can review reports of detailed transactions on a regular and timely basis Managers can select transactions for review to supporting documents Managers can take periodic counts of inventory, equipment or other physical assets and compare them with the accounting records Managers can review reconciliations of account balances or periodically perform them independently 35

36 Scalability for Smaller Entities - Management Override Maintain a corporate culture of integrity and ethical values Implement a whistle-blower program Engage an effective internal audit program Attract and retain qualified board members 36

37 Scalability for Smaller Entities - Board of Directors To find qualified board members, companies may expand their search to broader populations with financial and accounting and other valued expertise 37

38 Scalability for Smaller Entities - Information Technology The use of commercially developed software packages: Reduces risks from program changes control requirements May include the ability to control access to selected employees May perform checks on data processing completeness and accuracy May be able to maintain related documentation 38

39 Scalability for Smaller Entities - Monitoring Activities Smaller entities may have less formal monitoring processes, but should still take credit for the monitoring performed It is noted in the Framework that smaller entities often need less formal documentation because there are fewer people working closer together. Consequently, management may perform monitoring through direct observation. 39

40 Risk Assessment Enhanced Concepts 40

41 Risk Assessment Enhanced Concepts Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Separates the financial reporting category into three objectives: (1) external financial reporting, (2) external nonfinancial reporting, and (3) internal reporting. 41

42 Risk Assessment Enhanced Concepts Cont. Principle 7 The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. Explains that the risk assessment process includes risk identification, analysis, and response. Incorporates the concept of inherent risk. Expands the discussion of risk tolerance and how risk may be managed, including by accepting, avoiding, reducing, and sharing risk. Considers velocity and persistence of risk (in addition to impact and likelihood). Incorporates consideration of OSPs. 42

43 Risk Assessment Enhanced Concepts Cont. Principle 8 The organization considers the potential for fraud in assessing risks to the achievement of objectives. Incorporates the concept of fraud risk assessment. Considerations related to various types of fraud, including fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, safeguarding of assets, management override, and corruption. Evaluating incentives, pressures, opportunities, attitudes, and rationalizations. Incorporates consideration of OSPs. 43

44 Risk Assessment Enhanced Concepts Cont. Principle 9 The organization identifies and assesses changes that could significantly impact the system of internal control. Importance of assessing changes in the external environment, business model, operations, technology, relationship with OSPs, leadership, and how such changes may affect internal control. 44

45 Risk Assessment Outsourced Service Providers 45

46 Risk Assessment - Outsourced Services Providers (OPSs) Risk identification must be comprehensive and take into account significant interactions between the organization and OSPs. An organization s risk assessment process takes into account risks originating in OSPs. The organization considers possible acts of corruption by OSPs during its fraud risk assessment, which should be based on the presumption that the entity s expected standards of ethical conduct are being adhered to. In assessing possible corruption, the entity is not expected to directly manage the actions of OSP personnel; however, management may stipulate expected levels of performance and standards of conduct through contractual relations and may develop control activities that maintain oversight of OSPs. Management assesses changes in relationships with OSPs to determine the relevancy of previously effective internal controls. 46

47 Risk Assessment Information Technology 47

48 Risk Assessment Information Technology Many organizations apply external IT standards to help manage their operations. Risks at the entity level can arise from internal or external IT factors. As part of its fraud risk assessment process, the organization should consider the nature of IT and management s ability to manipulate information. The likelihood of a loss of assets or fraudulent external reporting increases when there are: High turnover rates of IT staff. Ineffective IT systems. The organization identifies and assesses changes to IT to determine whether its system of internal control will need to be modified. 48

49 Example Controls for Risk Assessment 49

50 Risk Assessment - Controls Principle 6. The organization identifies and assesses changes to IT to determine whether its system of internal control will need to be modified. The organization links accounts, assertions and risks (can be accomplished through a risk assessment & control matrix). The organization sets as the entity s broad external financial reporting objective to prepare reliable financial statements in accordance with GAAP. Management subsequently specified the suitable financial reporting objectives and subobjectives for all significant accounts and activities, including accounting policies, financial statement assertions, and qualitative characteristics. Management assesses materiality of significant accounts, considering both quantitative and qualitative factors. Management reviews publications from professional bodies for updates in accounting pronouncements relevant to the business. Periodically, management presents to the audit committee an analysis of changes released or emerging issues that may significantly impact financial reporting and notes any significant differences from accounting policies of similar entities. Management reviews financial accounting policies and discusses significant accounting policies with the audit committee on an annual basis. 50

51 Risk Assessment - Controls Principle 6. The organization identifies and assesses changes to IT to determine whether its system of internal control will need to be modified. Management reviews and updates its understanding of applicable standards and statutory reporting requirements and communicates the update tot eh appropriate individuals / committees. Management reviews its financial statements on a monthly basis to ensure all significant activities are included and to analyze its various divisions for new developments and changes that may impact the organization. 51

52 Risk Assessment - Controls Principle 7 The organization analyzes risk across functions / departments and to significant financial statement accounts using pre-determined risk ratings. The organization analyses risk for information technology. The organization assesses the likelihood and significance of identified risks. The organization uses benchmark data to assess significance and response to risk. The organization analyzes risks from external factors. 52

53 Risk Assessment - Controls Principle 8 The organization analyzes fraud risk. The audit committee reviews the fraud risk assessment process and discusses the risk of management override of controls. The organization identifies and analyzes risk of material omission and misstatement due to fraud. The compensation committee analyzes the compensation structure. 53

54 Risk Assessment - Controls Principle 9 The organization analyzes change in the external environment and prepares contingency plans (such as decreases in donor contributions, etc.) The organization analyzes significant change from international exposure. The organization analyzes significant change from a system implementation or process change. The organization analyzes change through succession and plans for executive transition. 54

55 Questions? 55

56 Templates 1

57 Templates 2

58 Templates 3

59 Templates 4

60 Templates 5

61 Templates 6

62 Templates 7

63 Templates 8

64 Templates 9

65 Templates 10

66 Examples 11

67 Examples 12

68 Examples 13

69 Examples 14

70 Examples 15

71 Examples 16

72 Examples 17

73 Examples 18

74 Examples 19

75 Examples 20

76 Examples 21

77 Examples 22

78 Examples 23