COSO 2013 Internal Control Framework

Transcription

1 COSO 2013 Internal Control A Guide to Implementation July 24, 2014 Justin Adamson Agenda COSO Background Changes to the Roadmap to Implementation Implementation Considerations & Lessons Learned 2 1

2 Who/What is COSO? Committee of Sponsoring Organizations of the Treadway Commission (COSO) A private sector initiative, jointly sponsored and funded by: American Accounting Association (AAA) American Institute of Certified Public Accountants (AICPA) Financial Executives International (FEI) Institute of Management Accountants (IMA) The Institute of Internal Auditors (IIA) Formed after the SEC and U.S. Congress enacted campaign finance law reforms and the 1977 Foreign Corrupt Practices Act Primary responsibility is to develop frameworks and guidance on enterprise risk management, internal control and fraud deterrence 3 COSO 1992 Initial Initial framework defined control functions in terms of: Entities (2) Categories (3) Components (5) Source: SOX-Online.com 4 2

3 COSO 2013 Revised Revised the framework elements: Entities (4) Categories (3) Components (5) Source: Chapter 2 of COSO Internal Control: Integrated (2013). Supersedes previous framework on December 15, COSO 2013: Key Changes Codification of fundamental concepts from original framework as Principles and offers points of focus for each principle Expands the financial reporting category of objectives to include other forms of reporting (internal and non-financial) Consideration for changes to business and operating environments Increased relevance and dependence on IT Focus on fraud risk assessment 6 3

4 COSO Internal Control Integrated The 5 components and 17 principles of internal control are intended to function in an integrated manner Control Environment Risk Assessment Control Activities Information & Communication Monitoring Activities 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures 13. Uses relevant information 14. Communicates internally 15. Communicates externally 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies 7 COSO Internal Control Integrated Points of focus describe important characteristics of each Principle Control Environment 1. The organization demonstrates a commitment to integrity and ethical values. Points of Focus: Sets the Tone at the Top Establishes Standards of Conduct Evaluates Adherence to Standards of Conduct Addresses Deviations in a Timely Manner Control Examples: Source: coso.org BOD and established committees charged with oversight Code of Conduct defining integrity and ethical values expected by the company Follow-up/Investigation process of reported ethics violations 8 4

5 COSO Internal Control Integrated Risk Assessment 7. Identifies and Analyzes Risk Points of Focus: Includes Entity, Subsidiary, Division, Operating Unit and Functional Levels Analyzes Internal and External Factors Involves Appropriate Levels of Management Estimates Significance of Risks Identified Determines How to Respond to Risks Control Examples: Risk/Control Self Assessment process and adherence (Likelihood/Impact ranking) Risk and/or Performance metric dashboard monitoring and documentation of acceptance or avoidance Documented governance and oversight process to ensure risks are communicated to appropriate levels of mgmt. (escalation path) 9 COSO 2013: Why now? Catching up with emerging trends Globalization of economies Complexity of business operations Growing reliance on technology Increased reliance on thirdparty Increased volume and maturity of fraud schemes Increased government oversight, regulations, and legislation Increased focus and scrutiny of BoD and Senior Management oversight 10 5

6 Implementation Roadmap Evaluate & Plan Map to New Refine & Enhance Documentation Communicate & Train Read and interpret new framework Attend consultant webinars, seminars, and training classes Develop transition strategy with key stakeholders Top-down, risk based review of controls and map to framework as appropriate Consult with key mgmt. personnel to ensure appropriate coverage Consult with external auditors on COSO 2013 compliance Identify and clarify COSO 2013 controls in your universe Ensure appropriate testing is in place Internal Audit Involvement Consult with External Auditors Communicate control framework to key management, external auditors, and BOD Provide training and awareness of the new framework to stakeholders 11 Implementation Considerations All 5 components and all 17 principles must be present, functioning and operating together in an integrated manner Principles are present and functioning if any deficiencies are less than major (same as material weakness using traditional SOX control deficiency methods) If implementing the framework for SOX compliance only, consider building the foundation for applying it to other company objectives Take this opportunity to take a fresh look at all controls Consider controls for vendors, and external business partners Implementation Evidence: Mapping of 17 principles to key controls Memo documenting implementation approach and process (who was involved, timeline, etc.) 12 6

7 Lessons Learned From Early Adopters This is not a complete overhaul of your system of internal controls no major projects, consultants, or mountains of documents Top down, risk-based approach is recommended COSO did not intend this to be a checklist exercise. Utilize currently available COSO guidance, manuals and tools Engage external and internal auditors early and often Engage internal/external stakeholders from the beginning Approaches, complexity and level of effort vary by organization Controls and processes likely exist, but just aren t documented If it s not documented, it doesn t count! Present and functioning (tested) PCAOB report findings may cover COSO 13 COSO 2013 Revised Questions? 14 7