COSO 2013 Internal Control Integrated Framework
Fred J. Peterson, Partner, Moss Adams LLP
Disclaimer
The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including, without limitation, legal, accounting, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although this information may have been prepared by professionals, it should not be used as a substitute for professional services. If legal, accounting, investment, or other professional advice is required, the services of a professional should be sought. Content is not all-inclusive.
Agenda
- Background
  - What is COSO?
  - Reasons for the New COSO Framework
- COSO 2013 Framework
  - What Hasn't Changed?
  - What Has Changed?
- COSO 2013 Implementation Approach
  - Phased Implementation Approach
  - Practical Implementation Techniques, Common Gaps and Misconceptions
- Summary
- Questions
Background: What Is COSO?
- Internal Control Integrated Framework is a four-volume report first published in 1992
- Became the accepted framework following the financial control failures of the early 2000s
- Most widely adopted SOX 404 framework in the U.S. as a suitable, recognized control framework
- Use under SOX 404 focused solely on the COSO Financial Reporting objective
[Figure: Original COSO 1992 Cube]
Background: Reasons for a New COSO Framework
- COSO 1992 was nearly 20 years old and becoming outdated.
- Changes in the underlying business environment and associated risks, including:
  - Increased business risks; changing business models
  - Greater use of shared services and outsourced service providers
  - Complexity and change in rules, regulations, and standards
  - Reliance on evolving technology
  - Higher expectations for governance oversight, risk management, and detection and prevention of fraud from regulators and stakeholders
- Ongoing development and application of the internal control framework, such as:
  - Enrichment of corporate governance and control concepts
  - Significant practical implementation of the COSO 1992 Framework
  - Expansion beyond the strictly financial reporting component
  - Transition to a principles-based approach; codify prior implicit concepts
Background: Reasons for a New COSO Framework

Refreshed Objective                                          | Enhancement                                            | Result
-------------------------------------------------------------|--------------------------------------------------------|----------
Address significant changes to the business environment      | Updated, enhanced and clarified Framework              | COSO 2013
and associated risks                                         |                                                        |
Codify criteria to use in the development and assessment     | Added principles and points of focus                   | COSO 2013
of systems of internal control                               |                                                        |
Increase focus on operations, compliance and non-financial   | Expanded internal and non-financial reporting guidance | COSO 2013
reporting objectives                                         |                                                        |
COSO 2013 Framework: Overview
- Sponsored and funded by the same five organizations as COSO 1992 and authored by PricewaterhouseCoopers
- Significant public comment and revisions to exposure drafts, in addition to the survey of over 700 stakeholders and users of COSO 1992
- COSO 2013 was released in May 2013 and supersedes the 1992 Framework effective December 15, 2014
- Transitions COSO 1992 to a principles-based framework
- Intended to include enhancements and clarification on the 1992 Framework, including both structural and practical application changes
- SOX 404 compliance is not the sole or primary audience/purpose for COSO 2013; broadens the concept of financial reporting
COSO 2013 Framework: Overview

What hasn't changed...
- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components of internal control is required for effective internal control
- Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

What has changed...
- Changes in business and operating environments considered
- Operations and reporting objectives expanded
- Fundamental concepts underlying the five components articulated as PRINCIPLES
- Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added
COSO 2013 Framework: What Has Changed?
- 17 explicitly articulated principles associated with the 5 internal control components
  - Objective: to increase Management's understanding as to what constitutes effective internal control
- Added points of focus under each principle
  - Represent important characteristics that support each principle
  - Provide guidance to assist management in assessing whether the components of internal control are present, functioning, and operating together within the organization
  - Provide a much more granular approach, including more detail and clarity on implementation
COSO 2013 Framework: What Has Changed?
[Figure: A Visual Example of the Structural Hierarchy: 3 Objectives, 5 Components, 17 Principles, 87 Points of Focus]
An entity can achieve effective internal control if all principles are present and functioning and the control components are operating together.
COSO 2013 Framework: Three Objectives
- Operations: relates to achievement of the basic mission and vision
- Reporting: relates to 1) external financial reporting, 2) external non-financial reporting, and 3) internal financial and non-financial reporting
- Compliance: relates to compliance with laws and regulations
COSO 2013 Framework: Components and Principles

Control Environment
  1. Demonstrates commitment to integrity and ethical values
  2. Exercises oversight responsibility
  3. Establishes structure, authority, and responsibility
  4. Demonstrates commitment to competence
  5. Enforces accountability

Risk Assessment
  6. Specifies relevant objectives
  7. Identifies and analyzes risk
  8. Assesses fraud risk
  9. Identifies and analyzes significant change

Control Activities
  10. Selects and develops control activities
  11. Selects and develops general controls over technology
  12. Deploys through policies and procedures

Information and Communication
  13. Uses relevant information
  14. Communicates internally
  15. Communicates externally

Monitoring Activities
  16. Conducts ongoing and/or separate evaluations
  17. Evaluates and communicates deficiencies
COSO 2013 Framework: What Else Has Changed?
- Points of focus represent important characteristics of the respective principles and provide support to the principles to which they pertain
- Documenting or assessing points of focus is not required for effective internal control
- Not all of the points of focus relate to SOX considerations
COSO 2013 Framework: Drilling Down

Control Environment, Principle 1: Demonstrate a commitment to integrity and ethical values.

Points of Focus
  a. Sets the tone at the top
  b. Establishes standards of conduct
  c. Evaluates adherence to standards of conduct
  d. Addresses deviations in a timely manner

Approaches
  a. Leading by example
  b. Evaluates management and other personnel
  c. Evaluates outside service providers
  d. Develop a process to report and promptly act on deviations from Standards of Conduct
COSO 2013 Framework: What Else Has Changed?
- Increases the importance of the risk assessment
- Emphasizes the use of management judgment
- Increases relevance of technology
- Enhances discussion of governance concepts
  - Board of Directors, Subcommittees of the Board (Audit Committees, Compensation Committees, Governance Committees, etc.)
- Expands reporting category
  - Includes four types of reporting: both internal and external financial and non-financial reporting objectives
  - Establishes the term "internal control over external financial reporting" (ICEFR) as found in the Compendium
COSO 2013 Framework: What Else Has Changed?
- Enhances consideration of anti-fraud expectations
  - Considers the potential causes of fraud as a separate principle of internal control
- Increases the focus on non-financial reporting objectives
  - Expanded focus on operations, compliance, and non-financial reporting objectives
- Increased discussion on the impact of other service organizations (e.g., service organizations, joint ventures, etc.)
- Enhances considerations for the use of relevant and quality information
COSO 2013 Implementation Approach

Phase I: Develop Awareness and Alignment
- Understand changes in the COSO Framework
- Establish objectives for performing the COSO 2013 implementation
- Identify implications of the new Framework on the company's internal control structure
- Determine the extent of evaluation needed for full compliance
- Communicate with external auditor
- Communicate with Supervisory Committee

Phase II: Conduct Assessment
- Map the Framework's 5 components and 17 principles to the existing internal key controls
- Evaluate whether the 5 components and 17 principles exist and are operating individually and together
- Document results of the assessment and identify control gaps (if any)
- Identify and assess required changes (if any) in the company's internal controls
- Communicate with external auditor and Audit Committee

Phase III: Update Documentation
- Update the internal control documentation
- Update the assessment and testing plan
- Conduct testing in conjunction with SOX 404 compliance testing (as needed) to determine if principles are present and functioning
- Communicate with external auditor and Supervisory Committee
COSO 2013 Implementation Approach: A Practical Step-by-Step Guide
1. Create a matrix identifying relevant COSO components, principles and points of focus
2. Map existing entity-level key controls (ELCs) to the relevant COSO 2013 principles, using the points of focus for additional detail/description
3. Identify where principles are not addressed by existing key controls or documentation
4. Develop a remediation plan to address design or documentation gaps
5. Document controls that map to each principle and conduct testing
Common Gaps Identified During COSO 2013 Mapping Implementation
- Lack of a documented risk assessment related to Internal Control Over Financial Reporting (ICFR) (Principle 7)
- Not performing a fraud risk assessment; fraud has been identified as a separate principle of internal control (Principle 8)
- Inappropriate reliance on system-generated data and reports, including non-financial data and third-party data (Principle 13)
- Over-dependence on third-party reporting (what COSO considers "different business models") without evaluation of the underlying controls performed at the third party
- Informal evaluation and a lack of documentation/testing of the COSO components other than Control Activities
- Inadequate evaluation of internal control under the COSO requirements of "present and functioning" and "working in an integrated manner"
- Lack of precision in Management Review Controls
Misconceptions About COSO 2013

Myth: COSO 2013 requires a clean-slate approach to SOX and all new controls.
False. Many controls will remain unchanged. SOX business process and general computer controls fit in the Control Activities component of COSO, which is largely unchanged by COSO 2013. Existing entity-level controls should cover many (but not all) of the other COSO components.

Myth: COSO 2013 is focused on management review controls and reports.
False. This is a specific focus area of the PCAOB. While COSO 2013 is consistent with some of the PCAOB findings (e.g., system-generated reports and data), it is different from the areas recently identified by the PCAOB as SOX 404 audit deficiencies.
Misconceptions About COSO 2013

Myth: You can use all of your existing entity-level control documentation to address COSO 2013 and no testing is required.
False. Additional controls may be needed or require documentation based on your COSO 2013 mapping and assessment. Key controls will need to be tested, and COSO principles will need to be assessed to determine if they are present and functioning.

Myth: COSO 2013 will change your testing and evaluation methodology.
False. Neither COSO 1992 nor COSO 2013 specifies testing methodologies (sample sizes, sample period, etc.).
Misconceptions About COSO 2013

Myth: No changes are required to comply with COSO 2013.
False. At a minimum, implementing COSO 2013 will require a mapping to the new framework. Implementation could include expanding efforts over certain COSO principles or points of focus.
Example Tools
- Indirect and Monitoring Entity-Level Controls
- Direct Entity-Level Controls and Process-Level Controls
- Information Technology General Controls
- Management Reporting Controls
Indirect and Monitoring ELCs
- Four core COSO Components:
  - Control Environment
  - Risk Assessment
  - Information and Communication
  - Monitoring Activities
- These are broken into the 17 Principles (only about 14 apply to this level)
- These are subdivided into Points of Focus (some apply to multiple Principles, so about 60 subcategories exist)
- See partial example on next page
Indirect and Monitoring ELCs
[Figure: partial example of the indirect and monitoring ELC mapping tool]
Direct ELCs and Process-Level Controls
- Lists out the Control Activities
- Denotes automated vs. manual control
- Denotes significance of judgment
- There are four relevant Principles (#6, suitable objectives, overlaps with indirect ELCs)
- There are 10 relevant Points of Focus
- See partial example on next page
Direct ELCs and Process-Level Controls
[Figure: partial example of the direct ELC and process-level control mapping tool]
Information Technology General Controls
- These should address the following:
  - Access to Programs and Data
  - Program Changes
  - Program Development
  - Computer Operations
- All key process-level and direct ELCs that are automated controls should be mapped to ITGCs
Management Reporting Controls
Well-designed MRCs cover the following:
- Availability of documentation
- Precision of the control
- Requisite knowledge of the control operator
- Responsive to the identified risk
- Considers effects from internal and external factors
- Appropriately addresses management bias
- Uses high-quality, relevant information (i.e., data)
- Control output is monitored and evaluated
- Consistently applied from period to period
SEC Disclosure and Compliance Requirements
- As part of the COSO 2013 release in May 2013, COSO included a transition period from release through December 15, 2014.
- The SEC stated: "The longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer's use of the 1992 framework satisfies the SEC's requirement to use a suitable, recognized framework (particularly after December 15, 2014, when COSO will consider the 1992 framework to have been superseded by the 2013 framework)." [2]
- Companies must clearly disclose in their internal control report which framework was utilized during the current transition period. For example: "criteria established in the Internal Control Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)."
- Management and external auditor use the same framework.
- Companies must disclose material changes in internal control.

[2] http://www.thecaq.org/docs/reports and publications/2013septembe25jointmeetinghls.pdf
Resources: Internal Control-Integrated Framework
- Three volumes:
  - Executive Summary
  - Framework and Appendices
  - Illustrative Tools for Assessing Effectiveness of a System of Internal Control
- Sets out:
  - Definition of internal control
  - Categories of objectives
  - Components and principles of internal control
  - Requirements for effectiveness
Resources: Internal Control over External Financial Reporting
- Illustrates approaches and examples of how principles are applied in preparing financial statements
- Considers changes in business and operating environments during the past two decades
- Provides examples from a variety of entities: public, private, not-for-profit, and government
- Aligns with the updated Framework
Questions
Fred J. Peterson
Partner, Moss Adams LLP
503 471 1262
fred.peterson@mossadams.com