Impact of New Internal Control Frameworks
Webcast: Tuesday, February 25, 2014
CPE Credit: 1.0
With You Today
- Bob Jacobson, Principal, Risk Advisory Services, Consulting Leader, West Region, Bob.Jacobson@mcgladrey.com, 949-255-6648
- Greg Schu, Partner, National Leader of Information Technology Audit Services, Greg.Schu@mcgladrey.com, 612-376-9520
- Mark Kultgen, Partner, National Leader of Internal Audit & SOX Services, Mark.Kultgen@mcgladrey.com, 414-298-2801

McGladrey at a Glance
- McGladrey is the 5th largest public accounting firm in the US and is the US member of RSM International, the 7th largest global network of independent accounting, tax, and consulting firms.
- Over 6,500 employees nationally in more than 75 offices, with over 700 offices in over 100 countries through RSM International.
- We have a global team of over 1,000 risk management professionals.
- We provide guidance and support for companies undertaking their first SOX compliance effort, helping them avoid a process that is long, tedious and costly. We help with selecting an appropriate compliance framework, internal controls documentation, a readiness assessment, or a fully outsourced compliance solution.
- Ranked 2nd on the 2012 Accounting Today VAR 100 for Microsoft Dynamics, Deltek, Intacct and NetSuite. Associate Business Partner of SAP.
- We have collaborated with our clients on more than 1,000 Sarbanes-Oxley engagements.
Agenda & Objectives
Topic (Minutes)
- Overview of Control Frameworks (20)
- COSO 2013 (20)
- Impact On Your SOX Program (10)
- Questions and Closing (10)
Control Frameworks: Recent Guidance

Financial Statement Focus
- COSO, Internal Control - Integrated Framework, May 2013
- PCAOB Staff Audit Practice Alert No. 11, Considerations For Audits of Internal Control Over Financial Reporting, October 24, 2013
- SEC Remarks Before the 2013 AICPA National Conference on Current SEC and PCAOB Developments: Audit Policy and Current Auditing and Internal Control Matters, December 9, 2013

IT Focus
- Sarbanes-Oxley Act, 2002
- Service Organization Controls (SOC), AICPA, 2011, 2013
- COBIT 5, ISACA, 2012
- ISO 27002, ISO, 2013
- HIPAA/HITECH, HHS, 2013
- Payment Card Industry, PCI Security Standards Council, 2013
- Framework for Improving Critical Infrastructure Cybersecurity, NIST, 2014
- Critical Security Controls (CSC, CCS), SANS Institute
- BITS Shared Assessment Program / Standard Information Gathering (SIG)
Control Frameworks: IT Focused
Frameworks: Purpose
Why all the options? Different industries, different standards:
- Healthcare focus
- Financial reporting focus
- Protecting cardholder information
- General IT controls
- General security and privacy
Frameworks: How To Handle
What are the identified risks, specifically IT?
- Current risk assessment
- Risks prioritized based on external and internal activities
What framework makes sense?
- Based on the products and services provided
- Based on the organization's footprint (local or global)
What is the two- to three-year business plan?
- Company strategy: growing, maintaining, downsizing
Map out the framework and the requirements common across frameworks.
Frameworks: Common Themes
Common threads across the frameworks:
Identify the needs of
- Management, stakeholders, shareholders, departments, oversight committees, regulatory functions
Apply at an organization level
- Protecting the organization
- Consider the enterprise level and impact
- Consider a holistic approach: processes, culture, services, people, locations
Oversight of the framework
- Manage, monitor, detect, respond, escalate
Framework for Improving Critical Infrastructure Cybersecurity (NIST, 2014)
COBIT 5 (ISACA, 2012)
ISO 27002 (ISO, 2013)
Framework for Improving Critical Infrastructure Cybersecurity (NIST, 2014): excerpt from the Framework Core

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented.
Informative References:
- CCS CSC 4
- COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
- ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
- ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
- NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources.
Informative References:
- ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
- ISO/IEC 27001:2013 A.6.1.4
- NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5

ID.RA-3: Threats, both internal and external, are identified and documented.
Informative References:
- COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
- ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
- NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
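The earlier slide asks you to "map out framework and common requirements"; the Framework Core excerpt above is exactly the raw material for that. The script below is an added example, not part of the webcast material: it transcribes the three ID.RA rows shown on the slide, inverts the crosswalk so each control points back at the subcategories it supports, and reports which controls give you evidence for more than one subcategory (test once, satisfy several) and which frameworks leave a subcategory uncovered. The function names (`invert`, `shared_controls`, `coverage_gaps`) are the example's own; the reference identifiers are as printed on the slide.

```python
"""Crosswalk the NIST CSF ID.RA subcategories shown on the slide to their
informative references, then invert the mapping to find the controls that
satisfy more than one subcategory and the frameworks that leave gaps.

Added example; the mapping data is transcribed from the slide (CSF v1.0 Core,
ID.RA-1 to ID.RA-3), the code is not part of the original webcast material.
"""
from collections import defaultdict

# Informative references per subcategory, exactly as printed on the slide.
ID_RA = {
    "ID.RA-1": {
        "CCS CSC": ["4"],
        "COBIT 5": ["APO12.01", "APO12.02", "APO12.03", "APO12.04"],
        "ISA 62443-2-1:2009": ["4.2.3", "4.2.3.7", "4.2.3.9", "4.2.3.12"],
        "ISO/IEC 27001:2013": ["A.12.6.1", "A.18.2.3"],
        "NIST SP 800-53 Rev. 4": ["CA-2", "CA-7", "CA-8", "RA-3", "RA-5",
                                  "SA-5", "SA-11", "SI-2", "SI-4", "SI-5"],
    },
    "ID.RA-2": {
        "ISA 62443-2-1:2009": ["4.2.3", "4.2.3.9", "4.2.3.12"],
        "ISO/IEC 27001:2013": ["A.6.1.4"],
        "NIST SP 800-53 Rev. 4": ["PM-15", "PM-16", "SI-5"],
    },
    "ID.RA-3": {
        "COBIT 5": ["APO12.01", "APO12.02", "APO12.03", "APO12.04"],
        "ISA 62443-2-1:2009": ["4.2.3", "4.2.3.9", "4.2.3.12"],
        "NIST SP 800-53 Rev. 4": ["RA-3", "SI-5", "PM-12", "PM-16"],
    },
}


def invert(crosswalk):
    """Map (framework, control) -> sorted list of CSF subcategories it supports."""
    index = defaultdict(set)
    for subcat, refs in crosswalk.items():
        for framework, controls in refs.items():
            for control in controls:
                index[(framework, control)].add(subcat)
    return {key: sorted(subs) for key, subs in index.items()}


def shared_controls(crosswalk, min_subcats=2):
    """Controls whose single piece of evidence covers at least min_subcats
    subcategories, most widely reused first (ties broken by framework, control)."""
    inverse = invert(crosswalk)
    hits = [(fw, ctl, subs) for (fw, ctl), subs in inverse.items()
            if len(subs) >= min_subcats]
    return sorted(hits, key=lambda hit: (-len(hit[2]), hit[0], hit[1]))


def coverage_gaps(crosswalk, framework):
    """Subcategories that a given framework does not map to at all, i.e. where
    evidence must come from another framework in the crosswalk."""
    return sorted(subcat for subcat, refs in crosswalk.items()
                  if framework not in refs)


if __name__ == "__main__":
    print("Controls that evidence more than one ID.RA subcategory:")
    for fw, ctl, subs in shared_controls(ID_RA):
        print(f"  {fw} {ctl}: {', '.join(subs)}")
    for fw in ("CCS CSC", "COBIT 5", "ISO/IEC 27001:2013"):
        print(f"{fw} does not address: {coverage_gaps(ID_RA, fw) or 'none'}")
```

Run as-is and the output shows the common thread the slide does not call out: ISA 62443-2-1 4.2.3 and NIST SP 800-53 SI-5 appear under all three subcategories, so one well-evidenced security-alert-and-advisory process covers the whole ID.RA row, while CCS CSC 4 and ISO/IEC 27001 Annex A each leave subcategories you must evidence from elsewhere. The same structure extends to the full Core by adding rows.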
Framework Impact on People and Systems
What options have been considered for personnel?
- Adequate staffing
- Adequate skills
- Train internally or supplement with contractors
- Co-source specific functions
- Full outsourcing
What options have been considered for solutions?
- Build or buy
- Rent (cloud)
Evaluate annually and adjust as needed based on business needs and external activities.
Frameworks
The frameworks require (nothing new):
- Sponsorship and support
- Policies, processes and procedures
- People
- Time to implement
- Monitoring of results
- Service and support
- Adjustment based on feedback
Framework: What Is Different
Emphasis on technology:
- Infrastructure, systems, mobile, data
Global risks more prevalent.
Impact not just to companies, but to individuals and employees.
New normal:
- Regular monitoring (identity monitoring, e.g., LifeLock)
- Check accounts and statements regularly
- Electronic scams: email, text, mobile phone, websites
2013 COSO Framework Discussion
COSO Overview
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five sponsoring organizations, formed in 1985.
- Provides thought leadership through the development of frameworks and guidance on:
  - Internal control
  - Enterprise risk management
  - Fraud
- Designed to improve organizational performance and governance, and to reduce the extent of fraud in organizations.
- Released the original Internal Control - Integrated Framework in 1992, which has become the most widely used internal control framework.
Select COSO Frameworks
- Internal Control - Integrated Framework (2013)
- ICOFR Guidance for Smaller Public Companies (2006)
- Internal Control - Integrated Framework (1992)
- Enterprise Risk Management - Integrated Framework (2004)
COSO Background: Why update what works?
The 1992 Framework has become the most widely adopted control framework worldwide.
Original Framework: COSO's Internal Control - Integrated Framework (1992 Edition)
Refresh objectives:
- Reflect changes in business and operating environments
- Expand operations and reporting objectives
- Articulate principles to facilitate effective internal control
Enhancements:
- Updates context
- Broadens application
- Clarifies requirements
Updated Framework: COSO's Internal Control - Integrated Framework (2013 Edition)
Overview of What Is and Is Not Changing
The update is expected to increase ease of use and broaden application.
What is not changing:
- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components of internal control is required for effective internal control
- Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness
What is changing:
- Changes in business and operating environments considered
- Operations and reporting objectives expanded
- Fundamental concepts underlying the five components articulated as principles, with points of focus as additional guidance
- Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added
2013 Framework Articulates Principles and Points of Focus
2013 COSO Cube: five components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities), 17 principles, points of focus, controls.
- Principles articulate fundamental concepts of components
- Points of focus describe important characteristics of principles
Legend:
- Components and Principles are requirements for an effective system of internal control
- Points of Focus and Controls are subject to management judgment
New Internal Control Principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Slide Source: COSO IC-IF Outreach Deck_12 29 11 (http://www.ic.coso.org/pages/about-the-project.aspx)
Update Clarifies Requirements for Effective Internal Control
Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:
- Each component and each relevant principle is present and functioning
- The five components are operating together in an integrated manner
Each principle is suitable to all entities; all principles are presumed relevant.
Components are present and functioning if each relevant principle is present and functioning, i.e., no major deficiencies exist.
Components operate together when:
- All components are present and functioning
- Internal control deficiencies aggregated across components do not result in one or more major deficiencies
Control Environment: More Detail
Control Environment: the set of standards, processes and structures that provide the basis for carrying out internal control across the organization.
Newly defined principles:
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Example Principle and Related Points of Focus
Control Environment, Principle 1: Demonstrates commitment to integrity and ethical values.
Points of Focus:
- Sets the tone at the top
- Establishes standards of conduct
- Evaluates adherence to standards of conduct
- Addresses deviations in a timely manner
Example of Controls Embedded in Other Internal Control Components
Component: Control Environment. Principle 1: Demonstrates commitment to integrity and ethical values.
Controls embedded in other components may affect this principle:
- Human Resources reviews employees' confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity. (Component: Control Environment)
- Management obtains and reviews the data and information underlying potential deviations captured in the whistleblower hotline to assess the quality of information. (Component: Information & Communication)
- Internal Audit separately evaluates the Control Environment, considering employee behaviors and whistleblower hotline results, and reports thereon. (Component: Monitoring Activities)
Transition & Impact
- Users are encouraged to transition applications and related documentation to the updated Framework as soon as feasible.
- The updated Framework will supersede the original Framework at the end of the transition period (i.e., December 15, 2014).
- During the transition period, external reporting should disclose whether the original or updated version of the Framework was used.
The impact of adopting the updated Framework will vary by organization:
- Does your system of internal control need to address changes in the business?
- Does your system of internal control need to be updated to address all principles?
- Does your organization apply and interpret the original Framework in the same manner as COSO?
- Is your organization considering new opportunities to apply internal control to cover additional objectives?
Steps for Implementing the 2013 Framework
- Understand the Framework
- Identify key stakeholders
- Awareness / education / training
- Map existing controls to principles
- Gap analysis / remediation
- Update documentation
Timing considerations:
- The updated Framework will supersede the original Framework on December 15, 2014
- Earlier implementation is encouraged
- During the transition, external reporting should disclose which version of the Framework was used
SOX 404 Ramifications
Transitioning to COSO 2013
- Required for fiscal years ending after December 15, 2014; early adoption is encouraged.
- During the transition period, external reporting should disclose whether the original or updated version of the Framework was used.
- In and of itself, many are finding the transition to COSO 2013 to be a mapping/documentation exercise.
  - Process-level controls: mostly an exercise in mapping controls to the COSO principles (in addition to the financial statement assertions)
  - Entity-level controls: enhancing documentation around entity-level controls and then mapping to the COSO principles
HOWEVER, there are other considerations.
Regulatory Observations
Recent SEC Remarks:
- "...some have suggested that auditors and the PCAOB have higher expectations than management when considering the adequacy of entity-level controls or the severity of control deficiencies..."
- "I continue to question whether all material weaknesses are being properly identified. It is surprisingly rare to see management identify a material weakness in the absence of a material misstatement."
- "...it may be useful for management to dust off the SEC's 2007 interpretive guidance and compare management's ICFR evaluation process to the SEC guidance to see if improvements are in order."
PCAOB Alert No. 11 Focus:
- Greater testing of system-generated data and reports that support downstream controls
- More thorough documentation mapping assertions to the controls identified
- More substantive testing to evidence the auditor's understanding of reviews performed over a control's effectiveness, including the reviewer's competence
- Increasing the level of control design testing and documentation to more thoroughly evidence the auditor's level of comfort that controls are designed to adequately address their stated objectives
Additional Factors to Consider
Other considerations while transitioning:
- Degree of separation that exists between the financial controls in place and those identified for SOX 404 purposes
- Degree of documentation that exists for entity-level controls
Now may be an opportune time to refresh your entire SOX 404 compliance program, including:
- Scope
- Entity-level controls
- Recent changes (e.g., process changes, acquisitions)
- Adequacy of control design documentation
- Increased control-based testing vs. inquiry and observation
- Financial statement assertion coverage
- Tools and templates
Recommended Actions
It depends:
- What is your motivation for considering a formalized internal control framework?
- Where is your company in its internal control maturity model?
At a minimum:
- Familiarize yourself with COSO's updated Framework and other relevant control frameworks
- Discuss with the audit committee/board and management
Consider:
- Adopting a formal internal control framework
- Establishing a process for identifying, assessing and implementing necessary changes in controls and related documentation
- Developing and implementing a plan to meet the key objectives of your selected framework
Questions?
Bob Jacobson, Greg Schu, Mark Kultgen
Appendix A: Points of Focus
Points of Focus: Control Environment
Principle 1. Demonstrates commitment to integrity and ethical values
- Sets the tone at the top
- Establishes standards of conduct
- Evaluates adherence to standards of conduct
- Addresses deviations in a timely manner
Principle 2. Exercises oversight responsibility
- Establishes oversight responsibilities
- Applies relevant expertise
- Operates independently
- Provides oversight for the system of internal control
Principle 3. Establishes structure, authority and responsibility
- Considers all structures of the entity
- Establishes reporting lines
- Defines, assigns and limits authorities and responsibilities
Principle 4. Demonstrates commitment to competence
- Establishes policies and practices
- Evaluates competence and addresses shortcomings
- Attracts, develops and retains individuals
- Plans and prepares for succession
Principle 5. Enforces accountability
- Enforces accountability through structures, authorities and responsibilities
- Establishes performance measures, incentives and rewards
- Evaluates performance measures, incentives and rewards for ongoing relevance
- Considers excessive pressures
- Evaluates performance and rewards or disciplines individuals
Points of Focus: Risk Assessment
Principle 6. Specifies suitable objectives
- Operations objectives
  - Reflects management's choices
  - Considers tolerances for risk
  - Includes operations and financial performance goals
  - Forms a basis for committing resources
- External financial reporting objectives
  - Complies with applicable accounting standards
  - Considers materiality
  - Reflects entity activities
- External non-financial reporting objectives
  - Complies with externally established standards and frameworks
  - Considers the required level of precision
  - Reflects entity activities
- Internal reporting objectives
  - Reflects management's choices
  - Considers the required level of precision
  - Reflects entity activities
- Compliance objectives
  - Reflects external laws and regulations
  - Considers tolerances for risk
Principle 7. Identifies and analyzes risk
- Includes entity, subsidiary, division, operating unit and functional levels
- Analyzes internal and external factors
- Involves appropriate levels of management
- Estimates significance of risks identified
- Determines how to respond to risks
Principle 8. Assesses fraud risk
- Considers various types of fraud
- Assesses incentives and pressures
- Assesses opportunities
- Assesses attitudes and rationalizations
Principle 9. Identifies and analyzes significant change
- Assesses change in the external environment
- Assesses change in the business model
- Assesses change in leadership
Points of Focus: Control Activities
Principle 10. Selects and develops control activities
- Integrates with risk assessment
- Considers entity-specific factors
- Determines relevant business processes
- Evaluates a mix of control activity types
- Considers at what level activities are applied
- Addresses segregation of duties
Principle 11. Selects and develops general controls over technology
- Determines dependency between the use of technology in business processes and technology general controls
- Establishes relevant technology infrastructure control activities
- Establishes relevant security management process control activities
- Establishes relevant technology acquisition, development and maintenance process control activities
Principle 12. Deploys through policies and procedures
- Establishes policies and procedures to support deployment of management's directives
- Establishes responsibility and accountability for executing policies and procedures
- Performs in a timely manner
- Takes corrective action
- Performs using competent personnel
- Reassesses policies and procedures
Points of Focus: Information and Communication
Principle 13. Uses relevant information
- Identifies information requirements
- Captures internal and external sources of data
- Processes relevant data into information
- Maintains quality throughout processing
- Considers costs and benefits
Principle 14. Communicates internally
- Communicates internal control information
- Communicates with the board of directors
- Provides separate communication lines
- Selects relevant method of communication
Principle 15. Communicates externally
- Communicates to external parties
- Enables inbound communications
- Communicates with the board of directors
- Provides separate communication lines
- Selects relevant method of communication
Points of Focus: Monitoring Activities
Principle 16. Conducts ongoing and/or separate evaluations
- Considers a mix of ongoing and separate evaluations
- Considers rate of change
- Establishes baseline understanding
- Uses knowledgeable personnel
- Integrates with business processes
- Adjusts scope and frequency
- Objectively evaluates
Principle 17. Evaluates and communicates deficiencies
- Assesses results
- Communicates deficiencies
- Monitors corrective actions
This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute assurance, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. McGladrey LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person.

McGladrey LLP is an Iowa limited liability partnership and the U.S. member firm of RSM International, a global network of independent accounting, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.

McGladrey, the McGladrey logo, the McGladrey Classic logo, The power of being understood, Power comes from being understood, and Experience the power of being understood are registered trademarks of McGladrey LLP.

McGladrey LLP, 18401 Von Karman, Suite 500, Irvine, CA 92612, 800.274.3978, www.mcgladrey.com