Recent COSO Internal Control and Risk Management Developments


Presentation by David L. Landsittel, Former Chair, COSO, September 24, 2013, Chicago, Illinois

Published in: Business, Economy & Finance


  1. Recent COSO Internal Control and Risk Management Developments
     IFAC and ISO Panel Discussion, September 24, 2013
     David L. Landsittel, Former Chair, COSO
  2. About COSO
     • Formed in 1985 to sponsor a group to make recommendations on Fraudulent Financial Reporting
     • A joint initiative of five private sector organizations:
       ▫ American Accounting Association (AAA)
       ▫ American Institute of Certified Public Accountants (AICPA)
       ▫ Financial Executives International (FEI)
       ▫ Institute of Management Accountants (IMA)
       ▫ The Institute of Internal Auditors (IIA)
  3. Mission
     COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”
     COSO’s Fundamental Principle: Good risk management and internal control are necessary for the long-term success of all organizations.
  4. COSO’s Three Areas of Focus
     1. Internal Control
     2. Enterprise Risk Management
     3. Fraud Deterrence
  5. Timeline
     • 1987: Treadway Commission Report
     • 1992: Internal Control – Integrated Framework
     • 1996: Internal Control Issues in Derivatives
     • 1999: Fraud Study I – Fraudulent Financial Reporting: 1987-1997
     • 2004: Enterprise Risk Management Framework
     • 2006: Guidance for Smaller Businesses on Internal Control over Financial Reporting
     • 2009: Guidance on Monitoring Internal Control Systems
     • 2010: Fraud Study II – Fraudulent Financial Reporting: 1998-2007
     • 2010-2013: Recent ERM thought papers on current issues
  6. COSO Internal Control Framework
     • First published in 1992
     • Gained wide acceptance following the financial control failures of the early 2000s
     • Most widely used framework in the US
     • Also widely used around the world – translated into 7 languages
  7. Why Update What Works?
     ICIF works well today: COSO’s Internal Control–Integrated Framework (1992 Edition)
     Enhancements:
     ▫ Updates context – reflect changes in business & operating environments
     ▫ Clarifies requirements – articulate principles to facilitate effective internal control
     ▫ Broadens application – update objectives; expand operations and reporting objectives
     ICIF will work better tomorrow: COSO’s Internal Control–Integrated Framework (2013 Edition)
  8. Project Plan & Timetable
     • 2010: Assess & Survey Stakeholders
     • 2011: Design & Build
     • 2012: Public Exposure & Assess
     • 2013: Finalize
  9. Project Participants
     • COSO Board of Directors
     • PwC – Author and Project Leader
     • COSO Advisory Council: AICPA, AAA, FEI, IIA, IMA, Public Accounting Firms, Regulatory observers, Others (IFAC, ISACA, others)
     • Stakeholder Input:
       ▫ Survey of over 700 stakeholders and users of the 1992 Internal Control – Integrated Framework
       ▫ Public exposures of the updated Framework draft and supporting documents
       ▫ Webcasts, round tables, direct correspondence, et al.
  10. Summary of Updates
     What is not changing...
     1. Definition of internal control
     2. Five components of internal control
     3. The fundamental criteria used to assess effectiveness of systems of internal control
     4. Use of judgment in designing and implementing controls and in evaluating the effectiveness of systems of internal control
     What is changing...
     1. Updated to reflect the current business environment
     2. Formalized fundamental concepts underlying the five components as principles
     3. Expanded financial reporting objective to address internal and external, financial and nonfinancial reporting objectives
     4. Increased focus on operations and compliance objectives based on user input
  11. Summary of Updates
     A changing business environment...
     • Expectations for governance oversight
     • Globalization of markets and operations
     • Changes in business models
     • Demands and complexity of rules, regulations and standards
     • Expectations for competencies and accountabilities
     • Use and reliance on evolving technology
     • Expectations for preventing and detecting fraud
     ...drives updates to the Framework.
  12. 17 Principles of the Updated ICIF
     Control Environment
     1. Demonstrates commitment to integrity and ethical values
     2. Exercises oversight responsibility
     3. Establishes structure, authority and responsibility
     4. Demonstrates commitment to competence
     5. Enforces accountability
     Risk Assessment
     6. Specifies suitable objectives
     7. Identifies and analyzes risk
     8. Assesses fraud risk
     9. Identifies and analyzes significant change
     Control Activities
     10. Selects and develops control activities
     11. Selects and develops general controls over technology
     12. Deploys through policies and procedures
     Information & Communication
     13. Uses relevant information
     14. Communicates internally
     15. Communicates externally
     Monitoring Activities
     16. Conducts ongoing and/or separate evaluations
     17. Evaluates and communicates deficiencies
  13. Update Articulates Principles of Effective Internal Control
     Control Environment
     1. The organization demonstrates a commitment to integrity and ethical values.
     2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
     3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
     4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
     5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
  14. Project Deliverables: Internal Control–Integrated Framework
     • Consists of three volumes:
       ▫ Executive Summary
       ▫ Framework and Appendices
       ▫ Illustrative Tools: Assessing Effectiveness of a System of Internal Control
     • Sets out:
       ▫ Definition of internal control
       ▫ Categories of objectives
       ▫ Components of internal control and related principles and points of focus
       ▫ Requirements for effectiveness
  15. Project Deliverables: Internal Control over External Financial Reporting: A Compendium
     • Provides approaches and examples illustrating how the principles are applied in preparing financial statements for external purposes
     • Is relevant for a variety of entities – public, private, not-for-profit, and government
     • Is consistent with and does not modify the updated Framework
  16. The ERM Framework
     • Published in 2004
     • Based upon a framework with similarities to the COSO 92 framework
     • Widely recognized, but not as widely adopted as COSO 92
     • Implementation not as robust as COSO 92
  17. Some Current ERM Challenges
     • Uneven support to adopt any formal risk management process
     • Less than robust ERM implementation
     • Difficulty “getting started” with ERM implementation
     • Difficulty aligning ERM with top management view
     • Inadequate board oversight of risk management – and regulatory pressure mounting for better oversight
     • Immature development of risk appetite
     • Failure to consider low likelihood but high impact risks – overconfidence
  18. COSO ERM Response
     Our objective – to assist stakeholders in moving up the “maturity curve” of an effective ERM process
     Publication of a series of thought papers
  19. COSO ERM “Thought Papers”
     • Four papers issued in 2009 surveying ERM practices – and particularly practices and recommendations related to board of director oversight
     • Four papers in 2011 and 2012 focusing on difficult ERM process implementation issues:
       ▫ “Getting Started”
       ▫ Developing Key Risk Indicators
       ▫ Understanding and Communicating Risk Appetite
       ▫ Risk Assessment Practices
     • Two papers in 2012-2013 dealing with applying ERM to current management issues:
       ▫ “Cloud” Computing Risks
       ▫ Sustainability Risks
     • A behavioral paper in 2012 dealing with Judgment Biases
  20. Questions or Comments? Thank You! David Landsittel