Webinar Slides: Is Your Organization Ready for the New COSO Framework?


Published on

Original air date:
Jan. 16, 2014
View a recording at http://www.mhmcpa.com

Featuring Guest Speaker Bob Hirth, COSO Chairman

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control – Integrated Framework (the original framework). The original framework has gained broad acceptance and is widely used around the world. It is recognized as a leading framework for designing, implementing and conducting internal control and assessing the effectiveness of internal control.

In 2013, COSO published an updated framework which takes into consideration the dramatic changes in business and operations that have occurred in the twenty years since the original framework was published.

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Webinar Slides: Is Your Organization Ready for the New COSO Framework?

  1. 1. MHM Executive Education Series: Is Your Organization Ready for the New COSO Framework Presented by: Bob Hirth, COSO Chair James Comito, MHM Shareholder Rich Howard, MHM Shareholder January 16, 2014
  2. 2. Before We Get Started…  To view this webinar in full screen mode, click on view options in the upper right hand corner.  Click the Support tab for technical assistance.  If you have a question during the presentation, please use the Q&A feature at the bottom of your screen. #MHMwebinar 1
  3. 3. CPE Credit  This webinar is eligible for CPE credit. To receive credit, you will need to answer periodic participation markers throughout the webinar.  External participants will receive their CPE certificate via email immediately following the webinar. #MHMwebinar 2
  4. 4. Disclaimer The information in this Executive Education Series course is a brief summary and may not include all the details relevant to your situation. Please contact your MHM service provider to further discuss the impact on your financial statements. #MHMwebinar 3
  5. 5. Today’s Presenters COSO Chair Bob Hirth, CPA Bob was elected to a three-year term starting in June 2013. He has extensive experience in all of COSO's mission disciplines: enterprise risk management, internal control and fraud deterrence. He has worked on assignments and made presentations in over 15 countries, serving more than 50 organizations and working closely with board members, C-level executives, finance and accounting personnel and accounting firm partners and employees. Bob's career in accounting and finance stretches over 25 years. Most recently, he served as a Senior Managing Director of Protiviti, a global internal audit and business risk consulting firm. He is a recognized leader in the internal audit profession and was recently inducted into The American Hall of Distinguished Audit Practitioners. James Comito, CPA Shareholder 858.795.2029 | jcomito@cbiz.com A member of MHM’s Professional Standards Group, James has expertise in all aspects of revenue recognition, business combinations, impairment of goodwill and other intangible assets, accounting for stock-based compensation, accounting for equity and debt instruments and other accounting issues. Additionally, he has significant experience with a variety of other regulatory and corporate governance issues pertaining to publicly traded companies, including all aspects of internal control. In addition, James frequently speaks on accounting and auditing matters at various events for MHM. #MHMwebinar 4
  6. 6. Today’s Presenters Rich Howard, CPA Shareholder 949.450.4402 | rhoward@cbiz.com Rich serves as Vice President of the Board of Directors of MHM and is a member of both our Executive Committee and Professional Standards Group. He is also the Regional Attest Practice Leader for the West Region. Rich leads our SEC practice nationwide and is on the Executive Committee of the Global Audit Group for Kreston International, the firm’s international accounting network. #MHMwebinar ‹#› 5
  7. 7. Today’s Agenda 1 History of COSO 2 Why use the COSO framework? 3 Changes implemented in the new framework 4 The principles #MHMwebinar 6
  9. 9. 20 Years in the Making… CBIZ Webcast Robert Hirth Chairman, COSO 8
  10. 10. … “…while effective internal control requires leadership from the top, the responsibility for effective implementation of internal control resides with everyone in the organization, not just the finance function. This includes accountants, compliance officers and those involved in making contracts and supporting operations as well as those working on the production line to ensure that products produced meet quality objectives. …the individuals that are responsible for achieving the objectives are also responsible for the quality of internal controls. “ Larry Rittenberg Chair Emeritus, COSO 9
  11. 11. History is Important… 10
  12. 12. Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM) internal control and fraud deterrence. 9,300 386,000 15,000 > 600,000 67,000 180,000 11
  13. 13. Mission COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.” COSO’s Fundamental Principle Good risk management and internal control are necessary for long term success of all organizations 12
  14. 14. National Commission on Fraudulent Financial Reporting formed with James C. Treadway, Jr., former SEC And Thus… Commissioner and General Counsel, Paine Webber as its Chairman – becoming known as the “Treadway Commission” a private-sector initiative, was formed in 1985 to inspect, analyze, and make recommendations on fraudulent corporate financial reporting. Source: sechistorical.org 13
  15. 15. The Internal Control Recommendation All public companies should maintain internal controls that provide reasonable assurance that fraudulent financial reporting will be prevented or subject to early detection - this is a broader concept than internal accounting controls… …The Commission also recommends that its sponsoring organizations cooperate on developing additional, integrated guidance on internal controls… - Treadway Commission report 14
  16. 16. Timeline 2010: Fraud Study II Fraudulent Financial Reporting: 1998-2007 2004: Enterprise Risk Management Framework 1987: Treadway Commission Report 2009: Guidance on Monitoring Internal Control Systems 1996: Internal Control Issues in Derivatives 1985 1990 1995 2000 1999: Fraud Study I Fraudulent Financial Reporting: 1987-1997 1992: Internal Control – Integrated Framework 2005 2006: Guidance for Smaller Businesses on Internal Control over Financial Reporting 2010 2010-2013: Recent ERM thought papers on current issues 15
  17. 17. COSO Overview – Internal Control Publications 1992 2006 2009 2013 16
  18. 18. COSO is more than Internal Control… 17
  19. 19. W In the twenty years since the inception of the hy Make Changes? original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization Source: COSO September 2012 18
  20. 20. Why is COSO a Suitable Model? Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment. Source: SEC 19
  21. 21. Transition & Impact • Users are encouraged to transition applications and related documentation to the updated Framework as soon as feasible • Updated Framework will supersede original Framework at the end of the transition period (i.e., December 15, 2014) • During the transition period, external reporting should disclose whether the original or updated version of the Framework was used 20
  22. 22. SEC Drops New Hint: Update to New COSO Framework (Source: Compliance Week, November 12, 2013) “The staff indicated the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer's use of the 1992 framework satisfies the SEC's requirement for a suitable, recognized framework”, especially after the Dec. 15, 2014, transition date. 21
  23. 23. The revision process 22
  24. 24. Why update what works – The Framework has become the most widely adopted control framework worldwide. Original Framework COSO’s Internal Control–Integrated Framework (1992 Edition) Reflect changes in Refresh Objectives Expand operations and Articulate principles to business & operating reporting objectives facilitate effective environments Enhancements Updated Framework Updates Context internal control Broadens Application Clarifies Requirements COSO’s Internal Control–Integrated Framework (2013 Edition) 23
  25. 25. Project timetable Assess & Survey Stakeholders Design & Build 2010 2011 Public Exposure, Assess & Refine 2012 Finalize 2013 24
  26. 26. Project participants COSO Board of Directors PwC Author & Project Leader COSO Advisory Council Stakeholders • • • • • • • • Over 700 stakeholders in Framework responded to global survey during 2011 AICPA AAA FEI IIA IMA Public Accounting Firms Regulatory observers (SEC, GAO, FDIC, PCAOB) • Others (IFAC, ISACA, others) • Over 200 stakeholders publically commented on proposed updates to Framework during first quarter of 2012 • Over 50 stakeholders publically commented on proposed updates in last quarter of 2012 25
  27. 27. Project deliverable #1 – Internal Control-Integrated Framework (2013 Edition) • Consists of three volumes: ▫ Executive Summary ▫ Framework and Appendices ▫ Illustrative Tools for Assessing Effectiveness of a System of Internal Control • Sets out: ▫ Definition of internal control ▫ Categories of objectives ▫ Components and principles of internal control ▫ Requirements for effectiveness 26
  28. 28. Project deliverable #2 – Internal Control over External Financial Reporting: A Compendium.... • Illustrates approaches and examples of how principles are applied in preparing financial statements • Considers changes in business and operating environments during past two decades • Provides examples from a variety of entities – public, private, not-for-profit, and government • Aligns with the updated Framework 27
  29. 29. Update expected to increase ease of use and broaden application… What is not changing... What is changing... • Core definition of internal control • Changes in business and operating environments considered • Three categories of objectives and five components of internal control • Each of the five components of internal control are required for effective internal control • Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness • Operations and reporting objectives expanded • Fundamental concepts underlying five components articulated as principles • Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added 28
  30. 30. Update considers changes in business and operating environments… Environmental changes... …have driven Framework updates Expectations for governance oversight Globalization of markets and operations Changes and greater complexity in business Demands and complexities in laws, rules, regulations, and standards Expectations for competencies and accountabilities Use of, and reliance on, evolving technologies Expectations relating to preventing and detecting fraud COSO Cube (2013 Edition) 29
  31. 31. Update articulates principles of effective internal control Control Environment Risk Assessment Control Activities Information & Communication Monitoring Activities 1. 2. 3. 4. 5. Demonstrates commitment to integrity and ethical values Exercises oversight responsibility Establishes structure, authority and responsibility Demonstrates commitment to competence Enforces accountability 6. 7. 8. 9. Specifies suitable objectives Identifies and analyzes risk Assesses fraud risk Identifies and analyzes significant change 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures 13. Uses relevant information 14. Communicates internally 15. Communicates externally 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies 30
  32. 32. Update describes important characteristics of principles, e.g., Control Environment 1. The organization demonstrates a commitment to integrity and ethical values. Points of Focus: • Sets the Tone at the Top • Establishes Standards of Conduct • Evaluates Adherence to Standards of Conduct • Addresses Deviations in a Timely Manner • Points of focus may not be suitable or relevant, and others may be identified • Points of focus may facilitate designing, implementing, and conducting internal control • There is no requirement to separately assess whether points of focus are in place 31
  33. 33. Update describes how various controls effect principles, e.g., Component Principle Controls embedded in other components may effect this principle Control Environment 1. The organization demonstrates a commitment to integrity and ethical values. Human Resources review employees’ confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity Control Environment Management obtains and reviews data and information underlying potential deviations captured in whistleblower hotline to assess quality of information Information & Communication Internal Audit separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results and reports thereon Monitoring Activities 32
  34. 34. Transitioning Internal Control over Financial Reporting (ICFR) • 2013 Framework does not change SOX compliance requirements • If 1992 Framework has been appropriately applied to each of the five components of internal control, the transition should not result in significant changes or incremental efforts • Mapping of principles to controls (using points of focus) may reveal “gaps” in design, • For example, indirect entity-level controls associated with the “softer” components of internal control – Control Environment, Risk Assessment, Information and Communication, Monitoring 33
  35. 35. Transitioning Internal Control over Financial Reporting (ICFR), cont’d • Mapping exercise will support management assertion under SEC regulations • Management reactions and responses will differ depending on entity circumstances • A fresh look may reveal opportunities to re-design or remove controls to enhance effectiveness or efficiency • Points of Focus should assist in the mapping, evaluation and controls identification process 34
  36. 36. Company Preparation and Transition 35
  37. 37. May ‘13 Q2 Q3 Q4 2013 Q1 Q2 Q3 12/31/14 2014 Phase 1 •Educate and Communicate Phase 2 •Conduct Preliminary Assessment Phase 3 Phase 4 •Complete Assessment & Develop Action Plan •Execute Action Plan PwC 36
  38. 38. What You Need To Do… • Read, understand and train others • Meet with your audit firm • Take 17 Principles inventory • Map your Controls to Principles, consider POF’s • Evaluate results and plan change • Meet with your audit firm again • Execute the transition plan, monitor change 37
  39. 39. What Will NOT Change … • Top-down, risk-based approach • “Scoping” the financial statements • ICFR objectives • Identification of processes and controls • Walkthroughs • Risk and Control Matrix • Testing and reliance on work of others • Roll-forward to year-end • ITGC approach • Deficiency identification, assessment and aggregation • Deficiency, Significant Deficiency and Material Weakness Criteria • Evaluation of significant change quarterly and other changes 38
  40. 40. Don’t Be Surprised… • There’s some work to do • Additional documentation • Changes in some controls • Lack of full response from audit firm and changes in their positions • More, not less deficiencies • And then, watch for “PCAOB inspection impact” in 2015, including Auditor’s Report disclosures 39
  41. 41. 40
  42. 42. Control Environment 1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. . 41
  43. 43. Principle 2- Points of Focus • Establishes oversight responsibilities • Applies relevant expertise • Operates independently • Provides oversight to the system of internal control 42
  44. 44. Principle 3 - Points of Focus • Considers all structures of the entity • Establishes reporting lines • Defines, assigns and limits authorities and responsibilities 43
  45. 45. 44
  46. 46. Risk Assessment 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 9. The organization identifies and assesses changes that could significantly impact the system of internal control. 45
  47. 47. Principle 7- Points of Focus • Includes entity, subsidiary, division, Operating unit and functional levels • Analyzes internal and external factors • Involves appropriate levels of management • Estimates significance of risks identified • Determines how to respond to risks 46
  48. 48. 47
  49. 49. Compliance “Concepts” • Laws, rules, standards and regulations establish minimum standards of conduct • Compliance objectives are established • Management consider acceptable level of variation • Many laws and regulations depend on external factors, geography and industry- and at times, size 48
  50. 50. 49
  51. 51. Update considers changes in business and operating environments… Environmental changes... …have driven Framework updates Expectations for governance oversight Globalization of markets and operations Changes and greater complexity in business Demands and complexities in laws, rules, regulations, and standards Expectations for competencies and accountabilities Use of, and reliance on, evolving technologies COSO Cube (2013 Edition) Expectations relating to preventing and detecting fraud 50
  52. 52. Control Activities 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. The organization selects and develops general control activities over technology to support the achievement of objectives. 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place. 51
  53. 53. Principle 11- Points of Focus • Determine dependency between the use of technology in business processes and technology general controls • Establishes relevant: – technology infrastructure control activities –security management process control activities –technology acquisition, development and maintenance control activities 52
  54. 54. Outsourcing Alternative (page 23) “…While in principle, the same considerations apply whether controls are performed internally or by an outsourced service provider, outsourcing presents unique risks and often requires selecting and developing additional controls over the completeness, accuracy, validity of information submitted to and received from the outsourced service provider .” 53
  55. 55. Information & Communication 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 15. The organization communicates with external parties regarding matters affecting the functioning of internal control. 54
  56. 56. Principle 13- Points of Focus • Identifies information requirements • Captures internal and external sources of data • Processes relevant data into information • Maintains quality throughout processing • Considers costs and benefits 55
  57. 57. • Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that: – Each component and each relevant principle is present and functioning – The five components are operating together in an integrated manner • Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology) • Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies • A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives 56
  58. 58. does not prescribe controls to be selected, developed, and deployed for effective internal • The Framework control selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity • An organization’s • A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles • However, understanding and considering how controls effect multiple principles can provide persuasive evidence supporting management’s assessment of whether components and relevant principles are present and functioning 57
  59. 59. • Selecting, developing, and deploying controls to effect multiple principles may also reduce the number of discrete, layered-on controls. • Applying an integrated approach to internal control encompassing operations, reporting, and compliance – may lessen complexity. • In assessing severity of internal control deficiencies, use only the relevant classification criteria as set out in the Framework or by regulators, standardsetting bodies, and other relevant third parties, as appropriate (pages 20 and 21). 58
  60. 60. COSO Can Help ALL Organizations! 59
  61. 61. Getting COSO Publications The updated Framework and related Illustrative documents are available in 3 layouts 1. E-book – This layout is ideally suited for those wanting access in electronic format for tablet use. An e-book reader from the AICPA is required to view this layout. Printing is restricted in this layout. • Purchase through www.cpa2biz.com 2. Paper-bound – This layout is ideally suited for those wanting a hard copy. • Purchase through www.cpa2biz.com 3. PDF – This layout is ideally suited for organizations interested in licensing multiple copies. • Contact the AICPA at copyright@aicpa.org 60
  62. 62. Internal Control–Integrated Framework A Suitable Model for ALL 61
  63. 63. 62
  64. 64. Thank You ! 63
  65. 65. 64
  66. 66. Disclaimer I am not employed by the PCAOB. My views and remarks are my own and do not necessarily reflect the views of the Board, its members or staff. 65
  67. 67. PCAOB Mission… To oversee the audits of public companies in order to protect investors and the public interest by promoting informative, accurate and independent audit reports. The PCAOB also oversees the audits of brokerdealers, including compliance reports filed pursuant to federal securities laws to promote investor protection. 66
  68. 68. SAY “GOOD BYE”…. 67
  69. 69. The Current Standards Agenda Audit Transparency (identification of engagement partner and other parties) Auditor’s Reporting Model –now 2014 Related Parties (and Significant Unusual Transactions) Audits of Broker Dealers/Stds Reorganization Going Concern (awaiting FASB actions) Other Auditors, Accountants and Specialists
  70. 70. Other Initiatives • Audit Committee Outreach • Fraud Task Force • Audit Quality Initiative • Broker-Dealer Audits, Standards, Changes • Emerging Growth Company Application • Audit Firm Rotation,Re-Tender,Tenure 69
  71. 71. Connect with Mayer Hoffman McCann linkedin.com/company/ mayer-hoffman-mccannp.c. @mhm_pc youtube.com/ mayerhoffmanmccan n slideshare.net/mhm pc gplus.to/mhmpc facebook.com/mhm pc blog.mhmcpa.com #MHMWebinar #MHMwebinar ‹#› 70