COSO Update [10Minutes]
Businesses face more hidden risks than ever―in social media, sprawling legal entities and in high frequency trading records. Effective internal controls can keep these threats in check, but they need to evolve with the times too. That's why COSO decided it was time to refresh their Internal Control-Integrated Framework. This update provides an opportunity to consider whether your controls are keeping up.

Published in: Business, Technology
Transcript

  • 1. 10Minutes on why the COSO Update deserves your attention
    May 2013

    Are your controls keeping pace with your business?

    Highlights
    • Applying the Update can help you strengthen controls and bolster confidence in meeting your operational, reporting, and compliance objectives.
    • New features in the Update help you uncover hidden risks and apply appropriate controls.
    • The Update helps you identify—and potentially avoid—how people, technology, and processes can cause control breakdowns.
    • Begin assessing how you can use the Update to build upon your current controls to address business changes.

    Hidden exposures in business—these are what effective internal control can help uncover. In recent years, we’ve witnessed and suffered the higher costs that can result when these threats remain unchecked.

    Where do the blind spots lurk in your business: In social media, where customer problems brew before a recall becomes necessary? In sprawling legal entities not monitored for satisfying compliance and reporting requirements? In high-frequency trading records that may conceal a staggering loss?

    The 1992 Internal Control-Integrated Framework developed by COSO has been widely adopted to support external financial reporting requirements. After 20 years, COSO decided it was time for a refresh. The 2013 update,[1] authored by PwC, is designed to address reporting, compliance, and operational objectives. This provides businesses and their stakeholders with a common vocabulary for getting a handle on the ever-changing environment. As business evolves, leading companies evolve their internal control systems. The newly released framework provides the perfect opportunity to consider: Are your controls really keeping up?

    A fresh look at controls may especially benefit your company if you’re going through...
    • A major change. Your growth, restructurings, or new markets, products, and partners—they introduce new risks.
    • Ongoing regulatory oversight and scrutiny. If you’re complying with more regional or global requirements, there may be little room for error.
    • Greater complexity in your operating model and structure. Taking on new service providers or other partners can create risks that may be far removed from the business.
    • Expanding reliance on technology. New uses of existing technology and new tech investments may impact risks for internal and external interactions.
    • New and evolving expectations for nonfinancial reporting. Stakeholders and regulators seek greater transparency and confidence in reporting.
    • Business failures and brand-damaging events. Businesses in many industries need to re-build trust with customers and stakeholders.

    [1] Update to the Committee of Sponsoring Organizations’ Internal Control-Integrated Framework, http://coso.org/IC.htm.
  • 2. At a glance
    Effective internal control adapts to change

    What are some changes in business… and how does the COSO Update help?
    • Regulatory scrutiny: Accounts for a growing web of global regulations, like financial reporting requirements and environmental standards
    • Increased reliance on technology: Provides a principle directed at controls over technology—infrastructure, development, use, and links with other processes
    • Expectation for additional reporting: Extends to cover non-financial reporting objectives, like sustainability reports and customer satisfaction measures
    • Complex, interconnected business: Helps you customize controls and see if they’re supporting multiple objectives and principles. And these updates will help you check what’s covered and what’s missing across the business—including dispersed and outsourced operations
    • Accelerating pace of businesses: Provides principles that help you adapt controls for planned changes and unforeseen circumstances—and keep them in sync with the business
    • Greater complexity in management models and legal structures: Explicitly considers business models and helps you apply controls across management operating models and legal entity structures
  • 3. 01 Gain confidence around what matters

    How can you be sure your system of control remains up to the task? The COSO Framework was updated in three important ways to make it easier for your controls to evolve with the business.

    1. Reflective of the current environment. The Update reflects how doing business has changed and provides guidance to assess risk and keep related controls current. For instance, the negative impact from a product defect can now be amplified through social media. However, if a company applies controls that enable it to monitor social channels, it could receive early warning.

    2. Applicable to more business objectives. The Update helps you apply internal control to your growing list of objectives. It now addresses internal reporting, which can satisfy requirements set by senior management and boards. The Update also covers external non-financial reporting requirements driven by laws, regulations, or even heightened stakeholder expectations. As with its predecessor, the Update still applies to financial reporting to support your compliance with Sarbanes-Oxley and enables you to strengthen existing controls, often without significant modification.[2] The Update makes it easier for you to address these objectives in an integrated way—more objectives don’t necessarily translate into more work. For example, a biotech company may have compliance requirements around purity standards. It can apply controls to help prevent a breach in purity while at the same time meeting a second objective of bolstering confidence in its reporting.

    3. Flexible and customizable. The Update is principles-based, making it more flexible, adaptable, and broadly applicable than a rules-based framework. It provides 17 principles that formalize fundamental concepts in the original framework. These principles help you specify objectives, assess risks, and deploy controls that you can adapt to meet your unique requirements. They can also help you meet objectives across the organization. For example, principles that you apply to prevent and detect fraud in financial reporting could also help you address fraud risks in wide-ranging operations that, if left unchecked, could impact local compliance objectives.

    Ramp up in the right areas
    You can apply internal control to many aspects of your business, but the key is targeting where it’s really needed. The Update can help you clearly identify and communicate where there are important objectives and select the right controls to apply. For example, over half of CEOs say availability of key skills is a top priority.[3] The Update has principles you can use to identify the specific, critical objectives that may be jeopardized if you’re unable to find the right talent. This lets you target where other controls may be needed, like greater management oversight or use of technology.

    Most businesses are planning changes that can impact controls
    Do you anticipate a major change at your company in the following areas over the next 12 months?
    • Customer strategies: 31%
    • Managing talent: 23%
    • Organizational structure: 22%
    • M&A, joint venture or strategic alliance: 22%
    • Technology investment: 21%
    Base: 1,330 global CEOs. Source: PwC, 16th Annual Global CEO Survey, January 2013.

    [2] See PwC’s Dataline (May 2013) for a discussion of implications of the Update for external financial reporting.
    [3] PwC, 16th Annual Global CEO Survey, January 2013.
  • 4. 02 Remove the blind spots

    Without a full view of your business, hidden exposures can put you at risk. The Update is designed to help reveal risks you may be unaware of.

    Reaching deep to pinpoint problems
    The Update helps you focus on objectives, related risks, and controls in all reaches of your business—its legal entities, divisions, operating units, and functions.

    Consider an executive who’s responsible for a legal entity but lacks the authority over some operations that roll up to it. As we’ve seen in recent crises, public and regulatory backlash is directed at the nominal leaders, even if they didn’t have authority over the operations where problems occurred.

    Controls should also keep business partners in clear view. One manufacturing company thought it had diversified its suppliers—only to discover that all the suppliers were actually buying from a single source. So when that single source broke down, it disrupted the manufacturer’s operations despite its efforts to diversify. The Update includes principles for specifying objectives and assessing risks across the business, and for establishing structures, authorities, and responsibilities that could head off issues like these.

    Keeping up with change
    Any change—new leaders and managers, new markets and products, growth, mergers and acquisitions, restructurings, or emerging technologies—introduces risks. The Update includes principles for identifying and assessing the impact of significant changes on internal control. For example, a manufacturer that acquires an online distributor might take on new inventory management risks. The company needs to determine if existing controls cover risks that could get in the way of achieving its operational objectives.

    Seeing across the business
    Risks can become problems far from where they begin. The Update can help you make sure your controls don’t miss any of these. Suppose you invest in an emerging market. The new entity could bring unexpected risks from new rules of business, tax and regulatory requirements, and distant operations, to name a few. Just as you’ve used controls for complying with Sarbanes-Oxley, you can apply them here to help you identify and mitigate the most critical risks before they become problems.

    If internal control is applied to achieve multiple objectives, the Update helps you see the entire business and prevent domino effects. In one case, a company’s financial reporting failure ultimately jeopardized its operations: A restatement of financial results drove down the stock price. This forced the company to break its debt covenants, and banks called in their loans, which led to a cash flow squeeze. The principles around risk assessment and monitoring activities help you identify potential problems before they happen.

    Most businesses have experienced recent changes that can impact controls
    Companies that have undergone a major business transformation in response to market shifts since mid-2011: 67%
    Base: Over 800 global executives and risk managers. Source: PwC, Risk in review—Global risk in the transformation age, 2013.
  • 5. 03 Take control through people, technology, information, and processes

    Businesses need to shore up controls
    • 46% of boards have held discussions regarding tone at the top, July 2011–July 2012 (1)
    • Availability of key skills concerns 58% of CEOs (2)
    • Speed of technological change concerns 42% of CEOs (2)
    • 57% of boards plan to devote more time to information technology opportunities and issues (1)
    1. Base: 860 public company directors. Source: PwC, Insights from the Boardroom, 2012.
    2. Base: 1,330 global CEOs. Source: PwC, 16th Annual Global CEO Survey, January 2013.

    The Update’s principles can help you keep potential gaps from developing, often by looking at how controls intersect with how business gets done.

    Preparing your people
    Your control environment establishes the structures, standards, accountabilities, and oversight for carrying out your business’s internal control. Your role here and that of other company leaders is crucial. To see why, just scan the media reports of recent crises, which dug into executive emails to determine if leadership set the right example, even if the breakdowns were far removed. Principles guide you through establishing a solid control environment.

    The Update helps you address people at all levels of the organization. It includes a principle for attracting, developing, and retaining competent personnel. Managers with key roles in operating units and functions, like supply chain, IT security, and portfolio management, are closest to the risks and changes that could impact them. They’re well-positioned to spot new risks, identify when issues are likely to occur, and select controls to mitigate risks. For instance, some financial services roles require professionals who can determine when transaction risk profiles are changing and take corrective actions.

    Understanding technology risks
    Even as technology is the engine of many businesses—connecting employees, partners, and customers—overreliance on technology can introduce risks and mask problems. This is especially true for mobile, social, cloud, and other emerging technologies. The Update includes a principle explicitly focused on controls over the use of technology. Data theft, for example, has become commonplace and companies should be prepared for handling a breach. Yet many businesses that have experienced data theft don’t have sufficient controls in place to even know how the breakdowns occurred and which systems or technologies made it vulnerable.

    Zeroing in on the right information and processes
    The Update includes several principles for using relevant information and communicating the right information to the right people. For example, a business could be surprised to find itself in a high risk position if it monitors only net financial positions without seeing the individual pieces that could push it into danger.

    The Update also addresses your significant processes and reminds businesses that they cannot delegate responsibility for achieving key objectives to business partners or service providers. For instance, many Internet-based businesses relied on a cloud service provider that experienced a service disruption. Those companies that had controls over the outsourced service with contingency plans in place kept operating; those that lacked such controls were forced to suspend operations. Principles address these kinds of situations and help you make sure controls support those processes relevant to achieving objectives across your business.
  • 6. 04 Time to refresh your internal control

    How can you bring your controls up to speed with the COSO Update? Consider these starting points and questions as you assess the controls you have today and determine where you need to focus your efforts.[4]

    See the big picture
    Specify objectives that matter to your business and would benefit from applying a comprehensive, integrated control system.
    • Which recent strategic, business, or operating decisions have introduced new risks?
    • How do our controls adapt to change? Is our organization prepared to respond to change?
    • Do we apply controls to objectives relating to internal reporting, non-financial reporting, operations, and compliance?
    • Can any of our controls be applied to more reporting, compliance, or operational objectives? Have we considered the entire organization?

    Learn from the past
    Take a fresh look at your existing controls in relation to the risks of achieving objectives.
    • What breakdowns have we experienced with our existing controls? Why didn’t we anticipate them?
    • What issues could have been prevented if we had greater internal control at the root cause?
    • How can we strengthen our systems of internal control by better connecting objectives, risks, and controls?

    Look at your controls through the Update
    Map relevant principles to existing controls. Doing this now allows you to leverage the benefits of the Update for important objectives. It also prepares your internal control over financial reporting to use the updated framework, which COSO has announced will supersede the original in December 2014.
    • How thoroughly have we implemented the fundamental concepts set out in the 1992 framework?
    • Have we overlooked any principles?

    Lead the refresh
    Appoint a leader to marshal the transition to the updated framework.
    • What is our board’s view on broadening use of internal control and implementing the COSO Update?
    • How can we use the COSO Update to re-engage executives and the board in strengthening our systems of internal control?
    • How do we engage divisions, operating units, operations, internal audit, risk management, compliance, finance, technology, and human resources in adopting the updated framework?

    [4] See PwC’s Resilience: A journal of strategy and risk (May 2013) for a discussion of how your business can use the Update to be more agile.
  • 7. Upcoming 10Minutes topics

    Prepare your balance sheet for new leasing rules
    The IASB and FASB are expected to issue their latest proposal on leases, and the potential impact could echo through the entire business. If your company uses leases, take notice: The proposed rules could change the way you present and recognize expenses in your income statement, make lease-vs-buy decisions, and execute agreements. And these changes could ultimately affect your company’s financial performance.

    Getting eco-efficiency right
    Nearly half (48%) of global CEOs in PwC’s 16th Annual Global CEO Survey say they plan to support eco-efficiency in the coming year by reducing environmental impacts. But chances are good these efforts will stall. Projects that are both cost-effective and good for the environment may never get off the ground. In this 10Minutes we’ll look at current approaches for making the business case for environmental initiatives, give examples of indirect benefits, and show how intangibles can be factored into your decisions.

    Managing tax uncertainty through operational effectiveness
    The tax function is an overlooked area for improvement. It is frequently bogged down by rigidity and antiquated systems, and unprepared for change. Even worse, its antiquated systems represent a hidden source of risk to the company and to the longevity of company CFOs. The tax function is ripe for systemic change, similar to how Lean, Six Sigma, and enterprise resource planning have transformed other company functions. The result: improved risk management, forecasting, analytical abilities—even cash savings.
  • 8. How PwC can help

    To have a deeper discussion about COSO Update and internal control, please contact:

    Author & Project Team Leaders
    • Miles Everson, Engagement Leader, 646 471 8620, miles.everson@us.pwc.com
    • Tim Ryan, Assurance – US Leader, 617 530 7376, tim.ryan@us.pwc.com
    • Stephen Soske, Project Lead Partner, 617 530 5731, stephen.soske@us.pwc.com

    PwC Practice Leaders
    • Dean Simone, Risk Assurance – US Leader, 267 330 2070, dean.c.simone@us.pwc.com
    • Charles Harris, Assurance – Partner, 973 236 5340, charles.e.harris@us.pwc.com
    • Dennis Chesley, Risk Advisory – Global Leader, 703 918 6154, dennis.l.chesley@us.pwc.com
    • Cara Beston, Risk Assurance – Partner, 408 817 1210, cara.m.beston@us.pwc.com
    • Jason Pett, Internal Audit – US Leader, 410 659 3380, jason.pett@us.pwc.com

    Learn more through videos, interactive graphics, slideshows, and podcasts. 10Minutes are now available in 60 seconds. Download the FREE 10Minutes app.

    © 2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. 10Minutes® is a trademark of PwC US. PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com. ST-13-0050
