2013 COSO What’s new, what’s changed, why does it matter?

A presentation of our recent webinar on COSO

  • Lark to administer this poll question.
  • Speaker Notes: During the webcast registration process we provided you the opportunity to submit your questions regarding the 2013 COSO Framework. We are pleased to report that we received an overwhelming response to this request, with more than 2,000 people registering and over 400 questions submitted. Thank you for sharing your questions with us; we have used these questions as we defined the content for our webinar today. The list that is up on the screen is a summary of the topics covered in the questions you submitted. We had varying types of questions asked by the audience that spanned a wide variety of knowledge and experience with the COSO framework. For example, some people wanted to discuss the background of COSO and the reasons for the change, while others were more focused on specific details related to the implementation of the framework. We also had a number of questions driven toward how this might be impacted by specific external audit firms.
  • Speaker Notes: Here is a small representation of the questions that we are hearing in the market and from people like you when you submitted them during the registration process. Because we had such a large number of questions submitted and they covered a wide range of topics, we are developing a webcast series to properly address your questions. We recognize that the transition to the framework will be different for every organization and that the timing and approach that individual companies take will need to be reflective of their own organizations. Today’s webcast is the first of a series of COSO-focused webcasts that Protiviti plans to offer during the remainder of 2013 and into 2014. Due to the number of registrants and the depth of questions, we have decided to have the topic of these webcasts continue to be driven by the registrants.
  • Speaker’s Notes: We are very excited to talk to you about the 2013 COSO Framework. Today we will cover the topics outlined here. We realize that this is a small representation of the topics you all submitted during the registration process. We have dedicated the next hour to these topics. Again, this is the first of a series of COSO-focused webcasts that we plan to offer. We will address topics not covered today in a future webcast.
  • Speaker’s Notes: We will host the second webcast in this series during October 2013. During this webcast we will focus on the topic of implementing the 2013 COSO Framework. In that webinar we will get into more details on building the project plan, and how to implement it. You can register for the October webinar via the Attachments link in the webcast software. We will also send out a formal invitation in the coming weeks. We have plenty to cover in the next hour. Because we gathered your questions ahead of time, and in order to stay on topic, we will not have a formal Q&A session at the end of today’s webcast. We want to spend as much time as possible on the topics we’ve identified for today. However, we still would like to hear what questions you have in order to design the content for our future webinars and to see if we need to provide clarity on any of the topics we have on today’s agenda. So, with that in mind, please submit questions that come to mind during today’s event by using the Questions link at the top of the webcast software. Your questions will help design our future COSO webcast series as we want the series to properly reflect the questions top-of-mind to you.
  • Speaker Notes: Keith to transition to Bob for this slide. Bob to introduce this section.
  • Example questions received from the audience: What is the purpose of the COSO framework? Are most companies implementing the new COSO model from a SOX perspective (not operational)?
    Speaker Notes: COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO Internal Control - Integrated Framework is by far the most commonly used and referenced framework by which companies and their external auditors evaluate their internal controls over financial reporting, particularly for purposes of SOX reporting in the U.S. There is no ‘mandate’ to use the COSO Internal Control framework; however, most companies use it for SOX compliance as it meets the criteria set forth by the SEC for a suitable internal control framework. COSO is an appropriate framework for non-public companies to adopt to improve their internal control structure.
  • Example question received from the audience: Is COSO required for all businesses?
    Speaker Notes: To build on the PCAOB’s audit standard number 2, a framework is only suitable when it:
      • Is free from bias
      • Permits reasonably consistent qualitative and quantitative measurement of a company’s internal control over financial reporting
      • Is sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company’s internal control over financial reporting are not omitted
      • Is relevant to an evaluation of internal control over financial reporting
    COSO Internal Control – Integrated Framework meets these criteria. COSO has been used primarily for SOX compliance, so that is where the attention is with the adoption over the next 12+ months.
  • Example questions received from the audience: We received 11 questions in the Why Change category. What prompted the changes to the COSO framework? Why were changes in the framework considered necessary? What are the advantages of the change?
  • Example questions received from the audience: How does the initial COSO translate into COSO 2013? What are the major differences between new and old frameworks?
    Speaker Notes: For those familiar with the old framework, the new framework will look very familiar. You can get a copy of the framework’s executive summary on COSO’s website. When implementing COSO for SOC, most companies focused on Control Activities at the expense of the other COSO components.
  • Example questions received from the audience: How does the initial COSO translate into COSO 2013? What are the major differences between new and old frameworks?
    Speaker Notes: COSO’s Monitoring Control and ERM guidance are still in effect. The Smaller Public Company guidance issued by COSO is superseded by the new framework.
  • Lark to administer this poll question.
  • Speaker Notes: Jim to introduce this section.
  • Example questions from the audience: We received 19 questions around this topic, particularly as it relates to mapping guidance. Some of them include: What are the most important changes? How often should we expect that all of the 17 Principles will not apply? Do you find that most of the 17 principles can be applied to entity level controls? Are there any resources/guidance around mapping the 17 principles to a company's control environment?
    Speaker Notes: We expect that all companies will need to evaluate the 17 principles codified in the new framework. Within control activities, companies generally need to increase the precision of management review controls, and this has been a common finding in the PCAOB inspection report findings for SOX.
  • Example question received from the audience: Are the 81 points of focus to be used as guidelines or as a mandatory part of the framework?
    Speaker Notes: Companies will need to determine whether the points of focus are relevant for their organization. As you think about points of focus, let’s circle back to the three things we should remember about COSO:
      • Overall, the assessment of the effectiveness of internal control is directed to the five components and their underlying principles.
      • While points of focus are intended to provide helpful guidance to assist management in designing, implementing and conducting internal control and in assessing whether relevant principles are present and functioning, the New Framework does not require separate evaluations of whether they are in place.
      • If management intends to use points of focus when evaluating whether the principles to which they apply are present and functioning, assess whether they are suitable, relevant and complete based on the company’s specific circumstances.
  • Lark to administer this poll question.
  • Speaker Notes: Jim to introduce this section.
  • Example questions from the audience: We received 6 questions around testing. Some of them are: Does COSO provide guidance on testing operating effectiveness of the controls? What impact will this have on internal audit's approach to SOX (testing & evaluation of deficiencies)?
    Speaker Notes: In determining whether a component of internal control is present and functioning, senior management, with the board of directors’ oversight, needs to determine to what extent relevant principles underlying the component are “present and functioning.” Principles that are present and functioning operate within a range of acceptability, and do not need to achieve the highest level of performance.
  • Example question from the audience: What are the best methods for determining if components are "operating together"?
    Speaker Notes: “Operating together” refers to “the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.” Because components operate together, controls in one area of the framework can be leveraged to address other components, providing the opportunity to streamline controls. Another view of “operating together” recognizes that components are interdependent with a multitude of interrelationships and linkages, particularly in terms of how principles interact within and across components. For example:
      • The development and deployment of policies and procedures as part of Control Activities contributes to the mitigation of risks identified and analyzed within Risk Assessment.
      • The communication of internal control deficiencies to those responsible for taking corrective actions as part of Monitoring Activities reflects a full understanding of the entity’s structures, reporting lines, authorities and responsibilities as set forth in the control environment and as communicated within Information and Communication.
  • Example questions from the audience: Does a "major deficiency" imply a SOX 404 material weakness that precludes an unqualified opinion? When should we expect a final decision regarding new terminology re: deficiencies and weaknesses? What impact will this have on internal audit's approach to SOX (testing & evaluation of deficiencies)?
    Speaker Notes: COSO has new terminology for deficiencies, and defers to regulatory guidance when the framework is used for that purpose. The criteria set forth by the new framework (through the components and principles) provide the basis for management to apply judgment when assessing the effectiveness of internal control.
  • Example questions from the audience: Does COSO provide a confidence level to use? Is there guidance on how to implement 2013 COSO Framework for smaller reporting companies? (6 questions around this)
  • Lark to administer this polling question.
  • Speaker Notes: Keith to introduce this section.
  • Questions Received from the Audience: We received 33 questions about transitioning to the new framework. Most centered around the effective date. Here are some examples: Effective date? Will it be possible to continue using the 1992 framework after the 2013 implementation date is passed? Will this be delayed further? SEC Expectations? (5 questions)
    Speaker Notes: Companies will not want to defer implementing the new framework; you can probably expect the SEC to ask why you used the old framework after December 2014, along with external auditor pushback. Organizations should do a gap assessment against COSO 2013 before their next year-end report to determine if there are any gaps that might require disclosure under the old COSO framework. There are a limited number of circumstances where immediate application is encouraged. COSO 2013 provides companies with an opportunity to refresh their documentation and look at it with a new set of eyes.
  • Example questions from the audience: We received 9 questions about implementation specific to the actions necessary. Examples include: What do you think the most difficult part of the transition will be? What are the practical ways to apply the new changes? Do you recommend that the project manager be located outside of Internal Audit? How do you convert current documentation to meet the 2013 requirements?
    Speaker Notes: For companies that are getting ready to go public and are using COSO for the first time, it makes sense to use the new framework now. Consider the implications on outsourced service providers.
  • Example questions received from the audience: We received 93 questions around implementation, with 32 of them centering around the timeline for implementation and whether it is mandatory. Can you share a sample transition plan? What are the required transition timeline(s) for implementing the updated framework? What is baseline time frame for implementation?
  • Questions Received from the Audience: We received 25 questions on SOX testing implications. How will this change established SOX programs/testing? How does this impact management's testing of SOX controls?
    Speaker Notes: How well your organization has kept its SOX documentation up to date, and whether it has experienced any significant changes recently, will drive the level of update effort. For companies that have experienced the rigor of several years of compliance under Section 404 of Sarbanes-Oxley, it won’t be a significant undertaking. The compendium of approaches and examples for application of the framework to internal control over financial reporting may be useful for SOX initiatives and emphasizes the top-down, risk-based approach.
  • Questions Received from the Audience: We received 8 questions on level of effort. What changes are required to implement from a practical perspective? What is the most used approach; identify gaps and then work on the gaps? Anticipated cost and hours?
  • We’ve recently updated our frequently asked questions on COSO Internal Control.
  • Speaker’s Notes: Thank you again for attending today’s webcast and for continuing to submit questions related to the 2013 COSO Framework. As mentioned earlier, we will review these questions to help design our ongoing COSO webcast series. Don’t forget to register for our October webinar using the instructions provided on this slide. We will send out an invitation for this webcast in the near future.