IIA Los Angeles Luncheon Third Party Assessments


Learn how the NEW 2013 COSO framework has changed and its impact on how you assess third party providers.

Learn how the NEW 2013 COSO framework has changed and its impact on how you assess third party providers.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
Speaker notes:
  • I would switch bullets 4 and 5 and change “How to Proceed” to “Next Steps”. So it looks like: Who is Aviva Spectrum; Next Steps
  • Should we offer free CCA here? $6500 value? Let’s talk to Sonia.


  • 1. Compliance Made Simple ©
  • 2. Agenda: Why it changed? What’s actually changing? Areas of the new framework impacting third party vendors
  • 3. Key influences to create updated framework. Social media and its impact on business processes, relationships and growth strategies were not foreseen factors. Fact: 92% of all companies use social media tools to recruit, according to the 2012 Jobvite Social Recruitment survey.
  • 4. Cloud Computing - Adoption. Cloud adoption continued to rise in 2013, with 75% of those surveyed reporting the use of some sort of cloud platform – up from 67% last year! (a) Source (a): 2013 third annual Future of Cloud Computing Survey
  • 5. How We See Framework Changes? 1992 COSO “Good”; ERM 2004; Small COSO 2006 “Better”; 2013 COSO “BEST”. 20 Principles (76 Attributes) vs. ?? Principles (?? Attributes)
  • 6. How We See Framework Changes? 1992 COSO “Good”; ERM 2004; Small COSO 2006 “Better”; 2013 COSO “BEST”. 20 Principles (76 Attributes) vs. 17 Principles (87 Attributes)
  • 7. Grouping “Better to BEST”
  • 8. Grouping from “Better to BEST” (Cont.)
  • 9. (no slide text)
  • 10. What’s been provided by COSO? • Executive Summary — high-level overview • Framework and Appendices — the new Framework’s seventeen principles, illustrating many approaches • Illustrative Tools for Assessing a System of Internal Control (Tools) — the Tools provide illustrative templates • Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples — this publication is for SOX
  • 11. COSO Monitoring Guidance. Vol #3 = Better job in providing how to evaluate third party providers and ties to the new 2013 COSO Framework.
  • 12. Implementation - what does COSO say? COSO’s press release of March 20, 2013: “it will continue to make available the original framework during the transition period extending to December 15, 2014, after which time COSO will consider it as having been superseded.” “continued use of the original framework during the transition period (May 14, 2013 to December 15, 2014) is appropriate. During that period, the Board believes that application of its Internal Control-Integrated Framework that involves external reporting should clearly disclose whether the original or 2013 version was utilized.” Source:
  • 13. Implementation - what does SEC say? SEC’s remarks at the 32nd Annual SEC and Financial Reporting Institute Conference, by Paul Beswick, Chief Accountant, Office of the Chief Accountant, U.S. Securities and Exchange Commission: “SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. However, at this time, I’ll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition.” Source:
  • 14. Polling Question: Who’s implementing the new framework in 2014?
  • 15. (no slide text)
  • 16. What “holds” a principle UP!
  • 17. Looking at Third Party Service Providers and New COSO. Example for Vol #3 “Illustrative Tools for Assessing Effectiveness of a System of Internal Control”. Company Background: 1. Private Company 2. $200 Million in Annual Revenue in Western US 3. Board is comprised of family members and a number of business professionals with significant experience 4. Internal Audit Dir. with over 15 yrs. exp.
  • 18. CE – Quick Review (Principle #3). Principle 3: Establishes Structure, Authority, and Responsibility — Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Points of Focus = 3
  • 19. Points of Focus – Quick Review. Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives. Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization: – Board of Directors — Retains authority over significant decisions and reviews management’s assignments and limitations of authorities and responsibilities – Senior Management — Establishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities – Management — Guides and facilitates the execution of senior management directives within the entity and its subunits – Personnel — Understands the entity’s standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives – Outsourced Service Providers — Adheres to management’s definition of the scope of authority and responsibility for all non-employees engaged
  • 20. Fast Forward: What did they find? Page 76: “CE 3-1: Management has defined and the board of directors has signed off on the company’s structures, reporting lines and authorities and responsibilities. However the business model has since evolved to encompass business partners, outsourced service providers, and new product lines that new or different oversight and control structures are needed. Internal control weaknesses relating to this new dimension of the business could therefore be missed and cause the company to fall short of meeting its internal financial reporting objectives.”
  • 21. So how bad is this? (Polling) MW / SD - Mod / CD - Low
  • 22. Answer – Vol. #3, Page 76: “This IC deficiency is important, but does not rise to the level of a major deficiency. Currently the business structure changes affect a relatively small portion of the entity”
  • 23. What would be helpful?
  • 24. IT Assessments. COSO wants more “benchmarking” based on its cloud computing 2012 Guidance (pages 8 to 16 for the Expert Auditor to read). Control Env. – Pr #3 (attributes 1 & 3) (page 34 of ICEFR Compendium). Control Act. (pages 85 – 86 of ICEFR Compendium)
  • 25. Cloud Computing and COSO Framework. Despite the security concerns, only 29% of organizations report conducting a heavy review of their cloud service provider’s security policies, procedures and capabilities. Source: CompTIA’s IT Industry Outlook 2012 Survey
  • 26. Example of Risk Assessment and Third Parties. RA 9-1: Some Operations Personnel do not possess the necessary skills to identify the risks associated with the new technology.
  • 27. Answer (page 96, Vol 3): CD – Compensating control was linked to Management’s annual risk assessment process.
  • 28. New CLOUD BOD & C-Level responsibilities by COSO. Impact: AICPA Audit Committee ToolKit (Tool #19 “Enterprise Risk Management: A Tool for Strategic Oversight”)
  • 29. Third Party Control Language, Good v. Bad Control Language. Older Language (“Bad”): Quarterly, the CFO reviews the valuation analysis provided by ABC firm in which the CFO determines if there is an impairment on Goodwill and signs and dates the “Valuation Report” verifying his review process. Updated Control (“Better”): Quarterly, the CFO provides the ABC Firm the quarter-ended “unadjusted Trial Balance”, which typically does not contain tax provision amounts, and the forecasted revenue line items by geographical location and product line, submitted via email to the ABC Partner and Senior Manager. Questions to confirm understanding of the assumptions of the forecasted revenue items are submitted via email, and corrections/adjustments to the forecast are done by the CFO and resubmitted to ABC Firm. ABC firm prepares the valuation report and assists management in determining if adjustments are required to Goodwill. Both the valuation report and adjustments if needed (e.g. J/E) are signed and dated by the CFO.
  • 30. So what happens in testing? BEFORE: Review initials – DONE! #1 - Initials #2 – Key reports review (completeness/accuracy) #3 – Analysis (recomputed assumptions, interviews with 3rd party, &/or validate summary). Public Company
  • 31. Third Party Control Language, Good v. Bad Control Language. Older Language (“Bad”): Annually, the CFO reviews SOC reports provided by the payroll service provider and reviews the report for an adverse opinion; if none, then he creates a memo documenting his steps to analyze the conclusion and end-user responsibilities to ensure the organization has met those requirements. Updated Control (“Better”): Annually, the CFO reviews the SOC (type 1, 2 etc.) reports from ADP and creates a memo documenting his review procedures, which includes a) Opinion/Conclusion review b) End-user Assessment c) Failures in the report and what management has determined is their risk response to such failures.
  • 32. COSO Health Check – On Your Own. Free Tool: Evaluation of 87 Attributes, go to . Included: 1) Introduction 2) Overall Assessment 3) Components (167 rows of data) 4) Principles w/Attr. (386 rows of data) 5) Deficiencies
  • 33. Quick Glance
  • 34. (no slide text)
  • 35. (no slide text)
  • 36. (no slide text)
  • 37. 1. Must abide by internal PnP/Memo 2. IT – Different than Financial controls 3. Evaluation tools based on standards (IIA such as GAIT or other publications and state source)
  • 38. Implementation Resources. Join the COSO 2013 LinkedIn Group for FREE templates, advice, and to learn from others implementing this new framework. COSO 2013 Implementation Implementation-4888186/about
  • 39. Contact Information: Sonia Luna, President, CEO, 700 S. Flower Street #1100, Los Angeles, CA 90017, P: (213) 250-5700