COSO Case Studies from ACS Conference in DC
COSO Case Studies from Sonia Luna's November 2013 ACS Presentation in Washington DC.

Full PowerPoint presentation WITH hyperlinks.
Examples from COSO's new 2013 Framework.

  • Welcome to Movember: How many of you are in the Mo movement? Movember was started in Australia back in 2003 and today has raised over $147MM to raise awareness of men’s health issues by prompting conversations wherever they go! How many presidents have had a moustache in their profile picture? Three: 1) Chester Arthur – 21st President; 2) Grover Cleveland (2 terms) – 22nd President & 24th President; 3) Theodore Roosevelt – 26th President; 4) William Howard Taft – 27th President.
  • Should we offer free CCA here? $6500 value? Let’s talk to Sonia.
  • It’s been our professional experience that, for something that took COSO 20 years to update, with reading materials of just over 500 pages, it will take a team 6 months or more to complete the transition. I would not underestimate this process. I think we all agree that we got a lot of value today, from learning more about COSO’s two major frameworks and, more importantly, learning together that this TRANSITION is NOT a SLAM DUNK! I know I just proved it to you today that the transition is something to seriously consider: who you have on your team for this massive implementation project. I also know most of you today are going to download the COSO health check tool from our website, but here’s the thing: I want to make sure that this health check is something that YOU DO! It’s something that you can take back to your organization and really make an impact and, quite frankly, an IMPRESSION on your boss or BOSSES, for most of you! I don’t want this to be something where you tell your office colleagues you liked the webinar and learned so much; I would much RATHER you say “I have a PLAN!” So here’s what I’d like to do. We have already created a unique set of templates and analysis techniques to cover this COSO transition that we call the Control Compliance Analysis. There are over 150 participants for this webinar; unfortunately I’m not able to make myself personally available to you all, BUT what I’d like to personally offer some of you are 10 appointments that have already been carved out of my schedule over the next two weeks by my administrative assistant to have your own custom COSO Transition Road map for your organization. This is my gift to you, the live attendees that made the time today to show up and be present for this webinar. This CCA is where I personally provide you more in-depth analysis of what and HOW best to handle this COSO Transition process.
    Please send an email to info@avivaspectrum.com where my assistant will block off my time for you for this custom transition plan.

Presentation Transcript

  • Compliance Made Simple ©
  • Agenda
    1. New 2013 COSO v ERM
    2. COSO Case Studies
    3. Transition plan exercise
  • Implementation Resources: Technical community sharing ideas, templates and WEBINARS; advise and learn from others implementing this new framework. http://www.linkedin.com/groups/2013COSO-Implementation-4888186/about
  • COSO Deliverables – Holy Grail of Internal Control Frameworks (Vol/Name – # Pages)
    Exec Sum. Overview – 10
    Vol 2: Framework/App – 186
    Vol 3: Tools/Effectiveness – 146
    Vol 4: SOX ICFR – 159
    Total pages – 501
  • Evaluating “Better to BEST”
  • Grouping “Better to BEST”
  • Grouping “Better to BEST”: Organization IDs and assesses changes that “COULD” significantly impact the system of IC:
    a) Mgmt changes
    b) System (IT)
    c) Process flow changes
    d) External reg changes
  • Grouping from “Better to BEST” (Cont.)
  • Where to get SOURCE Documents?
    AICPA (2008) Audit Committee Toolkit (approx. 7 templates will change)
    Monitoring Guidance (2008) (over 400 pages in 3 vol. set)
    New 2013 COSO (over 500 pages, then 150+ for ICFR guidance)
    2013 Illustrative Tools (145 pages)
  • How does this impact ERM?
    • ERM still EXISTS
    • Both frameworks are COMPLEMENTARY to each other and NEITHER is SUPERSEDING the OTHER!
  • How do ERM and IC visually LOOK? ERM is just PART of the OVERALL GOVERNANCE process in an organization. ERM is much BROADER than just looking at effective Internal Controls (Strategy/Risk Assessment). Internal Controls is the “BASE” or FOUNDATION.
  • COSO v ERM
  • COSO v ERM
    IC = Objectives are a PRECONDITION to an effective system of controls.
    ERM = Objective Setting component of the ERM Framework considers the process used by Mgmt & BOD for setting operations, reporting and compliance objectives.
  • COSO v ERM
    IC = Mgmt trying to meet these specific objectives.
    ERM = Strategic Objectives reflect Mgt’s choice of how the Entity will CREATE VALUE for its stakeholders.
  • COSO v ERM
    IC = Concept of Risk Tolerance is included as a precondition to IC but NOT a SEPARATE COMPONENT.
    ERM = Risk Assessment expanded, but only INTRODUCES Risk Appetite and Risk Tolerance concepts.
  • Now let’s take a look at NEW COSO
  • COSO Cheat Sheets: http://www.avivaspectrum.com/blog
  • COSO Version (Long) (Ex. Pr#1)
  • WIP – to ref to Approaches and page #
  • POINTS of FOCUS: What “holds” a principle UP!
  • Principle# – Points of Focus
    1 – 4
    2 – 4
    3 – 3
    4 – 4
    5 – 6
  • New Framework and ERM Differences – Control Environment
    Common to BOTH: Pr. #1 – Demonstrates commitment to integrity & ethical values; Pr. #2 – Exercises oversight responsibility; Pr. #3 – Est. structures, authority & responsibility; Pr. #4 – Demonstrates commitment to competency; Pr. #5 – Enforces accountability.
    Intro. New & Expanded in ERM / ERM Exclusive: Establishes Risk Mgmt Philosophy; Est. risk culture; Est. risk appetite.
  • Control Environment Key Differences
    1. ERM has a whole chapter devoted to “Entity’s Risk Management Philosophy” included in the section called “Internal Environment”.
    2. Provides examples of how shared beliefs and attitudes characterize HOW an entity considers risks, how it reflects on these values, and how they influence its culture and operating style.
  • Control Environment (Pr. #1): Organization demonstrates a commitment to integrity and ethical values.
    Points of Focus: 1. Sets the Tone at the Top 2. Est. Standards of Conduct 3. Evaluates Adherence to Standards of Conduct 4. Addresses Deviations in a Timely Manner
  • CASE STUDY 1 – CE (Vol. #3 – COSO IC Effectiveness, pg. 65-66)
    QUICK BACKGROUND:
    • Private Co., retail furniture company (family owned)
    • $200MM Rev and exclusively in Western US Sales
    • Evaluation of Principle #1
    COSO 2013 FINDINGS:
    1. No formal training program to make employees aware of the importance of adherence to standards of conduct.
    2. No process to evaluate EEs against the published integrity & ethics policy
    3. Processes to ID & Address Deviations are ad hoc
    QUESTION: Is this a Control Deficiency, Significant Def., or Major Deficiency?
  • Control Environment (Pr. #1)
    Points of Focus: 1. Sets the Tone at the Top 2. Est. Standards of Conduct 3. Evaluates Adherence to Standards of Conduct 4. Addresses Deviations in a Timely Manner
    Approaches: 1. Establishing Standards of Conduct 2. Leading by example on matters of integrity & ethics 3. Evaluating Mgmt & other personnel, OS service providers & Bus. Partners for Adherence to Standards of Conduct 4. Developing processes to report & promptly act on deviations from standards of conduct
  • Principle# – Points of Focus
    6 – 3
    7 – 5
    8 – 4
    9 – 3
  • New Framework and ERM Differences – Risk Assessment
    Common to BOTH: Pr. #7 – ID & analyzes risks/events; Pr. #8 – Assesses fraud risk; Pr. #9 – ID & analyzes significant change.
    Intro. New but expanded in ERM / ERM Exclusive: Distinguishes risk & opportunities; Develops portfolio view.
  • ERM ADVANTAGE = Risk Assessment
    1. Potential events with positive impact represent opportunities, while those with negative impact represent risks
    2. ERM = Risks are “Inherent” & “Residual”
    3. ERM addresses “Interrelated Risks”, which are risks that include a “single event which may create MULTIPLE RISKS”
  • ERM ADVANTAGE = Risk Assessment: Real Life and Real Miley!
  • Risk Assessment – Pr. #7
    Points of Focus: • Includes Entity, Subsidiary, Division, Operating Unit & Functional levels • Analyzes internal and external factors • Involves appropriate levels of management • Estimates significance of risks ID • Determines how to respond to risks
    Approaches: • Applying a Risk ID process • Assessing risks to significant FS Accounts • Meeting with Entity personnel • Assessing Likelihood & Significance of ID risks • Considering Internal & External Factors • Evaluating Risk Responses
  • Miley Cyrus = Career Risk Assessment. Step 1: Internal Environment – “Leverage your Assets!” Achy Breaky Heart has: 1. Translated into 100 languages 2. Only single to reach triple platinum and #1 single in 1992 (Australia)
  • Step 2: Objective setting. 2013 COSO: Compliance w/laws and Regulations of PARENTS!
  • ERM and Miley Cyrus. ERM = Risk Assessment Process. Step 3: EVENT Identification = Disney (Pure Brand)
  • ERM and Miley Cyrus. Step 4: Risk Assessment (Part 1) = Music Career
  • ERM and Miley Cyrus. Step 5: Risk Assessment (Part 2) = Ditch Good Girl Look to Riskier Looks & Music
  • ERM and Miley Cyrus. Step 6: Risk Response = RISKIER LOOKS & VMA Actions
  • ERM and Miley Cyrus. Miley’s “Risk Response” Choices – like IC & ERM, the four categories are: 1. Avoid = Run Back to Disney Roots!
  • ERM and Miley Cyrus. Miley’s “Risk Response” Choices: 2. Reduce = Cut Down on Bad Girl Image (keep your clothes on!)
  • ERM and Miley Cyrus. Miley’s “Risk Response” Choices: 3. Share the Risk = Be weirder than “Lady Gaga”
  • ERM and Miley Cyrus. Miley’s “Risk Response” Choices: 4. Accept = Remember what happened to Britney, or “Britney who?” Get reactions like this!
  • Quick Poll: Miley’s “Risk Response” Choices – like IC & ERM, four categories: 1. Avoid = Run Back to Disney Roots! 2. Reduce = Stop the Bad Girl Image 3. Share = Befriend “Lady Gaga” 4. Accept = Too Late, No Turning Back. RISK Response should be?
  • ERM Risk Assessment Solution: Time Machine – get back to her good girl success patterns
  • Miley’s Plan B: Get with a real Manager and sort out other assets for the next 60 years! Remember she’s only 20 years old!
  • Case Study 2
  • Case Study 2 – Area: Risk Assessment (10-15 minutes). Task: Map each Suggested Approach to the Point of Focus that it achieves.
  • Case Study 3
  • Area: Risk Assessment. Task: Identify & analyze significant change and the resulting new risks to be considered
  • Background: ABC Inc. became aware of a hurricane approaching some of its manufacturing locations that had the potential to cause significant supply disruptions.
    Risk Response: In response, the company immediately established an internal working team to assess the risks of such disruption to its manufacturing capabilities, and the risks of its own affected facilities to its overall manufacturing footprint. All significant suppliers were contacted, via phone and email, and asked to assess the potential hurricane disruption to their production abilities. Parts that might be delayed for production and shipping were inventoried by the ABC “internal working team”, and alternative suppliers were identified and contacted. When no alternative suppliers were identified, the ABC internal team created a prioritization list of which manufacturing locations should receive the limited number of parts as they became available.
    Extracted from and modified – Source: Internal Control – Integrated Framework, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, May 2013, Page 75.
  • Case Study #3 TASK (5-8 minutes): Identify three new risks that may impact financial reporting and that the Finance & Accounting Team needs to consider.
    Extracted from and modified – Source: Internal Control – Integrated Framework, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, May 2013, Page 75.
  • Risk Assessment Policy – Workshop: Solutions to Pr. #9
  • Background – Policy Writing. GROUP Discussion – How would you create a “LAYOUT” for an RA Policy? (5-8 minutes)
  • Principle# – Points of Focus
    10 – 6
    11 – 4
    12 – 6
  • IT Assessments. 2. IT Cloud Environment – COSO wants more “benchmarking” based on its 2012 cloud computing Guidance (PAGE #8 to 16 for Expert Auditor to read). Control Env. – Pr #3 (attribute 1 & 3) (page 34 of ICEFR Compendium). Control Act. (page 85-86 of ICEFR Compendium).
  • Cloud Computing and COSO Framework: Despite the security concerns, only 29% of organizations report conducting a heavy review of their cloud service provider’s security policies, procedures and capabilities. Source: CompTIA’s IT Industry Outlook 2012 Survey
  • New CLOUD BOD & C-Level responsibilities by COSO. Impact: AICPA Audit Committee ToolKit (Tool #19 “Enterprise Risk Management: A Tool for Strategic Oversight”)
  • New Framework and ERM Differences – Control Activities
    Common to Both: Pr. #10 – Selects & develops control activities; Pr. #11 – Selects & develops general controls over IT; Pr. #12 – Deploys through policies and procedures.
    Intro. New but expanded in ERM: NONE. ERM Exclusive: NONE.
  • Principle# – Points of Focus
    13 – 5
    14 – 4
    15 – 5
  • New Framework and ERM Differences – Information & Communication
    Common to BOTH: Pr. #13 – Uses relevant information; Pr. #14 – Communicates internally; Pr. #15 – Communicates externally.
    Intro. NEW but expanded in ERM / ERM Exclusive: NONE per principle; ERM takes a broader view of Info/Comm. by highlighting data derived from past, present and potential future events.
  • Principle# – Points of Focus
    16 – 7
    17 – 3
  • New Framework and ERM Differences – Monitoring
    Common to BOTH: Pr. #16 – Conducts ongoing &/or separate evaluations; Pr. #17 – Evaluates & communicates deficiencies.
    Intro. New & Expanded in ERM: NONE. ERM Exclusive: NONE.
    The NEW 2013 IC Framework presents a more current view of monitoring using a baseline & monitoring external service providers!
  • Example – Def. Policy
  • 4) Identify and Correct Deficiencies: If design or operating deficiencies are noted, the potential impact of control gaps or deficiencies on financial reporting shall be discussed with management. The magnitude or significance of the deficiency will determine if it should be categorized as a control deficiency, a significant deficiency, or a material weakness (see section 30.6). Corrective action plans (CAPs) shall be created and implemented to remediate identified deficiencies (see section 40). The contractor shall submit corrective action plans for all deficiencies (control deficiencies, significant deficiencies, and material weaknesses) identified as a result of A-123 Appendix A reviews and SSAE 16 Section I findings.
  • O/S Party Control Def. Reporting
  • PCAOB – Moves Forward
  • Good v. Bad Control Language
    Older Language (“Bad”): Quarterly, the Controller reviews the AR allowance for adequacy and reasonableness of reserve amounts by initialing and dating the “AR reserve” analysis.
    Updated Control (“Better”): Quarterly, the Controller reviews AR balances of significant customers with o/s balances greater than $10K and 5% of the AR balance, and those under that threshold by customer type (e.g. geographical location, types of orders, etc.), to review the AR allowance for accuracy and completeness. Adjustments, if needed, are sent via email to the AR manager; the final review of the AR reserve analysis is initialed and dated by the Controller and agrees to the final g/l balance for the period.
  • So what happens in testing? BEFORE: Review initials – DONE! Now the evidence tested is: #1 – Initials #2 – AR Threshold Analysis (completeness/accuracy) #3 – AR Emails w/follow-up interview documentation
  • COSO Health Check – On Your Own. Free Tool: Evaluation of 86 Attributes; go to www.AvivaSpectrum.com/Blog. Included: 1) Introduction 2) Overall Assessment 3) Components (167 rows of data) 4) Principles w/POF (386 rows of data) 5) Deficiencies
  • COSO’s guidance: IMPLEMENTATION IN 2014
  • COSO’s Transition guidance
  • GROUP DISCUSSION • TRANSITION PLAN – What are measurable results for the transition? List the Top 3 Activities to achieve results.
  • What do the materials say about transition? Understand which key documents to read.
  • CCA Transition Plan Step 1 – Awareness & Education! (Group – Document – Delivery Date – Next Steps)
    Board of Directors – Executive Summary – FY 2013 3rd Quarter Meeting – Agreement on Transition plan
    C-Level – Executive Summary – FY 2013 3rd Quarter Meeting – Internal Transition meeting Dec. 13, 2013
    SOX Director – All Four COSO Materials; COSO Cloud Based Guidance; Monitoring guidance Vol #3 – Nov. 4th – Draft Transition plan for Dec. 13th meeting (Dec. 6th)
  • CCA Transition Plan Step 2 – Preliminary Impact Assessment: Map your existing system of internal control against the updated COSO Framework.
    Area: ELC
    Assessment File name: 2013-ELC Assessment.xls
    Items/Controls Covered: 45
    New 2013 Impact: 5 PR & 17 POF
    # of Approaches (Vol. 4): 25 Unique Examples (these are NOT controls; estimate 2-3 controls per approach)
    Est. Eval. Lead Time: 2 weeks
    Due Date: Nov. 1st
    Impact inventory listing due: Nov. 8th
  • CCA Transition Plan Step 3: BOD & External Auditors. Each business unit or location may prepare its own local level assessment: Corporate Office (Fin, IT); Division 1 (Fin, IT); Operating Unit (Fin, IT).
  • CCA Transition Plan
  • CCA Transition Plan: In-Scope Entity With Control Deficiency from Prior Year. The Initial Impact Analysis should give WARNINGS to BOD & C-Level Mgmt immediately!
  • Step 4: Develop & Execute the Plan
    Overview/Forecast (2 mos. lead time)
    Company SOX Aggregate Impact (3 mos. lead time)
    Finance & IT Deliverables Impact assessment (3-4 mos. lead time)
    Control Compliance Analysis (“CCA”)
  • Control Compliance Analysis: Info@AvivaSpectrum.com
  • Contact Information: Sonia Luna, President, CEO – Sonia.Luna@AvivaSpectrum.com – 700 S. Flower Street #1100, Los Angeles, CA 90017 – P: (213) 250-5700
  • ANSWER SHEET. “You can go ahead and cheat by looking at the answers ahead of everyone, but it’s only you that gets cheated.” – Sonia Luna. “Nearly all men can stand adversity, but if you want to test a man's character, give him power.” – Abraham Lincoln
  • Case Study #3 Answers. Some of the new risk areas to consider could be:
    1. Potential penalties contained within various sales contracts
    2. Inventory Obsolescence
    3. Impact from delays in supply of parts
    4. Insurance claims & potential losses
    5. Incremental risks from required system & process changes
    Consider: Audit Evidence Required to Mitigate the Risk.
    Extracted from and modified – Source: Internal Control – Integrated Framework, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, May 2013, Page 75.
  • Workshop Risk Policy Answers – Contents (Page No.)
    1. Introduction – 4
    2. Responsibilities – 4
    3. Definitions – 5
    4. Hazard Identification – 5
    5. Risk Evaluation and Estimation – 7
    6. Risk Control – 10
    7. Communication – 12
    8. Record Keeping – 12
    9. Monitoring and Review – 13
    10. Further Reading – 13
    11. Review of Policy – 13
    Appendix 1: Hazard Checklist – 14
    Appendix 2: Regulations requiring risk assessment – 15