2009 COSO Guidance & Impact
Agenda
• How COSO’s 2009 Monitoring Guidance Impacts Smaller Co.
• Leveraging 2009 Guidance to Cut Costs
• Practical SOX Compliance Steps
• Dealing with External Auditors
• Key Remediation and Reporting Issues
Quick Overview of COSO
• COSO was formed in 1985
• Introduced a Framework for internal controls in 1992
• COSO comprises five professional associations:
  • American Accounting Association
  • AICPA (American Institute of Certified Public Accountants)
  • FEI (Financial Executives International)
  • IIA (The Institute of Internal Auditors) and
  • IMA (Institute of Management Accountants)
The Face of COSO
Photo caption: Charles C. Cox (far left); Bevis Longstreth (second from left); John S. R. Shad (second from right); James C. Treadway, Jr. (far right).
Mr. Treadway: Committee of Sponsoring Organizations of Treadway Commission (aka COSO)
Source: www.sechistorical.org
COSO Guidance - Timeline
• 1985: COSO formed
• 1987–1997 Fraud report on public companies, issued 1999
• Framework introduced in 1992
• Guidance on Derivatives issued 1996
• ERM Framework issued 2004
• Guidance for Smaller Public Companies issued June 2006
• Monitoring Guidance issued Feb. 2009
• 2010: Fraud report on public companies
How to get COSO Materials
• Free download of executive summaries (e.g. introduction or overview documents) of their guidance materials, located at http://www.coso.org/guidance.htm
• www.cpa2biz.com: site represents AICPA and COSO related products. Search terms such as internal controls, COSO, etc.
2009 COSO Monitoring Guidance
• Introduction: free download; intended for CFO, CEO, BOD and AC members
• Vol. 1 Guidance Overview: intended for C-level, BOD and AC members, and Director of Internal Audit
• Vol. II Application: discusses how the guidance impacts and links to 1992 and 2006 COSO guidance materials. Audience: DIA, internal audit staff etc.
• Vol. III Examples: provides templates to leverage monitoring guidance theory. Audience: DIA, internal audit staff etc.
Vol. #1 - Overview
• Four Sections
1. Purpose of Guidance
2. Nature & Purpose of Monitoring
3. A Model for Monitoring
4. Summary Considerations
The Purpose of the Guidance
Two Primary Objectives:
  1. To help organizations improve the effectiveness & efficiency of their internal control systems
  2. To provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control process.
Application of Guidance
• Designed to meet all three control objectives of the COSO Framework
• Because of SOX compliance, the guidance has a primary focus on internal controls over financial reporting
Guidance Does Not:
• Change the COSO framework or its 2006 guidance
• Dictate risks or controls that an organization must consider
• Mandate the exact monitoring procedures that organizations must follow
• Increase the monitoring effort for organizations in areas where monitoring is already effective, or
• Mandate a certain level or formality of monitoring documentation, including the use of certain terms
Nature and Purpose of Monitoring
The COSO Framework states that “monitoring ensures that internal controls continue to operate effectively” by leveraging two related principles:
  1. Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time.
  2. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.
Linking the 2 Principles to 2006 COSO guidance
• Principle #19: Ongoing & Separate Evaluations
• Principle #20: Reporting Deficiencies
Source: 2006 COSO guidance, vol #3
Establishing a Model for Monitoring
An effective approach to monitoring involves:
  1. Establishing a Foundation
  2. Designing & Executing Monitoring procedures
  3. Assessing & Reporting
Establishing a Foundation
• A tone at the top that stresses the importance of monitoring
• Effective organizational structure that considers the roles of management and the board in regard to monitoring, and places people with appropriate capabilities, objectivity, authority and resources in monitoring roles, and
• Baseline understanding of internal control effectiveness
Design & Execute
• Prioritize Risks: evaluate controls in areas of meaningful risk
• ID Controls: select appropriate controls for evaluation from across any or all of COSO’s 5 components
• ID Information that will be persuasive in supporting conclusions about control effectiveness
• Implement monitoring procedures: evaluate that information through a mix of ongoing monitoring and separate evaluations
Assessing and Reporting Results
• Prioritize findings
• Provide support at the appropriate organization level for conclusions regarding the effectiveness of internal controls, and
• Follow up on corrective action: facilitate prompt corrective actions and documentation as necessary
Assessing and Reporting Results
* Prioritize & Communicate Results
Identifying and prioritizing potential control deficiencies allows organizations to determine:
  1. The levels to which the potential deficiencies should be reported, and
  2. Corrective action, if any, that should be taken
Factors influencing prioritization include:
  1. Likelihood that the deficiency will materially affect the achievement of organizational objectives
  2. Effectiveness of compensating controls, and
  3. Aggregate effect of multiple deficiencies
Assessing and Reporting Results
* Reporting
• Internally: usually ELC (entity-level controls) are reported to senior management and the board
• Externally:
  1. Each Co. will have different requirements as to the depth of reporting (e.g. private co. vs. publicly traded).
  2. Management should evaluate third parties which may require reporting documents (e.g. external auditors, regulators etc.).
Other Considerations in Reporting
Monitoring Controls Outsourced to Others
  1. For SOX, SAS 70 reports and their evaluations may be sufficient
  2. Management must evaluate both financial and operational outsourced providers
Vol. II – Application Overview
Vol. II – Application
“Quick Tip”
Concept and its application in a grey area
Tips on How to Read Vol. II: grey areas are only suggestions. Application may vary Co. by Co.
Application of “Tone at the Top”
• Management’s tone influences the way employees conduct and react to monitoring.
• Examples of documenting the monitoring of “Tone at the Top” include:
  • Communicating expectations to employees (via employee manual, performance evaluation, sign-off on risk/control matrices, or other SOX related documents).
  • Taking action for control problems by documenting control failures and including a remediation plan or compensating control for each gap.
  • Documentation of follow-up procedures for any control failures identified (via ____________ or ______________)
Action Item: Update Performance Evaluations
Application of “Organizational Structure”
• Role of Management & the BOD
  • Senior Management evaluates the day-to-day control and monitoring activities (evidenced in SOX or other related document sign-off)
  • BOD has an oversight role, in which they are responsible for:
    • Understanding risks to organizational objectives
    • Controls that management has put in place to mitigate those risks
    • How management monitors to help ensure that the internal control system continues to operate effectively
    • NOTE: Evidence should be documented in the BOD/AC minutes
  • Guidance offers four suggestions for the BOD to perform its oversight responsibilities: (1) inquiries & observation of management, (2) internal audit function (if present), (3) hired resources or specialists when necessary and (4) external auditors.
• Characteristics of Evaluators
Action Item: Principle #19 and #2 of COSO can leverage evidence of Monitoring Risks
Application of “Organizational Structure” (continued)
• Characteristics of Evaluators
  • Self-review: evaluation of one’s own work
    • Benefit: usually affords the first opportunity to ID control deficiencies
  • Peer Review: evaluation of a co-worker’s or peer’s work
    • Benefit: the individual is close to the control and may be in the best position to ID and correct control deficiencies
  • Supervisory Review: evaluation of a subordinate’s work
    • Benefit: same as Peer Review above
  • Impartial Review: often includes the internal audit function, people from other departments or external parties
    • Benefit: most objective concerning results; more reliance can be placed on the effectiveness of ICFR
Source: Vol.2: Figure 5, pg13
Baseline Understanding of Internal Control Effectiveness
• COSO provides three primary reasons internal control systems fail:
  1. Not designed and implemented properly
  2. Designed & implemented properly BUT the environment changes and the control system DOESN’T change accordingly
  3. Designed & implemented properly BUT operations change, rendering the control ineffective to mitigate control risks
• Based upon the three primary reasons controls fail, COSO suggests a baseline allows management to have a starting point to address changes (i.e. process or control variances) in “real-time”
Monitoring Changes
COSO offers a high-level overview of an internal control change continuum as follows:
Change Continuum Definitions
• Control Baseline: Monitoring starts with a supported understanding of the internal control system’s design and of whether controls have been implemented to accomplish the organization’s internal control objectives. As management gains experience with monitoring, its baseline understanding will expand based on the results of monitoring. The baseline is the starting point, and a new control baseline is established over time through monitoring.
• Change Identification: The risk assessment component of internal control identifies changes in processes or risks and verifies that the design of underlying controls remains effective. Monitoring, through the use of ongoing and separate evaluations, should consider the risk assessment component’s ability to identify and address those changes.
• Change Management: When changes in the operation of controls have occurred, or when needed changes in control design are identified, monitoring verifies that the internal control system manages the changes and establishes a new control baseline for the modified controls.
• Control Revalidation/Update: When ongoing monitoring procedures use persuasive information, they can routinely revalidate the conclusion that controls are effective, thus maintaining a continuous control baseline. When ongoing monitoring uses less-persuasive information, or when the level of risk warrants, monitoring periodically revalidates control operation through separate evaluations using appropriately persuasive information.
Change Continuum Evidence
• Narrative/Flowcharts
• Risk/Control matrices
• ELC - Assessment
• Test Scripts with supporting documents
• Sub-certifications on Controls
• Policy & Procedure for changes
• Change Mgmt Form
• Documentation Authorization with Changes (1)
(1) See Appendix B-Chg Mgmt Narrative Form
Vol. II Application of Design & Execute
Source: Vol.2 Figure 7, COSO 2009 Monitoring Guidance
Risk Assessment
• COSO’s monitoring guidance does not state to create a separate risk assessment just for monitoring
• Prioritizing risks will allow management to decide on the type, timing and extent of monitoring of controls
• Risk Factors to consider:
  1. Nature of Operations
  2. Changes in Operations
  3. Environmental Factors
  4. Susceptibility to Theft or Fraud
COSO’s Risk Assessment Examples
• Revenue: example without score detail and objective = Vol.2
• Inventory: example with score detail, without objective = Vol.3
ID Key Controls
• Key-Controls determination can occur at various levels within an organization (e.g. the supervisor of a plant has different key monitoring controls than the CFO).
• Key-Control Analysis can be facilitated by considering factors that increase the risk that the internal control system will fail to properly manage or mitigate a given risk. These factors are:
  1. Complexity
  2. Judgment
  3. Manual vs. Automated
  4. Known Control Failures
  5. Competence/experience of personnel
  6. Risk of management override
  7. Likelihood of control failure detection
ID Persuasive Information
• Persuasive information is both suitable AND sufficient in the circumstances and gives the evaluator reasonable, but not necessarily absolute, support for the conclusion regarding the continued effectiveness of the internal control system in a given risk area.
• Suitable information MUST be relevant, reliable and timely.
• Sufficiency is a measure of the quantity of information (i.e., whether the evaluator has enough suitable information)
ID Persuasive Information (Cont.)
Relevance of Information
• Direct vs. Indirect Information
• Information that directly confirms the operation of the control is more relevant than indirect information
• Direct: substantiates the operation of controls and is obtained by:
  1. Observing controls in operation
  2. Reperformance, or
  3. Otherwise evaluating their operation directly; can be useful in both ongoing monitoring and separate evaluations
• Indirect: all other information that may indicate a change or failure in the operation of controls, such as:
  1. Operating statistics
  2. Key risk indicators
  3. Key performance indicators, and
  4. Comparative industry metrics
ID Persuasive Information (Cont.)
Reliability of Information
• Reliable information is accurate, verifiable and comes from an objective source.
  • Accurate information: represents the degree to which information can reasonably be expected to be free from error and/or to communicate results that reflect reality.
  • Verifiable: represents information that can be established, confirmed or substantiated as true.
  • Objectivity: the degree to which the information source is unbiased when evaluated
ID Persuasive Information (Cont.)
Sufficient Information
• Management is required to maintain sufficient suitable information to support its conclusion on the effectiveness of internal controls.
• The SEC has provided smaller public companies with a general guideline, dependent upon risks, to determine the sufficient level of support.
SEC’s Guidance on Information
http://www.sec.gov/info/smallbus/404guide.pdf
AICPA new sampling rules
Better understanding of how much is enough in multi-locations
• May 2008: AICPA issued new sampling guidelines to align better with their risk-based auditing standards (i.e. SAS 101 to SAS 112).
• Management should consider multi-location issues as documented in this new guidance, as PCAOB and SEC do not provide best practices on how to make sample selections on a risk-based approach for multi-locations.
Implementing Monitoring
• COSO provides in Vol.3 an example of implementing monitoring processes for inventory; the template can be applied to any business cycle, including IT.
• Can add columns for:
  1) Evidence to Collect
  2) Qty of Evidence (is it all stores and all months? If so, what periods?)
Assess & Report
Prioritize Findings by Risk
Risk examples provided by Vol. 2 have one example of each type of Risk Rating Type (by Significance and Likelihood)
Vol. 2 – Applying Concepts of Monitoring
Prioritized Risks
Extends the concept in the prior slide, in how to prioritize monitoring efforts by rating as well (i.e. High, Med., Low)
IT Guidance to Help Prioritize Findings
2006 SOX IT Guidance helps users to assess the prioritization based upon risks
Site: www.isaca.org
Reporting Results
• Internal Reporting: a protocol must be established. Typically includes senior management and the board.
• External Reporting: a properly designed & executed monitoring program helps support external certifications or assertions because it provides persuasive information that internal control operated effectively at a point in time or during a particular period.
Follow-up Corrective Action
COSO’s suggested documentation should include evidence of:
• Reporting items agreeing to source scoping documents
• Evidence collected supporting that the control has been adequately corrected/remediated
• Management approval of corrective action and related evidence
Leveraging 2009 Guidance
• Linking Monitoring Principles (i.e. Principle #19 and #20) to actual business processes (i.e. Financial Statement Close Process, Inventory etc.) will reduce the number of key controls required to assess for SOX
• Providing more detailed monitoring reports substantiates management’s evidence of reviewing key controls
• Guidance provides management more information on how to leverage key controls for more than one type of risk
Practical Steps Using 2009 Guidance
• Step 1: Entity-Level Control Assessment; use the color coding offered by the 2006 COSO Guidance
• Step 2: The Risk Assessment exercise should include IT to prevent any miscommunication in prioritizing risks for the organization
• Step 3: Evaluate the Monitoring guidance issued in 2009 by COSO, especially considering three top templates from the guidance:
  1. Quarterly and Annual Management Representations (vol.3 – Appendix B)
  2. Enterprise Wide Risk Matrix (vol.3 – Appendix C)
  3. Prioritize Risk and Controls (vol.2 – pg. 51 to pg. 55)
Segregation of Duties (SOD)
• 2009: due to the economy, less staff and more work allocated to others.
• Leveraging too small a staff size may cause a lack of SOD.
• 2009 & 2006 COSO Guidance have stated compensating controls are the critical factor to avoid a material weakness.
SOD Case Study
Dealing with External Auditors
Early discussions about the guidance and where you plan to leverage the guidance:
• Planning & Scoping: leverage guidance to lower the number of key controls on the entity-level assessment
• Risk assessment process: may require a technical memo, provided to the SOX files and distributed to external auditors, on how the guidance has revised and prioritized resources for the SOX assessment
• Key Control ID: inform external auditors on where they may be able to leverage more monitoring controls
Key Remediation and Reporting Issues
Material weaknesses
• IT General Controls: primarily related to change management.
• Financial Close Process: primarily related to high risk areas dealing with accounting transactions which are complex and/or involve significant judgment
  • Tax issues
  • Valuation
  • Going Concern related issues (intangibles etc.)
Q&A
My Contact info:
Sonia Luna
Office: (213) 250-5700 x206
Cell: (323) 828-5862
700 S. Flower St. #1100, Los Angeles, CA 90017
Email: sluna@sox-solutions.com
Blog: www.sox-blog.com
Twitter: http://twitter.com/Sox_Solutions

 
Entrepreneurial report 2
Entrepreneurial report 2Entrepreneurial report 2
Entrepreneurial report 2Centres-EU
 
Protiva ExecProtect Armored Office
Protiva ExecProtect Armored OfficeProtiva ExecProtect Armored Office
Protiva ExecProtect Armored OfficeNis
 
Public RM Journal
Public RM JournalPublic RM Journal
Public RM JournalChris Gill
 
Chapter 12 - Additional Differentiation Topics
Chapter 12 - Additional Differentiation TopicsChapter 12 - Additional Differentiation Topics
Chapter 12 - Additional Differentiation TopicsMuhammad Bilal Khairuddin
 
National conference 2011 john quinlan - rsa (26.05.11)
National conference 2011   john quinlan - rsa (26.05.11)National conference 2011   john quinlan - rsa (26.05.11)
National conference 2011 john quinlan - rsa (26.05.11)Sales Institute Ireland
 
Aviva Brand Migration case study
Aviva Brand Migration case studyAviva Brand Migration case study
Aviva Brand Migration case studyPost Media
 
Issues Forum Jan 2009 Major Accidents Toolkit
Issues Forum Jan 2009   Major Accidents ToolkitIssues Forum Jan 2009   Major Accidents Toolkit
Issues Forum Jan 2009 Major Accidents ToolkitQBE European Operations
 
What brexit means for business
What brexit means for businessWhat brexit means for business
What brexit means for businessGraeme Cross
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
Int2 dd chp 3
Int2 dd chp 3Int2 dd chp 3
Int2 dd chp 3kmhaines
 
Updated coso internal control framework fa qs second edition-protiviti-2013_good
Updated coso internal control framework fa qs second edition-protiviti-2013_goodUpdated coso internal control framework fa qs second edition-protiviti-2013_good
Updated coso internal control framework fa qs second edition-protiviti-2013_goodSARVJEET KAUSHAL
 
Finance Department COSO Implementation Memo
Finance Department COSO Implementation MemoFinance Department COSO Implementation Memo
Finance Department COSO Implementation MemoTownofAddison
 
Conducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudConducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudGoutama Bachtiar
 

Viewers also liked (20)

Leveraging COSO-A Score-Carding Approach
Leveraging COSO-A Score-Carding Approach Leveraging COSO-A Score-Carding Approach
Leveraging COSO-A Score-Carding Approach
 
Financial services intermediaries quality assurance and tcf questionnaire[fsa]
Financial services intermediaries   quality assurance and tcf questionnaire[fsa]Financial services intermediaries   quality assurance and tcf questionnaire[fsa]
Financial services intermediaries quality assurance and tcf questionnaire[fsa]
 
Asoprs facebook visibility & branding presentation 2013
Asoprs facebook visibility & branding presentation 2013Asoprs facebook visibility & branding presentation 2013
Asoprs facebook visibility & branding presentation 2013
 
Talk for AACS 2014
Talk for AACS 2014Talk for AACS 2014
Talk for AACS 2014
 
Entrepreneurial report 2
Entrepreneurial report 2Entrepreneurial report 2
Entrepreneurial report 2
 
Protiva ExecProtect Armored Office
Protiva ExecProtect Armored OfficeProtiva ExecProtect Armored Office
Protiva ExecProtect Armored Office
 
Rehabilitation QBE Issues Forum
Rehabilitation QBE Issues ForumRehabilitation QBE Issues Forum
Rehabilitation QBE Issues Forum
 
Technical claims-brief-january-2010
Technical claims-brief-january-2010Technical claims-brief-january-2010
Technical claims-brief-january-2010
 
Public RM Journal
Public RM JournalPublic RM Journal
Public RM Journal
 
Chapter 12 - Additional Differentiation Topics
Chapter 12 - Additional Differentiation TopicsChapter 12 - Additional Differentiation Topics
Chapter 12 - Additional Differentiation Topics
 
National conference 2011 john quinlan - rsa (26.05.11)
National conference 2011   john quinlan - rsa (26.05.11)National conference 2011   john quinlan - rsa (26.05.11)
National conference 2011 john quinlan - rsa (26.05.11)
 
Aviva Brand Migration case study
Aviva Brand Migration case studyAviva Brand Migration case study
Aviva Brand Migration case study
 
Issues Forum Jan 2009 Major Accidents Toolkit
Issues Forum Jan 2009   Major Accidents ToolkitIssues Forum Jan 2009   Major Accidents Toolkit
Issues Forum Jan 2009 Major Accidents Toolkit
 
What brexit means for business
What brexit means for businessWhat brexit means for business
What brexit means for business
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
 
Banking ppt
Banking pptBanking ppt
Banking ppt
 
Int2 dd chp 3
Int2 dd chp 3Int2 dd chp 3
Int2 dd chp 3
 
Updated coso internal control framework fa qs second edition-protiviti-2013_good
Updated coso internal control framework fa qs second edition-protiviti-2013_goodUpdated coso internal control framework fa qs second edition-protiviti-2013_good
Updated coso internal control framework fa qs second edition-protiviti-2013_good
 
Finance Department COSO Implementation Memo
Finance Department COSO Implementation MemoFinance Department COSO Implementation Memo
Finance Department COSO Implementation Memo
 
Conducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudConducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and Fraud
 

More from Aviva Spectrum™

BlackLine System Admin Best Practices
BlackLine System Admin Best PracticesBlackLine System Admin Best Practices
BlackLine System Admin Best PracticesAviva Spectrum™
 
BlackLine System Admin Best Practices
BlackLine System Admin Best Practices BlackLine System Admin Best Practices
BlackLine System Admin Best Practices Aviva Spectrum™
 
Personal Branding On LinkedIn to Optimize Your Job Search
Personal Branding On LinkedIn to Optimize Your Job SearchPersonal Branding On LinkedIn to Optimize Your Job Search
Personal Branding On LinkedIn to Optimize Your Job SearchAviva Spectrum™
 
Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach Aviva Spectrum™
 
Revenue Recognition Webinar-May 19th, 2015
Revenue Recognition Webinar-May 19th, 2015Revenue Recognition Webinar-May 19th, 2015
Revenue Recognition Webinar-May 19th, 2015Aviva Spectrum™
 
Continuous Monitoring Webinar Aviva Spectrum
Continuous Monitoring Webinar Aviva SpectrumContinuous Monitoring Webinar Aviva Spectrum
Continuous Monitoring Webinar Aviva SpectrumAviva Spectrum™
 
IPE Webinar with Sonia Luna-Aviva Spectrum-10/16/14
IPE Webinar with Sonia Luna-Aviva Spectrum-10/16/14IPE Webinar with Sonia Luna-Aviva Spectrum-10/16/14
IPE Webinar with Sonia Luna-Aviva Spectrum-10/16/14Aviva Spectrum™
 
PCAOB Audit Alert #11: New Internal Control Testing Standards & Excel
PCAOB Audit Alert #11: New Internal Control Testing Standards & ExcelPCAOB Audit Alert #11: New Internal Control Testing Standards & Excel
PCAOB Audit Alert #11: New Internal Control Testing Standards & ExcelAviva Spectrum™
 
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia LunaAviva Spectrum™
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarAviva Spectrum™
 
Top 5 Pitfalls to Avoid Implemeting COSO 2013
Top 5 Pitfalls to Avoid Implemeting COSO 2013Top 5 Pitfalls to Avoid Implemeting COSO 2013
Top 5 Pitfalls to Avoid Implemeting COSO 2013Aviva Spectrum™
 

More from Aviva Spectrum™ (14)

2019 Farm Bill Hemp & CBD
2019 Farm Bill Hemp & CBD2019 Farm Bill Hemp & CBD
2019 Farm Bill Hemp & CBD
 
BlackLine System Admin Best Practices
BlackLine System Admin Best PracticesBlackLine System Admin Best Practices
BlackLine System Admin Best Practices
 
BlackLine System Admin Best Practices
BlackLine System Admin Best Practices BlackLine System Admin Best Practices
BlackLine System Admin Best Practices
 
Personal Branding On LinkedIn to Optimize Your Job Search
Personal Branding On LinkedIn to Optimize Your Job SearchPersonal Branding On LinkedIn to Optimize Your Job Search
Personal Branding On LinkedIn to Optimize Your Job Search
 
Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach
 
Revenue Recognition Webinar-May 19th, 2015
Revenue Recognition Webinar-May 19th, 2015Revenue Recognition Webinar-May 19th, 2015
Revenue Recognition Webinar-May 19th, 2015
 
Continuous Monitoring Webinar Aviva Spectrum
Continuous Monitoring Webinar Aviva SpectrumContinuous Monitoring Webinar Aviva Spectrum
Continuous Monitoring Webinar Aviva Spectrum
 
IPE Webinar with Sonia Luna-Aviva Spectrum-10/16/14
IPE Webinar with Sonia Luna-Aviva Spectrum-10/16/14IPE Webinar with Sonia Luna-Aviva Spectrum-10/16/14
IPE Webinar with Sonia Luna-Aviva Spectrum-10/16/14
 
PCAOB Audit Alert #11: New Internal Control Testing Standards & Excel
PCAOB Audit Alert #11: New Internal Control Testing Standards & ExcelPCAOB Audit Alert #11: New Internal Control Testing Standards & Excel
PCAOB Audit Alert #11: New Internal Control Testing Standards & Excel
 
Control findingsreporting
Control findingsreportingControl findingsreporting
Control findingsreporting
 
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches Webinar
 
Top 5 Pitfalls to Avoid Implemeting COSO 2013
Top 5 Pitfalls to Avoid Implemeting COSO 2013Top 5 Pitfalls to Avoid Implemeting COSO 2013
Top 5 Pitfalls to Avoid Implemeting COSO 2013
 
Coso Monitoring - Templates
Coso Monitoring - TemplatesCoso Monitoring - Templates
Coso Monitoring - Templates
 

Recently uploaded

Hello this ppt is about seminar final project
Hello this ppt is about seminar final projectHello this ppt is about seminar final project
Hello this ppt is about seminar final projectninnasirsi
 
Gender and caste discrimination in india
Gender and caste discrimination in indiaGender and caste discrimination in india
Gender and caste discrimination in indiavandanasingh01072003
 
AnyConv.com__FSS Advance Retail & Distribution - 15.06.17.ppt
AnyConv.com__FSS Advance Retail & Distribution - 15.06.17.pptAnyConv.com__FSS Advance Retail & Distribution - 15.06.17.ppt
AnyConv.com__FSS Advance Retail & Distribution - 15.06.17.pptPriyankaSharma89719
 
Uae-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
Uae-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...Uae-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
Uae-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...Amil baba
 
Building pressure? Rising rents, and what to expect in the future
Building pressure? Rising rents, and what to expect in the futureBuilding pressure? Rising rents, and what to expect in the future
Building pressure? Rising rents, and what to expect in the futureResolutionFoundation
 
Introduction to Health Economics Dr. R. Kurinji Malar.pptx
Introduction to Health Economics Dr. R. Kurinji Malar.pptxIntroduction to Health Economics Dr. R. Kurinji Malar.pptx
Introduction to Health Economics Dr. R. Kurinji Malar.pptxDrRkurinjiMalarkurin
 
Financial analysis on Risk and Return.ppt
Financial analysis on Risk and Return.pptFinancial analysis on Risk and Return.ppt
Financial analysis on Risk and Return.ppttadegebreyesus
 
Kempen ' UK DB Endgame Paper Apr 24 final3.pdf
Kempen ' UK DB Endgame Paper Apr 24 final3.pdfKempen ' UK DB Endgame Paper Apr 24 final3.pdf
Kempen ' UK DB Endgame Paper Apr 24 final3.pdfHenry Tapper
 
Abhay Bhutada Leads Poonawalla Fincorp To Record Growth In FY24
Abhay Bhutada Leads Poonawalla Fincorp To Record Growth In FY24Abhay Bhutada Leads Poonawalla Fincorp To Record Growth In FY24
Abhay Bhutada Leads Poonawalla Fincorp To Record Growth In FY24Champak Jhagmag
 
Unveiling Poonawalla Fincorp’s Phenomenal Performance Under Abhay Bhutada’s L...
Unveiling Poonawalla Fincorp’s Phenomenal Performance Under Abhay Bhutada’s L...Unveiling Poonawalla Fincorp’s Phenomenal Performance Under Abhay Bhutada’s L...
Unveiling Poonawalla Fincorp’s Phenomenal Performance Under Abhay Bhutada’s L...beulahfernandes8
 
Market Morning Updates for 16th April 2024
Market Morning Updates for 16th April 2024Market Morning Updates for 16th April 2024
Market Morning Updates for 16th April 2024Devarsh Vakil
 
ΤτΕ: Ανάπτυξη 2,3% και πληθωρισμός 2,8% φέτος
ΤτΕ: Ανάπτυξη 2,3% και πληθωρισμός 2,8% φέτοςΤτΕ: Ανάπτυξη 2,3% και πληθωρισμός 2,8% φέτος
ΤτΕ: Ανάπτυξη 2,3% και πληθωρισμός 2,8% φέτοςNewsroom8
 
Banking: Commercial and Central Banking.pptx
Banking: Commercial and Central Banking.pptxBanking: Commercial and Central Banking.pptx
Banking: Commercial and Central Banking.pptxANTHONYAKINYOSOYE1
 
What is sip and What are its Benefits in 2024
What is sip and What are its Benefits in 2024What is sip and What are its Benefits in 2024
What is sip and What are its Benefits in 2024prajwalgopocket
 
ekthesi-trapeza-tis-ellados-gia-2023.pdf
ekthesi-trapeza-tis-ellados-gia-2023.pdfekthesi-trapeza-tis-ellados-gia-2023.pdf
ekthesi-trapeza-tis-ellados-gia-2023.pdfSteliosTheodorou4
 
Overview of Inkel Unlisted Shares Price.
Overview of Inkel Unlisted Shares Price.Overview of Inkel Unlisted Shares Price.
Overview of Inkel Unlisted Shares Price.Precize Formely Leadoff
 
OAT_RI_Ep18 WeighingTheRisks_Mar24_GlobalCredit.pptx
OAT_RI_Ep18 WeighingTheRisks_Mar24_GlobalCredit.pptxOAT_RI_Ep18 WeighingTheRisks_Mar24_GlobalCredit.pptx
OAT_RI_Ep18 WeighingTheRisks_Mar24_GlobalCredit.pptxhiddenlevers
 
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...Amil baba
 
Financial Preparation for Millennia.pptx
Financial Preparation for Millennia.pptxFinancial Preparation for Millennia.pptx
Financial Preparation for Millennia.pptxsimon978302
 
Liquidity Decisions in Financial management
Liquidity Decisions in Financial managementLiquidity Decisions in Financial management
Liquidity Decisions in Financial managementshrutisingh143670
 

Recently uploaded (20)

Hello this ppt is about seminar final project
Hello this ppt is about seminar final projectHello this ppt is about seminar final project
Hello this ppt is about seminar final project
 
Gender and caste discrimination in india
Gender and caste discrimination in indiaGender and caste discrimination in india
Gender and caste discrimination in india
 
AnyConv.com__FSS Advance Retail & Distribution - 15.06.17.ppt
AnyConv.com__FSS Advance Retail & Distribution - 15.06.17.pptAnyConv.com__FSS Advance Retail & Distribution - 15.06.17.ppt
AnyConv.com__FSS Advance Retail & Distribution - 15.06.17.ppt
 
Uae-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
Uae-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...Uae-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
Uae-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Building pressure? Rising rents, and what to expect in the future
Building pressure? Rising rents, and what to expect in the futureBuilding pressure? Rising rents, and what to expect in the future
Building pressure? Rising rents, and what to expect in the future
 
Introduction to Health Economics Dr. R. Kurinji Malar.pptx
Introduction to Health Economics Dr. R. Kurinji Malar.pptxIntroduction to Health Economics Dr. R. Kurinji Malar.pptx
Introduction to Health Economics Dr. R. Kurinji Malar.pptx
 
Financial analysis on Risk and Return.ppt
Financial analysis on Risk and Return.pptFinancial analysis on Risk and Return.ppt
Financial analysis on Risk and Return.ppt
 
Kempen ' UK DB Endgame Paper Apr 24 final3.pdf
Kempen ' UK DB Endgame Paper Apr 24 final3.pdfKempen ' UK DB Endgame Paper Apr 24 final3.pdf
Kempen ' UK DB Endgame Paper Apr 24 final3.pdf
 
Abhay Bhutada Leads Poonawalla Fincorp To Record Growth In FY24
Abhay Bhutada Leads Poonawalla Fincorp To Record Growth In FY24Abhay Bhutada Leads Poonawalla Fincorp To Record Growth In FY24
Abhay Bhutada Leads Poonawalla Fincorp To Record Growth In FY24
 
Unveiling Poonawalla Fincorp’s Phenomenal Performance Under Abhay Bhutada’s L...
Unveiling Poonawalla Fincorp’s Phenomenal Performance Under Abhay Bhutada’s L...Unveiling Poonawalla Fincorp’s Phenomenal Performance Under Abhay Bhutada’s L...
Unveiling Poonawalla Fincorp’s Phenomenal Performance Under Abhay Bhutada’s L...
 
Market Morning Updates for 16th April 2024
Market Morning Updates for 16th April 2024Market Morning Updates for 16th April 2024
Market Morning Updates for 16th April 2024
 
ΤτΕ: Ανάπτυξη 2,3% και πληθωρισμός 2,8% φέτος
ΤτΕ: Ανάπτυξη 2,3% και πληθωρισμός 2,8% φέτοςΤτΕ: Ανάπτυξη 2,3% και πληθωρισμός 2,8% φέτος
ΤτΕ: Ανάπτυξη 2,3% και πληθωρισμός 2,8% φέτος
 
Banking: Commercial and Central Banking.pptx
Banking: Commercial and Central Banking.pptxBanking: Commercial and Central Banking.pptx
Banking: Commercial and Central Banking.pptx
 
What is sip and What are its Benefits in 2024
What is sip and What are its Benefits in 2024What is sip and What are its Benefits in 2024
What is sip and What are its Benefits in 2024
 
ekthesi-trapeza-tis-ellados-gia-2023.pdf
ekthesi-trapeza-tis-ellados-gia-2023.pdfekthesi-trapeza-tis-ellados-gia-2023.pdf
ekthesi-trapeza-tis-ellados-gia-2023.pdf
 
Overview of Inkel Unlisted Shares Price.
Overview of Inkel Unlisted Shares Price.Overview of Inkel Unlisted Shares Price.
Overview of Inkel Unlisted Shares Price.
 
OAT_RI_Ep18 WeighingTheRisks_Mar24_GlobalCredit.pptx
OAT_RI_Ep18 WeighingTheRisks_Mar24_GlobalCredit.pptxOAT_RI_Ep18 WeighingTheRisks_Mar24_GlobalCredit.pptx
OAT_RI_Ep18 WeighingTheRisks_Mar24_GlobalCredit.pptx
 
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
 
Financial Preparation for Millennia.pptx
Financial Preparation for Millennia.pptxFinancial Preparation for Millennia.pptx
Financial Preparation for Millennia.pptx
 
Liquidity Decisions in Financial management
Liquidity Decisions in Financial managementLiquidity Decisions in Financial management
Liquidity Decisions in Financial management
 

Coso Monitoring Training Final

  • 1. 2009 COSO Guidance & Impact 1
  • 2. Agenda How COSO’s 2009 Monitoring Guidance Impacts Smaller Co. Leveraging 2009 Guidance to Cut Costs Practical SOX Compliance Steps Dealing with External Auditors Key Remediation and Reporting Issues 2
  • 3. Quick Overview of COSO: COSO was formed in 1985; it introduced a framework for internal controls in 1992; COSO comprises five professional associations: the American Accounting Association, AICPA (American Institute of Certified Public Accountants), FEI (Financial Executives International), IIA (The Institute of Internal Auditors) and IMA (Institute of Management Accountants) 3
  • 4. The Face of COSO Mr. Treadway Committee of Sponsoring Organizations of Treadway Commission (aka COSO) Charles C. Cox (far left); Bevis Longstreth (second from left); John S. R. Shad (second from right); James C. Treadway, Jr. (far right) Source: www.sechistorical.org 4
  • 5. COSO Guidance - Timeline (timeline figure; only the labels survived extraction): 1985 COSO formed; 1992 Framework introduced; 1996 Derivatives guidance issued; 1999 report on fraud at public companies 1987 - 1997 issued; 2004 ERM Framework issued; 2006 guidance issued; Feb. 2009 Monitoring Guidance issued; timeline runs to 2010 5
  • 6. How to get COSO Materials: Free downloads of executive summaries (e.g. introduction or overview documents) of their guidance materials are located at http://www.coso.org/guidance.htm. www.cpa2biz.com represents AICPA and COSO related products; use search terms such as "Internal controls" or "COSO" etc. 6
  • 7. 2009 COSO Monitoring Guidance Introduction Free Download Intended for CFO, CEO, BOD and AC members Vol. 1 Guidance Overview Intended for C-Level, BOD and AC Members, and Director of Internal Audit 7
  • 8. 2009 COSO Monitoring Guidance Vol.II Application Discusses How guidance Impacts And Links to 1992 and 2006 COSO Guidance materials Audience: DIA, Internal Audit Staff etc. Vol. III Examples Provides templates to leverage Monitoring Guidance Theory Audience: DIA, Internal Audit Staff etc. 8
  • 9. Vol. #1 - Overview • Four Sections 1. Purpose of Guidance 2. Nature & Purpose of Monitoring 3. A Model for Monitoring 4. Summary Considerations 9
  • 10. The Purpose of the Guidance Two Primary Objectives: 1. To help improve the effectiveness & efficiency of their internal control systems 2. To provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control process. 10
  • 11. Application of Guidance: Designed to meet all three control objectives of the COSO Framework. Due to SOX compliance, the Guidance has a primary focus on internal control over financial reporting 11
  • 12. Guidance Does Not: Change the COSO framework or its 2006 guidance; Dictate risks or controls that an organization must consider; Mandate the exact monitoring procedures that organizations must follow; Increase the monitoring effort for organizations in areas where monitoring is already effective; or Mandate a certain level or formality of monitoring documentation, including the use of certain terms 12
  • 13. Nature and Purpose of Monitoring: The COSO Framework states that “monitoring ensures that internal control continues to operate effectively” by leveraging two related principles: 1. Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time. 2. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate. 13
  • 14. Linking the 2 Principles to 2006 COSO guidance Principle #19: Ongoing & Separate Evaluations Principle #20: Reporting Deficiencies Source: 2006 COSO guidance, vol #3 14
  • 15. Establishing a Model for Monitoring Effective approach to monitoring involves: 1. Establishing a Foundation 2. Designing & Executing Monitoring procedures 3. Assessing & Reporting 15
  • 16. Establishing a Foundation A tone at the top that stresses the importance of monitoring Effective organizational structure that considers the roles of management and the board in regard to monitoring, and places people with appropriate capabilities, objectivity, authority and resources in monitoring roles and Baseline understanding of internal control effectiveness 16
  • 17. Design & Execute Prioritize Risks: Evaluate controls in areas of meaningful risk ID Controls: select appropriate controls for evaluation from across any or all of COSO’s 5 components ID information that will be persuasive in supporting conclusions about control effectiveness Implement monitoring procedures: evaluate that information through a mix of ongoing monitoring and separate evaluations 17
  • 18. Assessing and Reporting Results Prioritize findings Provide support at the appropriate organization level for conclusions regarding the effectiveness of internal controls and Follow up on corrective action: Facilitate prompt corrective actions and documentation as necessary 18
  • 19. Assessing and Reporting Results * Prioritize & Communicate Results: Identifying and prioritizing potential control deficiencies allows organizations to determine 1. The levels to which the potential deficiencies should be reported and 2. Corrective action, if any, that should be taken. Factors influencing prioritization include: 1. Likelihood that the deficiency will materially affect the achievement of an organizational objective 2. Effectiveness of compensating controls and 3. Aggregating effect of multiple deficiencies 19
  • 20. Assessing and Reporting Results * Reporting Internally: Usually ELC (entity-level controls) are reported to senior management and the board. Externally: 1. Each company will have different requirements as to the depth of reporting (e.g. private co. vs. publicly traded). 2. Management should evaluate third parties which may require reporting documents (e.g. external auditors, regulators etc.). 20
  • 21. Other Considerations in Reporting: Monitoring Controls Outsourced to Others 1. For SOX, SAS 70 reports and their evaluations may be sufficient 2. Management must evaluate both financial and operational outsourced providers 21
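A worked illustration of the prioritization factors on slide 19 (likelihood of material effect, compensating controls, aggregation of multiple deficiencies) and the reporting split on slide 20 (ELC findings go to senior management and the board), added here as an example and not part of COSO's guidance or the original deck. The numeric rubric, thresholds and routing labels are assumptions for illustration, and the sample deficiencies are constructed.

```python
"""Prioritize potential control deficiencies and route them for reporting.

Added illustration of slides 19 and 20: residual severity from likelihood
of material effect and compensating-control effectiveness, aggregation of
multiple deficiencies affecting the same objective, and routing of
entity-level control (ELC) findings to senior management and the board.
The scoring rubric, thresholds and routing labels below are assumptions
for illustration only; they are not COSO's numbers.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed rubric: likelihood that the deficiency materially affects an objective.
LIKELIHOOD = {"remote": 1.0, "reasonably_possible": 2.0, "probable": 3.0}
# Assumed rubric: how much a compensating control reduces residual severity.
COMPENSATING = {"none": 1.0, "partial": 0.5, "effective": 0.25}
# Assumed priority thresholds applied to the aggregate score per objective.
MEDIUM_AT = 1.0
HIGH_AT = 2.5


@dataclass(frozen=True)
class Deficiency:
    id: str
    objective: str        # control objective the deficiency affects
    entity_level: bool    # True if the failed control is an ELC (slide 20)
    likelihood: str       # key of LIKELIHOOD
    compensating: str     # key of COMPENSATING


@dataclass
class ObjectiveReport:
    objective: str
    deficiency_ids: list
    aggregate_score: float
    priority: str
    report_to: str


def residual_score(d: Deficiency) -> float:
    """Factor 1 x factor 2: likelihood scaled by compensating-control effect."""
    if d.likelihood not in LIKELIHOOD:
        raise ValueError(f"{d.id}: unknown likelihood {d.likelihood!r}")
    if d.compensating not in COMPENSATING:
        raise ValueError(f"{d.id}: unknown compensating rating {d.compensating!r}")
    return LIKELIHOOD[d.likelihood] * COMPENSATING[d.compensating]


def priority_for(score: float) -> str:
    """Map an aggregate score to an assumed low/medium/high priority."""
    if score >= HIGH_AT:
        return "high"
    if score >= MEDIUM_AT:
        return "medium"
    return "low"


def report_to(priority: str, entity_level: bool) -> str:
    """Assumed routing: ELC findings and high-priority aggregates go to the top."""
    if entity_level or priority == "high":
        return "senior management and board"
    if priority == "medium":
        return "process owner and management"
    return "process owner"


def prioritize(deficiencies) -> dict:
    """Factor 3: aggregate deficiencies per objective before rating them."""
    by_objective = defaultdict(list)
    for d in deficiencies:
        by_objective[d.objective].append(d)
    reports = {}
    for objective, items in by_objective.items():
        aggregate = sum(residual_score(d) for d in items)
        priority = priority_for(aggregate)
        any_elc = any(d.entity_level for d in items)
        reports[objective] = ObjectiveReport(
            objective, [d.id for d in items], aggregate, priority,
            report_to(priority, any_elc))
    return reports


# Constructed sample findings from one monitoring cycle (not real data).
SAMPLE_DEFICIENCIES = [
    # Two individually low-rated cut-off findings that add up to a medium.
    Deficiency("D-1", "revenue_cutoff", False, "reasonably_possible", "effective"),
    Deficiency("D-2", "revenue_cutoff", False, "remote", "partial"),
    # A low-rated ELC finding, still routed upward because it is entity-level.
    Deficiency("D-3", "tone_at_the_top", True, "remote", "effective"),
    # A probable deficiency with no compensating control.
    Deficiency("D-4", "inventory_existence", False, "probable", "none"),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_DEFICIENCIES).values():
        print(f"{r.objective:<22} {r.aggregate_score:>4.2f} {r.priority:<6} "
              f"-> {r.report_to}  {r.deficiency_ids}")
```

The two revenue cut-off findings show why aggregation matters: each scores low on its own, but together they cross the (assumed) medium threshold and are escalated beyond the process owner.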
  • 22. Vol. II – Application Overview 22
  • 23. Vol. II – Application: “Quick Tip” concept and its application in grey areas. Tips on How to Read Vol. II: Grey areas are only suggestions. Application may vary company by company. 23
  • 24. Application of “Tone at the Top”: Management’s tone influences the way employees conduct and react to monitoring. Examples of documenting the monitoring of “Tone at the Top” include: Communicating expectations to employees (via employee manual, performance evaluation, sign-off on risk/control matrices, or other SOX related documents); Taking action on control problems by documenting control failures and including a remediation plan or compensating control for each gap; Documentation of follow-up procedures for any control failures identified (via ____________ or ______________). Action Item: Update Performance Evaluations 24
  • 25. Application of “Organizational Structure”: Role of Management & the BOD. Senior Management evaluates the day-to-day control and monitoring activities (evidenced in SOX or other related document sign-off). The BOD has an oversight role, in which it is responsible for: understanding risks to organizational objectives; the controls that management has put in place to mitigate those risks; and how management monitors to help ensure that the internal control system continues to operate effectively. NOTE: Evidence should be documented in the BOD/AC minutes. The Guidance offers four suggestions for the BOD to perform its oversight responsibilities: (1) inquiries & observation of management, (2) the internal audit function (if present), (3) hired resources or specialists when necessary and (4) external auditors. Characteristics of Evaluators. Action Item: Principle #19 and #2 of COSO can leverage evidence of Monitoring Risks 25
  • 26. Application of “Organizational Structure” (continued): Characteristics of Evaluators. Self-review: evaluation of one’s own work. Benefit: usually affords the first opportunity to identify control deficiencies. Peer Review: evaluation of a co-worker’s or peer’s work. Benefit: the individual is close to the control and may be in the best position to identify and correct control deficiencies. Supervisory Review: evaluation of a subordinate’s work. Benefit: same as Peer Review above. Impartial Review: often includes the internal audit function, people from other departments or external parties. Benefit: most objective concerning results, and more reliance can be placed on the effectiveness of ICFR. Source: Vol. 2, Figure 5, pg 13 26
  • 27. Baseline Understanding of Internal Control Effectiveness: COSO provides three primary reasons internal control systems fail: 1. Not designed and implemented properly 2. Designed & implemented properly BUT the environment changes and the control system DOESN’T change accordingly 3. Designed & implemented properly BUT operation changes, rendering the control ineffective at mitigating control risks. Based upon the three primary reasons controls fail, COSO suggests a baseline allows management to have a starting point to address changes (i.e. process or control variances) in “real-time” 27
  • 28. Monitoring Changes COSO offers a high-level overview of an internal control change continuum as follows: 28
  • 29. Change Continuum Definitions  Control Baseline — Monitoring starts with a supported understanding of the internal control system’s design and of whether controls have been implemented to accomplish the organization’s internal control objectives. As management gains experience with monitoring, its baseline understanding will expand based on the results of monitoring. Baseline is the starting point and a new control baseline established over time through monitoring.  Change Identification — The risk assessment component of internal control identifies changes in processes or risks and verifies that the design of underlying controls remains effective. Monitoring, through the use of ongoing and separate evaluations, should consider the risk assessment component’s ability to identify and address those changes .  Change Management — When changes in the operation of controls have occurred, or when needed changes in control design are identified, monitoring verifies that the internal control system manages the changes and establishes a new control baseline for the modified controls.  Control Revalidation/Update — When ongoing monitoring procedures use persuasive information, they can routinely revalidate the conclusion that controls are effective, thus maintaining a continuous control baseline. When ongoing monitoring uses less-persuasive information, or when the level of risk warrants, monitoring periodically revalidates control operation through separate evaluations using appropriately persuasive information. 29
• 30. Change Continuum Evidence
  Risk/Control Narrative/Flowcharts; ELC (Entity-Level Control) Assessment matrices
• 31. Change Continuum Evidence
  Test Scripts with sub-certifications supporting Controls documents
• 32. Change Continuum Evidence
  Policy & Procedure for Authorization with changes; Change Mgmt Documentation Form (1)
  (1) See Appendix B - Chg Mgmt Narrative Form
• 33. Vol. II Application of Design & Execute
  Source: Vol. 2, Figure 7, COSO 2009 Monitoring Guidance
• 34. Risk Assessment
  • COSO's monitoring guidance does not state to create a separate risk assessment just for monitoring
  • Prioritizing risks will allow management to decide on the type, timing and extent of monitoring of controls
  • Risk factors to consider:
    1. Nature of Operations
    2. Changes in Operations
    3. Environmental Factors
    4. Susceptibility to Theft or Fraud
• 35. COSO's Risk Assessment Examples
  • Revenue example, without score detail and objective = Vol. 2
  • Inventory example, with score detail, without objective = Vol. 3
• 37. ID Key Controls
  • Key-control determination can occur at various levels within an organization (e.g. a plant supervisor has different key monitoring controls than the CFO).
  • Key-control analysis can be facilitated by considering factors that increase the risk that the internal control system will fail to properly manage or mitigate a given risk. These factors are:
    1. Complexity
    2. Judgment
    3. Manual vs. Automated
    4. Known Control Failures
    5. Competence/experience of personnel
    6. Risk of management override
    7. Likelihood of control failure detection
• 38. ID Persuasive Information
  • Persuasive information is both suitable AND sufficient in the circumstances and gives the evaluator reasonable, but not necessarily absolute, support for the conclusion regarding the continued effectiveness of the internal control system in a given risk area.
  • Suitable information MUST be relevant, reliable and timely.
  • Sufficiency is a measure of the quantity of information (i.e., whether the evaluator has enough suitable information).
• 39. ID Persuasive Information (Cont.)
  Relevance of Information
  • Direct vs. Indirect Information
  • Information that directly confirms the operation of the control is more relevant than indirect information
  • Direct: substantiates the operation of controls and is obtained by:
    1. Observing controls in operation
    2. Reperformance, or
    3. Otherwise evaluating their operation directly
    and can be useful in both ongoing monitoring and separate evaluations
  • Indirect: is all other information that may indicate a change or failure in the operation of controls, such as:
    1. Operating statistics
    2. Key risk indicators
    3. Key performance indicators, and
    4. Comparative industry metrics
• 40. ID Persuasive Information (Cont.)
  Reliability of Information
  • Reliable information: is accurate, verifiable and comes from an objective source.
  • Accurate information: represents the degree to which information can reasonably be expected to be free from error and/or to communicate results that reflect reality.
  • Verifiable: represents information that can be established, confirmed or substantiated as true.
  • Objectivity: is the degree to which the information source is unbiased when evaluated.
• 41. ID Persuasive Information (Cont.)
  Sufficient Information
  • Management is required to maintain sufficient suitable information to support its conclusion on the effectiveness of internal controls.
  • The SEC has provided smaller public companies with a general guideline, dependent upon risks, to determine the sufficient level of support.
• 42. SEC's Guidance on Information
  http://www.sec.gov/info/smallbus/404guide.pdf
• 43. AICPA New Sampling Rules
  Better understanding of how much is enough in multi-locations
  • May 2008: AICPA issued new sampling guidelines to align better with their risk-based auditing standards (i.e. SAS 101 to SAS 112).
  • Management should consider multi-location issues as documented in this new guidance, as PCAOB and SEC do not provide best practices on how to make sample selections on a risk-based approach for multi-locations.
• 44. Implementing Monitoring
  COSO provides in Vol. 3 an example of implementing monitoring processes for inventory; the template can be applied to any business cycle, including IT.
  Columns can be added for:
  1) Evidence to collect
  2) Quantity of evidence (is it all stores and all months? if so, what periods?)
• 45. Assess & Report
  Prioritize Findings by Risk
  The risk examples provided in Vol. 2 include one example of each risk rating type (by Significance and Likelihood).
• 46. Vol. 2 – Applying Concepts of Monitoring: Prioritized Risks
  Extends the concept in the prior slide to show how to prioritize monitoring efforts by rating as well (i.e. High, Med., Low).
• 47. IT Guidance to Help Prioritize Findings
  The 2006 SOX IT Guidance helps users assess prioritization based upon risks.
  Site: www.isaca.org
• 48. Reporting Results
  • Internal Reporting: a protocol must be established. Typically includes senior management and the board.
  • External Reporting: a properly designed & executed monitoring program helps support external certifications or assertions because it provides persuasive information that internal control operated effectively at a point in time or during a particular period.
• 49. Follow-up Corrective Action
  COSO's suggested documentation should include evidence that:
  • Reported items agree to source scoping documents
  • Evidence collected supports that the control has been adequately corrected/remediated
  • Management approved the corrective action and related evidence
• 50. Leveraging 2009 Guidance
  • Linking monitoring principles (i.e. Principles 19 and 20) to actual business processes (i.e. Financial Statement Close Process, Inventory, etc.) will reduce the number of key controls required to assess for SOX
  • Providing more detailed monitoring reports substantiates management's evidence of reviewing key controls
  • The guidance provides management more information on how to leverage key controls for more than one type of risk
• 51. Practical Steps Using 2009 Guidance
  • Step 1: Entity-Level Control Assessment; use the color coding offered by the 2006 COSO Guidance
  • Step 2: The Risk Assessment exercise should include IT to prevent any miscommunication in prioritizing risks for the organization
  • Step 3: Evaluate the Monitoring guidance issued in 2009 by COSO, especially considering three top templates from the guidance:
    1. Quarterly and Annual Management Representations (Vol. 3 – Appendix B)
    2. Enterprise Wide Risk Matrix (Vol. 3 – Appendix C)
    3. Prioritize Risk and Controls (Vol. 2 – pg. 51 to pg. 55)
• 52. Segregation of Duties (SOD)
  2009: Due to the economy, less staff and more work allocated to others. Leveraging too small a staff may cause a lack of SOD.
  The 2009 & 2006 COSO Guidance have stated compensating controls are the critical factor to avoid a material weakness.
• 54. Dealing with External Auditors
  • Early discussions about the guidance and where you plan to leverage it
  • Planning & Scoping: leverage the guidance to lower the number of key controls in the entity-level assessment
  • Risk assessment process: may require a technical memo, placed in the SOX files and distributed to external auditors, explaining how the guidance has revised and prioritized resources for the SOX assessment
  • Key Control ID: inform external auditors where they may be able to leverage more monitoring controls
• 55. Key Remediation and Reporting Issues
  Material weaknesses
  • IT General Controls: primarily related to change management.
  • Financial Close Process: primarily related to high-risk areas dealing with accounting transactions which are complex and/or involve significant judgment:
    - Tax issues
    - Valuation
    - Going Concern related issues (intangibles, etc.)
• 56. Q&A
  My Contact info: Sonia Luna
  Office: (213) 250-5700 x206
  Cell: (323) 828-5862
  700 S. Flower St. #1100, Los Angeles, CA 90017
  Email: sluna@sox-solutions.com
  Blog: www.sox-blog.com
  Twitter: http://twitter.com/Sox_Solutions