COSO Implementation: Getting Real, Getting It Right

Join this webcast featuring senior-level financial executives with deep knowledge of the updated internal control framework released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Hear first-hand how Pfizer, Raytheon and Dow have implemented the updated framework (which will supersede COSO’s original 1992 guidelines at the end of this year).

  1. FEI - BlackLine Systems Webinar, July 24, 2014, 12 pm ET / 9 am PT, 1.5 CPE
  2. Introduction
  This session covers the key areas to focus on when transitioning to COSO’s updated internal control framework, so that implementation is as efficient and effective as possible. It is now mid-July 2014, and COSO’s 2013 framework will supersede COSO’s 1992 framework less than six months from now (COSO has announced that the 1992 framework is superseded as of Dec. 15, 2014), so it’s time for your COSO implementation to “Get Real” and “Get It Right!”
  3. Program Outline
  – Housekeeping/CPE
  – Capsule Overview of COSO 2013
  – Project Planning, Roles & Responsibilities
  – Mapping from COSO ’92 to COSO 2013
  – Working with Auditors; Sarbanes-Oxley Implementation Issues; Fraud Assessment
  – Q&A
  – Benefits
  – Closing Remarks
  4. CPE Credits and Supplemental Information
  We are offering 1.5 CPE credits for this webinar. To be eligible to receive these credits, please ensure you answer at least four (4) of the five (5) polling questions. You will receive the CPE certificate via e-mail approximately 4 weeks after the webinar date. Register for the remaining webinars in this series hosted by BlackLine Systems in conjunction with FEI. Watch for announcements to be posted on:
  – FEI’s COSO Resources page, and on
  – BlackLine’s webinars page
  5. WHY IS THE UPDATED COSO FRAMEWORK IMPORTANT
  Internal controls are critical, yet companies don’t always update them for changes in the business, industry or environment. Companies now face new risks and opportunities that should be considered:
  – Reliance on technologies
  – Increasing regulatory requirements and oversight
  – Social media
  – Outsourcing business functions
  – Emphasis on controls around non-financial reporting
  – More focus on fraud
  6. Polling Question 1
  How far along are you in completing your COSO 2013 implementation?
  [ ] Haven’t started yet
  [ ] Early stages
  [ ] About mid-way
  [ ] Mostly done
  [ ] Management done, but we haven’t really consulted with our auditors yet as to the effectiveness of internal control under COSO 2013
  [ ] Management done, and we know where we stand with our auditors on the effectiveness of internal control under COSO 2013
  [ ] Not applicable (e.g. I don’t work for a company that has to implement COSO 2013)
  9. Overview: COSO’s Updated Internal Control Framework
  10. Update considers changes in business and operating environments
  Changes in environments drive updates to the Framework:
  – Expectations for governance oversight
  – Globalization of markets and operations
  – Changes and greater complexity in the business
  – Demands and complexities in laws, rules, regulations, and standards
  – Expectations for competencies and accountabilities
  – Use of, and reliance on, evolving technologies
  – Expectations relating to preventing and detecting fraud
  (Figure: COSO Cube)
  11. What is not changing / What is changing
  What is not changing:
    1. Retain core definition of internal control
    2. Retain five components of internal control
    3. Retain requirement of five components for an effective system of internal control
    4. Retain important role of judgment in designing, implementing, and conducting internal control, and in assessing effectiveness of internal control
  What is changing:
    1. Articulate fundamental concepts underlying the five components as principles
    2. Consider changes in business and operating environments
    3. Expand operations and reporting objectives
    4. Provide additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives
  The update is intended to ease use and application.
  12. Requirements for Effective Internal Control
  Effective internal control requires that:
  – Each of the five components of internal control and relevant principles are present and functioning
  – The five components are operating together in an integrated manner
  When a component or relevant principle is deemed not present and functioning, or when components are deemed not operating together, a “major deficiency” exists. When a major deficiency exists, the entity cannot conclude that it has met the requirements for effective internal control.
  13. Requirements for Effective Internal Control
  Components operate together when:
  – Components are present and functioning
  – Internal control deficiencies aggregated across components do not result in one or more major deficiencies
  – An internal control deficiency, or combination of deficiencies, that severely reduces the likelihood that the entity can achieve its objectives is a major deficiency
  – A major deficiency exists when management determines that a component and relevant principle is not present or functioning, or that components are not operating together
  – Management uses only relevant criteria (as established by regulators, standard-setting bodies, and other relevant third parties) for defining the severity of, evaluating, and reporting internal control deficiencies
  14. The Five Components of Internal Control
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information & Communication
  – Monitoring
  The components of internal control remain unchanged from COSO’s 1992 Framework.
  15. Update articulates principles of effective internal control
  Control Environment
    1. The organization demonstrates a commitment to integrity and ethical values.
    2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
    3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
    4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
    5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
  16. Update articulates principles of effective internal control (continued)
  Risk Assessment
    6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
    7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
    8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
    9. The organization identifies and assesses changes that could significantly impact the system of internal control.
  17. Update articulates principles of effective internal control (continued)
  Control Activities
    10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
    11. The organization selects and develops general control activities over technology to support the achievement of objectives.
    12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.
  18. Update articulates principles of effective internal control (continued)
  Information & Communication
    13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
    14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
    15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
  19. Update articulates principles of effective internal control (continued)
  Monitoring Activities
    16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
    17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
  20. Points of Focus
  The Framework describes points of focus, which are important characteristics of the principles:
  – Some points of focus may not be relevant, and others may be identified based on specific circumstances
  – The points of focus may facilitate designing, implementing, and conducting internal control and assessing its effectiveness
  There is no requirement to separately assess whether points of focus are in place.
  21. Transition Timing
  May 2013 – Paul Beswick, SEC Chief Accountant:
  – “SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. However, at this time, I’ll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition.”
  September 2013 – Center for Audit Quality, SEC Regulations Committee meeting highlights:
  – [SEC Staff] indicated that the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC’s requirement to use a suitable, recognized framework
  22. Draft Disclosure
  A key part of your disclosure will be to identify which version of the COSO Framework you have used: COSO 1992 or COSO 2013.
  23. Possible Impact
  – Does your organization apply and interpret the narrative included in the 1992 Framework in the same manner as the COSO Board?
  – Does your system of internal control cover all 17 principles?
  – Does your SOX program include the documentation and evaluation of all 5 components, or only of Control Activities?
  – Does your risk assessment give enough consideration to fraud risk?
  – Do your controls extend to processes that have been outsourced?
  – Have you documented and evaluated your Board’s oversight of the system of internal controls?
  – How will you use the framework: for SOX only, or also for other reporting, operating, or compliance objectives?
  24. Recap
  The framework hasn’t really changed much at all:
  – Same definition of internal control / 5 components
  – Still follow SEC guidance in determining severity of deficiencies
  – Areas of emphasis:
    • Considering fraud in the risk assessment
    • Controls over outsourced processes
    • Role of the Board in oversight of the system of internal controls
  All relevant principles must be present and functioning (Points of Focus are not required). Are all of the principles covered in your SOX 404 program?
  – Do you have gaps in control, documentation, or monitoring?
  – Your evaluation of the system of IC at the end of the year will need to address all relevant principles.
  25. Polling Question 2
  What is required under COSO 2013 for Internal Control to be deemed “effective”?
  [ ] All 17 Principles have to be Present and Functioning
  [ ] The 5 core components of internal control have to operate together
  [ ] The 87 Points of Focus have to map to your Entity-Level Controls
  [ ] All of the above
  [ ] Just the first two points above
  26. Project Management, Roles and Responsibilities
  27. Dow’s COSO 2013 Transition: Project Planning
  – Dow will transition to COSO 2013 during 2014
  – Focused on Internal Control over External Financial Reporting
  – Project managed by the Internal Control Compliance Group
  – Broad awareness and communication: key functions engaged (Finance, IT, HR, etc.); coordinated with Internal Audit
  – Audit Committee oversight
  – External auditor engagement
  – Consideration of ICEFR “hot topics”
  28. Polling Question 3
  Which of the following most closely describes your company’s approach to mapping for COSO 2013?
  [ ] We are mapping our existing controls to COSO 2013’s 17 Principles, but not to the 87 points of focus.
  [ ] We are mapping our existing controls to COSO 2013’s 17 Principles AND all 87 points of focus, because of strong pressure from our auditors to do so.
  [ ] We are mapping our existing controls to COSO’s 17 principles and most or all of COSO’s 87 points of focus voluntarily, because we found it helpful to do so.
  [ ] We are mapping our existing controls to COSO’s 17 principles and most or all of COSO’s 87 points of focus voluntarily, because we believe it will reduce the work and cost of our external auditor engaging in the same activity by enabling them to review our having done that exercise.
  [ ] Don’t know
  29. Mapping Your Controls to COSO 2013
  30. Mapping Analysis: Background
  – Internal control is not a new concept
  – COSO’s 5 core components are not “new”
  – Sarbanes-Oxley Section 404 is not “new”
  – Judgment is still required in designing, implementing, and assessing internal control
  – The transition from COSO 1992 to COSO 2013 is considered by many, as a practical matter, a “mapping” exercise
  31. Gap Analysis
  “Mapping” or an alternative method of gap analysis will vary. The degree of documentation and effort will vary, company by company, based on:
  – Current state of internal control
  – Degree to which current controls have kept up with change
  – Quality and quantity of existing documentation
  – Size and complexity of the business
  32. Mapping Analysis: Raytheon’s Approach
  – We started with the COSO Excel templates available when the Framework was purchased
  – We modified the COSO standard templates to map our key controls to the points of focus for each of the 17 principles; explanations for each assignment were documented to serve as a record of why the control met the point of focus
  – The mapping exercise identified the level of coverage for the points of focus within each principle and allowed us to assess whether all points of focus were covered and to assess the strength/weakness of coverage
  33. Mapping Analysis: Lessons We Learned
  – Took longer than expected to complete
  – COSO material was helpful throughout the process
  – Focused on the impact to Internal Control Over Financial Reporting to ensure completion in 2014
  – Project timeline was helpful to ensure communication with stakeholders, including internal and external auditors
  – Required documentation enhancements in selected areas
  34. Dow’s COSO 2013 Transition: Controls Mapping & Gap Assessment
  Performed a robust gap assessment:
  – Mapped existing controls to Points of Focus and Principles
  Will not result in a significant change to Dow’s SOX compliance process or controls:
  – Expanded documentation of specific attributes of certain controls
  – Will need to obtain specific evidence of operating effectiveness
  – Enhanced controls in a few areas
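  The mapping exercise Raytheon and Dow describe above (key controls assigned to points of focus, then coverage assessed principle by principle) as a small worked example in Python. This is an added illustration, not code from the webinar, FEI, BlackLine, Raytheon or Dow; the excerpt of principles, the abbreviated point-of-focus labels, and the control inventory (identifiers such as ELC-01 and FR-01) are constructed for this example. It keeps the distinction the deck draws: a principle with no control mapped to it at all is a candidate major deficiency, whereas unaddressed points of focus under a covered principle are a judgment call for documentation enhancement, not an automatic deficiency.

```python
"""Control-to-principle gap analysis (added example, not the webinar's own
material).  Map each key control to the points of focus it addresses, then
report coverage per principle.  The principle excerpt, point-of-focus labels
and control inventory below are constructed for illustration; a real mapping
carries all 17 principles and the full COSO 2013 templates."""
from collections import defaultdict

# Constructed excerpt: principle number -> (component, abbreviated points of focus).
# Numbering follows the framework; the labels are shortened paraphrases.
PRINCIPLES = {
    1: ("Control Environment", ["tone at the top", "standards of conduct",
                                "evaluates adherence", "addresses deviations"]),
    8: ("Risk Assessment", ["types of fraud", "incentives and pressures",
                            "opportunities", "attitudes and rationalizations"]),
    9: ("Risk Assessment", ["changes in external environment",
                            "changes in business model", "changes in leadership"]),
    11: ("Control Activities", ["dependency on technology general controls",
                                "technology infrastructure", "security management",
                                "acquisition, development and maintenance"]),
    17: ("Monitoring Activities", ["assesses results", "communicates deficiencies",
                                   "monitors corrective actions"]),
}

# Constructed control inventory: control id -> [(principle, point of focus), ...].
# Nothing is mapped to Principle 9, and Principle 11 is only partly covered.
CONTROLS = {
    "ELC-01 Code of conduct acknowledged annually": [(1, "standards of conduct"),
                                                     (1, "evaluates adherence")],
    "ELC-02 Board reviews ethics hotline reports": [(1, "tone at the top"),
                                                    (1, "addresses deviations")],
    "FR-01 Annual ICFR fraud risk assessment": [(8, "types of fraud"),
                                                (8, "incentives and pressures"),
                                                (8, "opportunities"),
                                                (8, "attitudes and rationalizations")],
    "ITGC-03 Quarterly privileged access review": [(11, "security management")],
    "MON-02 Audit committee reviews deficiency log": [(17, "assesses results"),
                                                      (17, "communicates deficiencies"),
                                                      (17, "monitors corrective actions")],
}


def coverage(principles=PRINCIPLES, controls=CONTROLS):
    """Return {principle: {"component", "covered": {pof: [control ids]},
    "uncovered": [pof]}}.  A mapping to an unknown principle or point of
    focus raises, because in a spreadsheet a misspelled label silently
    becomes a coverage gap instead of an error."""
    hits = defaultdict(lambda: defaultdict(list))
    for cid, mappings in controls.items():
        for pnum, pof in mappings:
            if pnum not in principles or pof not in principles[pnum][1]:
                raise ValueError(f"{cid}: unknown mapping ({pnum}, {pof!r})")
            hits[pnum][pof].append(cid)
    report = {}
    for pnum, (component, pofs) in principles.items():
        covered = {p: hits[pnum][p] for p in pofs if hits[pnum][p]}
        report[pnum] = {"component": component, "covered": covered,
                        "uncovered": [p for p in pofs if p not in covered]}
    return report


def candidate_major_deficiencies(report):
    """Principles with no control mapped at all.  A principle that is not
    present and functioning is a major deficiency under the framework, so
    each of these needs remediation or a documented reason it is not relevant."""
    return [pnum for pnum, r in report.items() if not r["covered"]]


def weak_coverage(report):
    """Principles that have controls but leave some points of focus unaddressed.
    Points of focus are not separately required, so this is a review list for
    documentation enhancement, not an automatic deficiency."""
    return {pnum: r["uncovered"] for pnum, r in report.items()
            if r["covered"] and r["uncovered"]}


if __name__ == "__main__":
    rep = coverage()
    for pnum, r in rep.items():
        total = len(r["covered"]) + len(r["uncovered"])
        print(f"Principle {pnum:>2} ({r['component']}): "
              f"{len(r['covered'])}/{total} points of focus covered")
    print("candidate major deficiencies:", candidate_major_deficiencies(rep))
    print("weak coverage:", weak_coverage(rep))
```

  Run as a script it prints the per-principle coverage, flags Principle 9 as the candidate major deficiency, and lists the three unaddressed points of focus under Principle 11. The explicit error on an unknown label is the check worth carrying into a spreadsheet-based mapping: use data validation on the principle and point-of-focus columns so a typo cannot quietly hide a gap.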
  35. Polling Question 4
  How confident are you that Chief Executive Officers and the Boards of Directors that oversee them are up to speed on the changes to the COSO internal control framework and how it plays into the CEOs’ and CFOs’ Sarbanes-Oxley assertions for calendar-year-end companies beginning this year-end?
  [ ] Very confident
  [ ] Confident
  [ ] Not very confident
  36. Working with the Auditors: Management’s Perspective
  Since 2004, our SOX programs have evolved and improved. Most of us have robust systems of controls and have developed thorough and efficient programs for monitoring our controls and evaluating effectiveness. Our auditors have audited our controls and have given their opinions year after year. COSO 2013 is not a major change to the 1992 Framework. So, the transition project should not be a major effort. We shouldn’t be starting over on SOX, with a blank sheet of paper and a top-to-bottom documentation exercise.
  37. Working with the Auditors: Auditors’ Perspective
  Since 2004/2007, audits of internal controls have been based on AS2/AS5, and have been influenced by PCAOB inspections. COSO 2013’s 17 principles and 60 or so Points of Focus are new elements in the internal controls audit. The PCAOB alert issued in November included several areas in the audit of internal controls that auditors are going to focus on this year, in addition to COSO (e.g., management review controls). The PCAOB will be looking for documentation on all of the above, so the auditors will be cascading these requirements to their clients. The firms have developed templates for collecting the documentation; the comprehensive nature of these templates can potentially generate more work than the minor tweaks to the framework might suggest would be necessary.
  38. Suggestions
  We have engaged with our auditors early and often, sharing our plans and early assessments, and seeking their feedback. Our project plan includes reviews with them at each step along the way:
  – Preliminary Assessment
  – Project Plan Review
  – Mapping Exercise
  – Documentation / Remediation
  – Testing and Evaluation
  We have segregated the COSO project from work related to other PCAOB-highlighted topics. We have tried wherever possible to use our auditors’ templates, in the interest of overall efficiency, but we have discussed the need to limit the amount of detail we are trying to collect in these forms.
  39. Benefits
  The COSO board firmly believes that the principles in the COSO framework can help companies be more successful.
  40. Risk Assessment
  One of the most significant updates to COSO’s framework, from management’s perspective, is Principle 8, which requires management to perform a fraud risk assessment.
  41. Dow’s COSO 2013 Transition: Consideration of Fraud Risk
  – Internal Control Compliance Group conducts a formal ICFR fraud risk assessment annually
  – Input from multiple groups across the organization
  – Identify and document fraud schemes specific to ICFR
  – Consider which groups could commit the fraud, and how
  – Identify controls in place to detect and mitigate each fraud risk
  – Consideration of fraud risks at outsourced service providers
  – Audit Committee oversight
  – Fraud awareness training and communication
  – Ongoing monitoring activities
  42. Polling Question 5
  Who leads your COSO Project Planning Team at your company?
  [ ] Internal Audit
  [ ] Sarbanes-Oxley Group in Corp. Compliance Dept.
  [ ] Sarbanes-Oxley Group in Corporate Controllers
  [ ] Internal Control/Financial Control Group in Corporate Compliance
  [ ] Internal Control/Financial Control Group in Corporate Controllers
  [ ] Finance/Corporate Controllers Dept – Other
  [ ] Other
  For more information about COSO, go to
  For more information about COSO, internal controls, Governance Risk and Compliance and topics of interest to senior-level financial executives, audit committee members, and academics, visit Financial Executives International (FEI), Financial Executives Research Foundation (FERF) and FEI Daily.
