2013 COSO What’s new, what’s changed, why does it matter?

A presentation of our recent webinar on COSO

  • Lark to administer this poll question.
  • Speaker Notes: During the webcast registration process we provided you the opportunity to submit your questions regarding the 2013 COSO Framework. We are pleased to report that we received an overwhelming response to this request, with more than 2,000 people registering and over 400 questions submitted. Thank you for sharing your questions with us; we have used these questions as we defined the content for our webinar today. The list that is up on the screen is a summary of the topics covered in the questions you submitted. We had varying types of questions asked by the audience that spanned a wide variety of knowledge and experience with the COSO framework. For example, some people wanted to discuss the background of COSO and the reasons for the change, while others were more focused on specific details related to the implementation of the framework. We also had a number of questions about how this might be impacted by specific external audit firms.
  • Speaker Notes: Here is a small representation of the questions that we are hearing in the market and from people like you when you submitted them during the registration process. Because we had such a large number of questions submitted and they covered a wide range of topics, we are developing a webcast series to properly address your questions. We recognize that the transition to the framework will be different for every organization and that the timing and approach that individual companies take will need to reflect their own organizations. Today’s webcast is the first of a series of COSO-focused webcasts that Protiviti plans to offer during the remainder of 2013 and into 2014. Due to the number of registrants and the depth of questions, we have decided that the topics of these webcasts will continue to be driven by the registrants.
  • Speaker’s Notes: We are very excited to talk to you about the 2013 COSO Framework. Today we will cover the topics outlined here. We realize that this is a small representation of the topics you all submitted during the registration process. We have dedicated the next hour to these topics. Again, this is the first of a series of COSO-focused webcasts that we plan to offer. We will address topics not covered today in a future webcast.
  • Speaker’s Notes: We will host the second webcast in this series during October 2013. During this webcast we will focus on the topic of implementing the 2013 COSO Framework. In that webinar we will get into more detail on building the project plan and how to implement it. You can register for the October webinar via the Attachments link in the webcast software. We will also send out a formal invitation in the coming weeks. We have plenty to cover in the next hour. Because we gathered your questions ahead of time, and in order to stay on topic, we will not have a formal Q&A session at the end of today’s webcast. We want to spend as much time as possible on the topics we’ve identified for today. However, we still would like to hear what questions you have in order to design the content for our future webinars and to see if we need to provide clarity on any of the topics we have on today’s agenda. So, with that in mind, please submit questions that come to mind during today’s event by using the Questions link at the top of the webcast software. Your questions will help design our future COSO webcast series, as we want the series to properly reflect the questions top-of-mind to you.
  • Speaker Notes: Keith to transition to Bob for this slide. Bob to introduce this section.
  • Example questions received from the audience: What is the purpose of the COSO framework? Are most companies implementing the new COSO model from a SOX perspective (not operational)?
    Speaker Notes: COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO Internal Control – Integrated Framework is by far the most commonly used and referenced framework by which companies and their external auditors evaluate their internal controls over financial reporting, particularly for purposes of SOX reporting in the U.S. There is no ‘mandate’ to use the COSO Internal Control framework; however, most companies use it for SOX compliance, as it meets the criteria set forth by the SEC for a suitable internal control framework. COSO is also an appropriate framework for non-public companies to adopt to improve their internal control structure.
  • Example question received from the audience: Is COSO required for all businesses?
    Speaker Notes: To build on the PCAOB’s Auditing Standard No. 2, a framework is only suitable when it is:
    – Free from bias
    – Permits reasonably consistent qualitative and quantitative measurement of a company’s internal control over financial reporting
    – Sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company’s internal control over financial reporting are not omitted
    – Relevant to an evaluation of internal control over financial reporting
    COSO Internal Control – Integrated Framework meets these criteria. COSO has been used primarily for SOX compliance, so that is where the attention is with the adoption over the next 12+ months.
  • Example questions received from the audience: We received 11 questions in the Why Change category. What prompted the changes to the COSO framework? Why were changes in the framework considered necessary? What are the advantages of the change?
  • Example questions received from the audience: How does the initial COSO translate into COSO 2013? What are the major differences between the new and old frameworks?
    Speaker Notes: For those familiar with the old framework, the new framework will look very familiar. You can get a copy of the framework’s executive summary on COSO’s website. When implementing COSO for SOX, most companies focused on Control Activities at the expense of the other COSO components.
  • Example questions received from the audience: How does the initial COSO translate into COSO 2013? What are the major differences between the new and old frameworks?
    Speaker Notes: COSO’s Monitoring Control and ERM guidance are still in effect. The Smaller Public Company guidance issued by COSO is superseded by the new framework.
  • Lark to administer this poll question.
  • Speaker Notes: Jim to introduce this section.
  • Example questions from the audience: We received 19 questions around this topic, particularly as it relates to mapping guidance. Some of them include: What are the most important changes? How often should we expect that all of the 17 Principles will not apply? Do you find that most of the 17 principles can be applied to entity level controls? Are there any resources/guidance around mapping the 17 principles to a company’s control environment?
    Speaker Notes: We expect that all companies will need to evaluate the 17 principles codified in the new framework. Within control activities, companies generally need to increase the precision of management review controls, and this has been a common finding in the PCAOB inspection report findings for SOX.
  • Example question received from the audience: Are the 81 points of focus to be used as guidelines or as a mandatory part of the framework?
    Speaker Notes: Companies will need to determine whether the points of focus are relevant for their organization. As you think about points of focus, let’s circle back to the three things we should remember about COSO:
    – Overall, the assessment of the effectiveness of internal control is directed to the five components and their underlying principles
    – While points of focus are intended to provide helpful guidance to assist management in designing, implementing and conducting internal control and in assessing whether relevant principles are present and functioning, the New Framework does not require separate evaluations of whether they are in place
    – If management intends to use points of focus when evaluating whether the principles to which they apply are present and functioning, assess whether they are suitable, relevant and complete based on the company’s specific circumstances
  • Lark to administer this poll question.
  • Speaker Notes: Jim to introduce this section.
  • Example questions from the audience: We received 6 questions around testing. Some of them are: Does COSO provide guidance on testing operating effectiveness of the controls? What impact will this have on internal audit’s approach to SOX (testing and evaluation of deficiencies)?
    Speaker Notes: In determining whether a component of internal control is present and functioning, senior management, with the board of directors’ oversight, needs to determine to what extent relevant principles underlying the component are “present and functioning.” Principles that are present and functioning operate within a range of acceptability and do not need to achieve the highest level of performance.
  • Example question from the audience: What are the best methods for determining if components are “operating together”?
    Speaker Notes: “Operating together” refers to “the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.” Because components operate together, controls in one area of the framework can be leveraged to address other components, providing the opportunity to streamline controls. Another view of “operating together” recognizes that components are interdependent with a multitude of interrelationships and linkages, particularly in terms of how principles interact within and across components. For example:
    – The development and deployment of policies and procedures as part of Control Activities contributes to the mitigation of risks identified and analyzed within Risk Assessment.
    – The communication of internal control deficiencies to those responsible for taking corrective actions as part of Monitoring Activities reflects a full understanding of the entity’s structures, reporting lines, authorities and responsibilities as set forth in the Control Environment and as communicated within Information and Communication.
  • Example questions from the audience: Does a “major deficiency” imply a SOX 404 material weakness that precludes an unqualified opinion? When should we expect a final decision regarding new terminology re: deficiencies and weaknesses? What impact will this have on internal audit’s approach to SOX (testing and evaluation of deficiencies)?
    Speaker Notes: COSO has new terminology for deficiencies, and defers to regulatory guidance when the framework is used for that purpose. The criteria set forth by the new framework (through the components and principles) provide the basis for management to apply judgment when assessing the effectiveness of internal control.
  • Example questions from the audience: Does COSO provide a confidence level to use? Is there guidance on how to implement the 2013 COSO Framework for smaller reporting companies? (6 questions around this)
  • Lark to administer this polling question.
  • Speaker Notes: Keith to introduce this section.
  • Questions received from the audience: We received 33 questions about transitioning to the new framework. Most centered around the effective date. Here are some examples: Effective date? Will it be possible to continue using the 1992 framework after the 2013 implementation date has passed? Will this be delayed further? SEC expectations? (5 questions)
    Speaker Notes: Companies will not want to defer implementing the new framework; you can probably expect the SEC to ask why you used the old framework after December 2014, along with external auditor push back. Organizations should do a gap assessment against COSO 2013 before their next year-end report to determine if there are any gaps that might require disclosure under the old COSO framework. There are a limited number of circumstances where immediate application is encouraged. COSO 2013 provides companies with an opportunity to refresh their documentation and look at it with a new set of eyes.
  • Example questions from the audience: We received 9 questions about implementation specific to the actions necessary. Examples include: What do you think the most difficult part of the transition will be? What are the practical ways to apply the new changes? Do you recommend that the project manager be located outside of Internal Audit? How do you convert current documentation to meet the 2013 requirements?
    Speaker Notes: For companies that are getting ready to go public and are using COSO for the first time, it makes sense to use the new framework now. Consider the implications for outsourced service providers.
  • Example questions received from the audience: We received 93 questions around implementation, with 32 of them centering around the timeline for implementation and whether it is mandatory. Can you share a sample transition plan? What are the required transition timeline(s) for implementing the updated framework? What is the baseline time frame for implementation?
  • Questions received from the audience: We received 25 questions on SOX testing implications. How will this change established SOX programs/testing? How does this impact management’s testing of SOX controls?
    Speaker Notes: How well your organization has kept its SOX documentation up to date, and whether it has experienced any significant changes recently, will drive the level of update effort. For companies that have experienced the rigor of several years of compliance under Section 404 of Sarbanes-Oxley, it won’t be a significant undertaking. The compendium of approaches and examples for application of the framework to internal control over financial reporting may be useful for SOX initiatives and emphasizes the top-down, risk-based approach.
  • Questions received from the audience: We received 8 questions on level of effort. What changes are required to implement from a practical perspective? What is the most used approach: identify gaps and then work on the gaps? Anticipated cost and hours?
  • We’ve recently updated our frequently asked questions on COSO Internal Control.
  • Speaker’s Notes: Thank you again for attending today’s webcast and for continuing to submit questions related to the 2013 COSO Framework. As mentioned earlier, we will review these questions to help design our ongoing COSO webcast series. Don’t forget to register for our October webinar using the instructions provided on this slide. We will send out an invitation for this webcast in the near future.

    1. COSO 2013: What’s New, What’s Changed, Why Does it Matter and Other Frequently Asked Questions
    2. A Reminder… Following the webinar, all attendees will receive a link to a copy of the recorded webcast. You can download a PDF version of the slides through the Attachments link. If you are experiencing technical difficulties during the webcast, let us know by clicking on the Questions link at the top of your screen. Please provide your e-mail address for a swift reply. Although we will not have a formal Q&A at the end of this webcast, we encourage you to submit your questions throughout the webcast. We will address your questions throughout today’s COSO webinar or the remaining COSO webinar series we have planned in 2013 and 2014. If you are having trouble hearing the audio through the computer, separate phone lines are available. International: +44 (0) 1452 555566; United States: +1 866 966 9439; Conference ID: 36201187. © 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
    3. CPE Credits and Supplemental Information. We are issuing 1 CPE credit for this presentation. • To be eligible for CPE credit, please answer four (4) out of the five (5) polling questions throughout the duration of this webinar • Download the CPE Course Evaluation Form through the Attachments link in the webcast software – Return this evaluation form to Lark Scheierman at Protiviti via e-mail: lark.scheierman@protiviti.com • Download the PDF version of today’s presentation through the Attachments link. Trouble hearing the audio through the computer? Dial in! Phone: 1 866 966 9439, Conference ID: 36201187
    4. Today’s Presenters: Keith Kawashima is a Managing Director in Protiviti’s Silicon Valley office. Keith has over 20 years of experience in finance and accounting, including 10+ years with Protiviti/Arthur Andersen’s Internal Audit practice and more than 10 years of corporate experience in both Finance and Operations prior to joining Protiviti. He has been involved in all aspects of a company’s internal audit function, from establishing a charter and developing a risk-based internal audit plan, to developing and executing work programs, through reporting at the audit committee and board level. Email: Keith.Kawashima@protiviti.com
    5. Today’s Presenters: Bob Hirth serves as COSO Chair and was unanimously elected by the board of its sponsoring organizations to serve a three year term beginning June 1, 2013. His experience includes all of COSO’s mission disciplines: Enterprise Risk Management, Internal Control and Fraud Deterrence. He has worked on assignments and made presentations in over 15 countries, serving more than 50 organizations and working closely with board members, C-level executives, finance and accounting personnel and accounting firm partners and employees. Most recently, he served as a Senior Managing Director of Protiviti, a global internal audit and business risk consulting firm that operates in 22 countries. Prior to that, he was Executive Vice President, Global Internal Audit and a member of the Firm’s six-person executive management team for the first ten years of Protiviti’s development. In 2012, Bob was appointed to serve a two year term on the Standing Advisory Group of the Public Company Accounting Oversight Board (PCAOB). In March 2013, he was inducted into The American Hall of Distinguished Audit Practitioners. E-mail: Robert.Hirth@protiviti.com
    6. Today’s Presenters: Jim DeLoach is a Managing Director in Protiviti’s Houston office. He has served on the COSO Advisory Council with respect to several COSO projects since 2002, the most recent project being the Internal Control – Integrated Framework Update. He has worked with, and delivered numerous presentations on risk management to, hundreds of companies and groups in 30 countries. He writes Protiviti’s Flash Reports, The Bulletin and Board Perspectives: Risk Oversight. In addition, he writes a monthly blog on the online magazine of the National Association of Corporate Directors and a monthly column for Corporate Compliance Insights. He also wrote all four editions of Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements. E-mail: Jim.DeLoach@protiviti.com
    7. Poll Question #1: Have you read the COSO Internal Control Integrated Framework Executive Summary? • Yes • No, but it is on my to-do list • No, didn’t know how to access it
    8. Topics of Questions You Submitted: • Background and history of COSO • Implications for SOX • Reason for change • Guidance from the SEC • Most important changes • IT implications • 17 principles • Public vs. private sectors • Points of focus • Working with external auditor • Present and functioning • Risk assessment • Internal control deficiencies • Implementation guidance • Components operating together • ERM • Transitioning to the new framework • Fraud • Level of effort required • Internal audit • Change management • Continuous improvement • Size of company. Thank you for all of your questions!
    9. Questions We Are Hearing: • What has changed and what does it mean to us? • Do we need to move to COSO 2013, or can I stay with COSO 1992? • What will our external auditors require? • When do we need to change? • Under what circumstances should we consider being an early adopter? • How much effort will it take for our organization to transition to COSO 2013? • If we stay with COSO 1992 this year with the intent to transition next year, do we need to map our controls to the COSO 2013 principles this year? • What will happen if we do not transition to COSO 2013 by next year? • Will the SEC issue any guidance? • If we transition to COSO 2013 next year, do we need to use it for purposes of our Q1 Section 302 executive certification?
    10. Today We Will Cover… • Background on COSO • Why Change? • Important Changes • Deficiency Evaluation • Transitioning to the New Framework
    11. Future COSO Webinars. Next Webinar: COSO Implementation Guidance. Register for our second webinar in this series, scheduled for October 30th, via the Attachments link in the webcast software. Future Webinar Topics: • Discuss IT General Controls • Implications for Internal Audit • Linkage and Impact to ERM • Use of COSO for Non-ICFR • And More… Keep Your Questions Coming!!
    12. Question from our audience: Why were changes in the framework considered necessary? Section: Why Change?
    13. Background and History of COSO. [Figure: COSO Cube (1992 Edition). Objectives (columns): Operations, Financial Reporting, Compliance. Components (rows): Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring. Entity dimension: Unit A, Unit B; Activity 1, Activity 2, Activity 3.] • Committee Of Sponsoring Organizations of the Treadway Commission • Voluntary private sector organization • Formed in 1985 in response to corrupt and unethical business practices in the 1970s and 80s • COSO Internal Control Integrated Framework was developed in 1992 • Used by the majority of companies to evaluate their internal control environment, particularly as it relates to internal controls over financial reporting
    14. What is COSO and Why is it a Suitable Model? Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment. Source: PCAOB AS 2
    15. Why Change? Environment changes have driven Framework updates: • Expectations for governance oversight • Risk and risk-based approaches receive greater attention • Globalization of markets and operations • Increased complexity of business and organizational structures • Use of, and reliance on, evolving technologies • Demands and complexity in laws, rules, regulations and standards • Large-scale governance and internal control breakdowns • Expectations for competencies and accountabilities • Expectations relating to preventing and detecting fraud. [Figure: COSO Cube (2013 Edition)*] * Source: Chapter 2 of COSO Internal Control: Integrated Framework (2013).
    16. What Hasn’t Changed. Core definition of internal control: Internal control is a process effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to: • Operations • Reporting • Compliance. The cube retains its familiarity: objectives represent the columns; components represent the rows. Objectives may be set at the entity, division, operating unit or functional levels.
    17. What Hasn’t Changed. The criteria used to assess the effectiveness of an internal control system remain largely unchanged: assessed, using a principles-based approach, relative to the five components of internal control. To have an effective system of internal control relating to one, two or more categories of objectives, all five components must be: • Present and functioning, and • Operating together. The significant role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness, also remains: principles are provided for each component and management exercises judgment in determining the extent to which these principles are present and functioning.
    18. What’s Changed: 1. Codifies 17 principles supporting the five components of internal control 2. Clarifies role of objective-setting as a precursor to internal control 3. Reflects increased relevance of technology 4. Incorporates an enhanced discussion of governance concepts 5. Expands the reporting category of objectives to include non-financial and internal 6. Enhances consideration of antifraud expectations in its own principle 7. Increases the focus on non-financial reporting objectives to broaden use 8. Additional approaches and examples for operations, compliance and non-financial reporting objectives
    19. Poll Question #2: How do you document your SOX fraud risk assessment? • As a separate standalone analysis • Integrated into our process level risk and controls documentation • Both at an entity level and process level • We don’t evaluate fraud risk explicitly
    20. Question from our audience: How often should we expect that all of the 17 Principles will not apply? Section: Important Changes
    21. The Most Important Change: 17 Principles Representing Fundamental Concepts Associated with Each Component (number of points of focus for each principle in parentheses). CONTROL ENVIRONMENT: • Demonstrates commitment to integrity and ethical values (4) • Exercises oversight responsibility (4) • Establishes structure, authority and responsibility (3) • Demonstrates commitment to competence (4) • Enforces accountability (5). RISK ASSESSMENT: • Specifies relevant objectives (5) • Identifies and analyzes risk (5) • Assesses fraud risk (4) • Identifies and analyzes significant change (3). CONTROL ACTIVITIES: • Selects and develops control activities (6) • Selects and develops general controls over technology (4) • Deploys through policies and procedures (6). INFORMATION & COMMUNICATION: • Uses relevant information (5) • Communicates internally (4) • Communicates externally (5). MONITORING ACTIVITIES: • Conducts ongoing and/or separate evaluations (7) • Evaluates and communicates deficiencies (3)
    22. Points of Focus Represent Important Characteristics Associated With the Principles. Principles can be present and functioning without all points of focus. Points of focus represent helpful guidance and do not require separate evaluations. Management must use judgment on the relevance of the points of focus. They are not meant to imply a checklist. An example of these for the Control Environment principle “Demonstrates Commitment to Integrity and Ethical Values” is below. • Sets the Tone at the Top – The board of directors and management at all levels of the entity demonstrate through their directives, actions and behaviors the importance of integrity and ethical values to support the functioning of the system of internal control • Establishes Standards of Conduct – The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners • Evaluates Adherence to Standards of Conduct – Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct • Addresses Deviations in a Timely Manner – Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner
    23. 23. Poll Question #3 Did you use COSO’s 2006 Internal Control over Financial Reporting - Guidance for Smaller Public Companies to guide your SOX documentation? • Yes • No • Not sure 23 © 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
    24. 24. Question from our audience: What are the best methods for determining if components are “operating together”? Deficiency Evaluation
    25. 25. Present and Functioning To determine that a principle and component are “present and functioning”, the organization must: Understand the intent of the principle and how it is being applied Work to help personnel understand and apply the principle consistently across the entity View weaknesses in absence of a principle as a matter requiring management’s attention • “Present” refers to “the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives” (Design and Implementation Effectiveness) • “Functioning” refers to “the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives” (Operating Effectiveness) • Determine to what extent relevant principles underlying the component are “present and functioning” 25 © 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
26. Assessing Whether Components Operate Together

• Focus of evaluation is on how each of the five components is being applied as an integral part of the overall system of internal control, not just functioning on its own
• Components are interdependent with a multitude of interrelationships and linkages, particularly in terms of how principles interact within and across components
• From a practical standpoint, management can demonstrate that components operate together when they are present and functioning AND internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist
• Therefore, aggregate internal control deficiencies across components to assess whether major deficiencies exist
27. Assessment of Internal Control Deficiencies

• A deficiency is “a shortcoming in a component or components and relevant principle(s) that reduces the likelihood that the entity can achieve its objectives.” Not every deficiency will result in a conclusion that the entity does not have an effective system of internal control.
• Major deficiency = “an internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives”
• Management may be required to consider additional criteria established by external parties (e.g., regulators, standard-setting bodies, listing agencies, etc.)
• Alternative or compensating controls may further support a conclusion that a principle is present and functioning
28. Limitations on Internal Control

• No such thing as absolute assurance
• The framework comments on limitations of internal control, which result from:
  – The quality and suitability of objectives established as a precondition to internal control
  – The potential for flawed human judgment in decision-making
  – Management’s consideration of the relative costs and benefits in responding to risk and establishing controls
  – The potential for breakdowns that can occur because of human failures (such as simple errors or mistakes)
  – The possibility that controls can be circumvented by collusion of two or more people
  – The ability of management to override internal control functions and decisions
29. Poll Question #4

Were you aware that the criteria for evaluating deficiencies for SOX are unchanged?
• No
• Yes
30. Transitioning to the New Framework

Question from our audience: What do you think will be the most difficult part of the transition?
31. Transitioning to the New Framework

Transition as soon as feasible, but don’t wait too long
• 1992 Framework superseded on December 15, 2014
• Organizations can continue their use of the original version until December 15, 2014

Use of 1992 Framework beyond transition period is not an option
• There is a presumption the New Framework will be used after the transition period
• Must disclose which framework was used in the SOX internal control report
• The SEC staff has said they plan to monitor the transition for issuers
32. Next Steps

• Become familiar with COSO 2013
• Meet with management to discuss COSO 2013
• Establish a plan that will help your organization to successfully transition to COSO 2013
• Consider deploying a centralized, project management office (PMO)-like discipline to ensure a top-down, cost-effective approach to converting the underlying documentation to support a determination that the underlying principles outlined in the New Framework are present and functioning
• Designate roles, responsibilities and authorities for converting the documentation
• Meet with the external auditor as soon as possible to discuss expectations
• Develop a timeline for transition with appropriate milestones
• Internal audit should develop and communicate a transition plan to the new framework for purposes of planning, conducting and reporting on risk-based audits
33. Next Steps – Timeline (Q3/Q4 2013 through Q4 2014)

Milestones, in sequence:
• Project kick-off
  – Establish PMO
  – Adopt project plan for transition to COSO 2013
• Management training on COSO 2013
• Revise documentation to reflect change to COSO 2013
• Begin control testing to assess controls under new framework
• Conclude on internal control over financial reporting under new framework
34. Implications for SOX

• Top-down, risk-based approach is unchanged
• Clearly disclose in the internal control report whether the original or 2013 version was utilized during the transition period
• Convert existing internal control documentation to the principles-based approach
• Expect dialogue on the best time to map controls documentation to the 17 Principles
• Decide whether points of focus should be used and, if so, assess whether they are suitable, relevant and complete based on the company’s specific circumstances
35. Poll Question #5

When do you plan on implementing the COSO 2013 framework for ICFR?
• For year-end 2014
• This year
• Not sure
36. Impact – Considerations for Your Adoption of the 2013 Framework

Impact of adopting the updated Framework will vary by organization:
• Does your system(s) of internal control need to address changes in business?
• Does your system(s) of internal control need to be updated to address all principles?
• Does your organization apply and interpret the original Framework in the same manner as COSO?
• Is your organization considering new applications to cover new objectives?
37. Protiviti’s COSO FAQ – 2nd Edition

• The New Framework issued by COSO is an important development, as it facilitates efforts by organizations to develop cost-effective systems of internal control to achieve important business objectives and sustain and improve performance
• It also supports organizations as they adapt to the increasing complexity and pace of a changing business environment, manage risks to acceptable levels and improve the reliability of information for decision-making
38. Future COSO Webinars

Next Webinar: COSO Implementation Guidance
Register for our second webinar in this series, scheduled for October 30th, via the Attachments link in the webcast software

Future Webinar Topics
• Discuss IT General Controls
• Implications for Internal Audit
• Linkage and Impact to ERM
• Use of COSO for Non-ICFR
• And More… Keep Your Questions Coming!!
39. KnowledgeLeader Subscription

• Tools – Over 1,400 audit programs, checklists, questionnaires, methodologies, policies, charters and templates.
• Publications – Hot topics, regulatory updates, survey reports and other actionable publications.
• CPE – Upgrade to access 42 CPE credits through our online, self-paced courses.
• AuditNet – Access to hundreds more audit programs and other tools on AuditNet.

Access our COSO topic and many more! $595 per subscriber, per year. Find discounts and group pricing on www.knowledgeleader.com/Subscribe.

Have questions? Call 866-925-8513 (US and Canada) | 415-402-6489 (International) or email knowledgeleader@protiviti.com.