
2013 COSO What’s new, what’s changed, why does it matter?


A presentation of our recent webinar on COSO

Published in: Business, Technology


  1. COSO 2013: What’s New, What’s Changed, Why Does it Matter and Other Frequently Asked Questions
  2. A Reminder… Following the webinar, all attendees will receive a link to a copy of the recorded webcast. You can download a PDF version of the slides through the Attachments link. If you are experiencing technical difficulties during the webcast, let us know by clicking on the Questions link at the top of your screen. Please provide your e-mail address for a swift reply. Although we will not have a formal Q&A at the end of this webcast, we encourage you to submit your questions throughout the webcast. We will address your questions throughout today’s COSO webinar or the remaining COSO webinar series we have planned in 2013 and 2014. If you are having trouble hearing the audio through the computer, separate phone lines are available: International +44 (0) 1452 555566; United States +1 866 966 9439; Conference ID 36201187. © 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
  3. CPE Credits and Supplemental Information. We are issuing 1 CPE credit for this presentation. • To be eligible for CPE credit, please answer four (4) out of the five (5) polling questions throughout the duration of this webinar • Download the CPE Course Evaluation Form through the Attachments link in the webcast software; return this evaluation form to Lark Scheierman at Protiviti via e-mail: lark.scheierman@protiviti.com • Download the PDF version of today’s presentation through the Attachments link. Trouble hearing the audio through the computer? Dial in! Phone: 1 866 966 9439, Conference ID: 36201187
  4. Today’s Presenters: Keith Kawashima is a Managing Director in Protiviti’s Silicon Valley office. Keith has over 20 years of experience in finance and accounting, including 10+ years with Protiviti/Arthur Andersen’s Internal Audit practice and more than 10 years of corporate experience in both Finance and Operations prior to joining Protiviti. He has been involved in all aspects of a company’s internal audit function, from establishing a charter and developing a risk-based internal audit plan, to developing and executing work programs, through reporting at the audit committee and board level. E-mail: Keith.Kawashima@protiviti.com
  5. Today’s Presenters: Bob Hirth serves as COSO Chair and was unanimously elected by the board of its sponsoring organizations to serve a three-year term beginning June 1, 2013. His experience includes all of COSO’s mission disciplines: Enterprise Risk Management, Internal Control and Fraud Deterrence. He has worked on assignments and made presentations in over 15 countries, serving more than 50 organizations and working closely with board members, C-level executives, finance and accounting personnel, and accounting firm partners and employees. Most recently, he served as a Senior Managing Director of Protiviti, a global internal audit and business risk consulting firm that operates in 22 countries. Prior to that, he was Executive Vice President, Global Internal Audit, and a member of the Firm’s six-person executive management team for the first ten years of Protiviti’s development. In 2012, Bob was appointed to serve a two-year term on the Standing Advisory Group of the Public Company Accounting Oversight Board (PCAOB). In March 2013, he was inducted into The American Hall of Distinguished Audit Practitioners. E-mail: Robert.Hirth@protiviti.com
  6. Today’s Presenters: Jim DeLoach is a Managing Director in Protiviti’s Houston office. He has served on the COSO Advisory Council with respect to several COSO projects since 2002, the most recent project being the Internal Control – Integrated Framework Update. He has worked with, and delivered numerous presentations on risk management to, hundreds of companies and groups in 30 countries. He writes Protiviti’s Flash Reports, The Bulletin and Board Perspectives: Risk Oversight. In addition, he writes a monthly blog on the online magazine of the National Association of Corporate Directors and a monthly column for Corporate Compliance Insights. He also wrote all four editions of Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements. E-mail: Jim.DeLoach@protiviti.com
  7. Poll Question #1: Have you read the COSO Internal Control Integrated Framework Executive Summary? • Yes • No, but it is on my to-do list • No, didn’t know how to access it
  8. Topics of Questions You Submitted • Background and history of COSO • Implications for SOX • Reason for change • Guidance from the SEC • Most important changes • IT implications • 17 principles • Public vs. private sectors • Points of focus • Working with external auditor • Present and functioning • Risk assessment • Internal control deficiencies • Implementation guidance • Components operating together • ERM • Transitioning to the new framework • Fraud • Level of effort required • Internal audit • Change management • Continuous improvement • Size of company. Thank you for all of your questions!
  9. Questions We Are Hearing • What has changed and what does it mean to us? • Do we need to move to COSO 2013, or can I stay with COSO 1992? • What will our external auditors require? • When do we need to change? • Under what circumstances should we consider being an early adopter? • How much effort will it take for our organization to transition to COSO 2013? • If we stay with COSO 1992 this year with the intent to transition next year, do we need to map our controls to the COSO 2013 principles this year? • What will happen if we do not transition to COSO 2013 by next year? • Will the SEC issue any guidance? • If we transition to COSO 2013 next year, do we need to use it for purposes of our Q1 Section 302 executive certification?
  10. Today We Will Cover… • Background on COSO • Why Change? • Important Changes • Deficiency Evaluation • Transitioning to the New Framework
  11. Future COSO Webinars. Next Webinar: COSO Implementation Guidance. Register for our second webinar in this series, scheduled for October 30th, via the Attachments link in the webcast software. Future Webinar Topics: • Discuss IT General Controls • Implications for Internal Audit • Linkage and Impact to ERM • Use of COSO for Non-ICFR • And More… Keep Your Questions Coming!!
  12. Why Change? Question from our audience: Why were changes in the framework considered necessary?
  13. Background and History of COSO • Committee Of Sponsoring Organizations of the Treadway Commission • Voluntary private sector organization • Formed in 1985 in response to corrupt and unethical business practices in the 1970’s and 80’s • COSO Internal Control Integrated Framework was developed in 1992 • Used by the majority of companies to evaluate their internal control environment, particularly as it relates to internal controls over financial reporting. [Figure: COSO Cube (1992 Edition). Objectives (columns): Operations, Financial Reporting, Compliance. Components (rows): Monitoring, Information and Communication, Control Activities, Risk Assessment, Control Environment. Entity dimension: Unit A, Unit B, Activity 1, Activity 2, Activity 3.]
  14. What is COSO and Why is it a Suitable Model? “Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment.” Source: PCAOB AS 2
  15. Why Change? Environment changes… have driven Framework updates: • Expectations for governance oversight • Risk and risk-based approaches receive greater attention • Globalization of markets and operations • Increased complexity of business and organizational structures • Use of, and reliance on, evolving technologies • Demands and complexity in laws, rules, regulations and standards • Large-scale governance and internal control breakdowns • Expectations for competencies and accountabilities • Expectations relating to preventing and detecting fraud. [Figure: COSO Cube (2013 Edition)*] * Source: Chapter 2 of COSO Internal Control: Integrated Framework (2013).
  16. What Hasn’t Changed: the core definition of internal control. “Internal control is a process effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to: Operations, Reporting, Compliance.” The cube retains its familiarity: objectives represent the columns; components represent the rows; objectives may be set at the entity, division, operating unit or functional levels.
  17. What Hasn’t Changed: the criteria used to assess the effectiveness of an internal control system remain largely unchanged. • Effectiveness is assessed, using a principles-based approach, relative to the five components of internal control • To have an effective system of internal control relating to one, two or more categories of objectives, all five components must be: present and functioning, and operating together • The significant role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness, remains • Principles are provided for each component, and management exercises judgment in determining the extent to which these principles are present and functioning
  18. What’s Changed: 1. Codifies 17 principles supporting the five components of internal control 2. Clarifies role of objective-setting as a precursor to internal control 3. Reflects increased relevance of technology 4. Incorporates an enhanced discussion of governance concepts 5. Expands the reporting category of objectives to include non-financial and internal reporting 6. Enhances consideration of antifraud expectations in its own principle 7. Increases the focus on non-financial reporting objectives to broaden use 8. Provides additional approaches and examples for operations, compliance and non-financial reporting objectives
  19. Poll Question #2: How do you document your SOX fraud risk assessment? • As a separate standalone analysis • Integrated into our process level risk and controls documentation • Both at an entity level and process level • We don’t evaluate fraud risk explicitly
  20. Important Changes. Question from our audience: How often should we expect that all of the 17 Principles will not apply?
  21. The Most Important Change: 17 Principles Representing Fundamental Concepts Associated with Each Component (number of points-of-focus questions shown in parentheses)
     CONTROL ENVIRONMENT • Demonstrates commitment to integrity and ethical values (4) • Exercises oversight responsibility (4) • Establishes structure, authority and responsibility (3) • Demonstrates commitment to competence (4) • Enforces accountability (5)
     RISK ASSESSMENT • Specifies relevant objectives (5) • Identifies and analyzes risk (5) • Assesses fraud risk (4) • Identifies and analyzes significant change (3)
     CONTROL ACTIVITIES • Selects and develops control activities (6) • Selects and develops general controls over technology (4) • Deploys through policies and procedures (6)
     INFORMATION & COMMUNICATION • Uses relevant information (5) • Communicates internally (4) • Communicates externally (5)
     MONITORING ACTIVITIES • Conducts ongoing and/or separate evaluations (7) • Evaluates and communicates deficiencies (3)
  22. Points of Focus Represent Important Characteristics Associated With the Principles. Principles can be present and functioning without all points of focus. Points of focus represent helpful guidance and do not require separate evaluations. Management must use judgment on the relevance of the points of focus; they are not meant to imply a checklist. An example of these for the Control Environment principle “Commitment to Integrity and Ethical Values” is below.
     • Sets the Tone at the Top: The board of directors and management at all levels of the entity demonstrate through their directives, actions and behaviors the importance of integrity and ethical values to support the functioning of the system of internal control
     • Establishes Standards of Conduct: The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners
     • Evaluates Adherence to Standards of Conduct: Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct
     • Addresses Deviations in a Timely Manner: Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner
  23. Poll Question #3: Did you use COSO’s 2006 Internal Control over Financial Reporting – Guidance for Smaller Public Companies to guide your SOX documentation? • Yes • No • Not sure
  24. Deficiency Evaluation. Question from our audience: What are the best methods for determining if components are “operating together”?
  25. Present and Functioning • “Present” refers to “the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives” (design and implementation effectiveness) • “Functioning” refers to “the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives” (operating effectiveness) • Determine to what extent relevant principles underlying the component are “present and functioning”. To determine that a principle and component are “present and functioning”, the organization must: understand the intent of the principle and how it is being applied; work to help personnel understand and apply the principle consistently across the entity; and view weaknesses in the absence of a principle as a matter requiring management’s attention.
  26. Assessing Whether Components Operate Together • The focus of evaluation is on how each of the five components is being applied as an integral part of the overall system of internal control, not just functioning on its own • Components are interdependent, with a multitude of interrelationships and linkages, particularly in terms of how principles interact within and across components • From a practical standpoint, management can demonstrate that components operate together when they are present and functioning AND internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist • Therefore, aggregate internal control deficiencies across components to assess whether major deficiencies exist
  27. Assessment of Internal Control Deficiencies. A deficiency is “a shortcoming in a component or components and relevant principle(s) that reduces the likelihood that the entity can achieve its objectives.” Not every deficiency will result in a conclusion that the entity does not have an effective system of internal control. Major deficiency = “an internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives.” Management may be required to consider additional criteria established by external parties (e.g., regulators, standard-setting bodies, listing agencies, etc.). Alternative or compensating controls may further support a conclusion that a principle is present and functioning.
  28. Limitations on Internal Control • There is no such thing as absolute assurance • The framework comments on the limitations of internal control, which result from: – The quality and suitability of objectives established as a precondition to internal control – The potential for flawed human judgment in decision-making – Management’s consideration of the relative costs and benefits in responding to risk and establishing controls – The potential for breakdowns that can occur because of human failures (such as simple errors or mistakes) – The possibility that controls can be circumvented by collusion of two or more people – The ability of management to override internal control functions and decisions
  29. Poll Question #4: Were you aware that the criteria for evaluating deficiencies for SOX are unchanged? • No • Yes
  30. Transitioning to the New Framework. Question from our audience: What do you think will be the most difficult part of the transition?
  31. Transitioning to the New Framework. Transition as soon as feasible, but don’t wait too long: • 1992 Framework superseded on December 15, 2014 • Organizations can continue their use of the original version until December 15, 2014. Use of the 1992 Framework beyond the transition period is not an option: • There is a presumption the New Framework will be used after the transition period • Must disclose which framework was used in the SOX internal control report • The SEC staff has said they plan to monitor the transition for issuers
  32. Next Steps • Become familiar with COSO 2013 • Meet with management to discuss COSO 2013 • Establish a plan that will help your organization to successfully transition to COSO 2013 • Consider deploying a centralized, project management office (PMO)-like discipline to ensure a top-down, cost-effective approach to converting the underlying documentation to support a determination that the underlying principles outlined in the New Framework are present and functioning • Designate roles, responsibilities and authorities for converting the documentation • Meet with the external auditor as soon as possible to discuss expectations • Develop a timeline for transition with appropriate milestones • Internal audit should develop and communicate a transition plan to the new framework for purposes of planning, conducting and reporting on risk-based audits
  33. Next Steps [Figure: transition timeline spanning Q3/Q4 2013, Q1 2014, Q2 2014, Q3 2014 and Q4 2014.] • Project kick-off: management training on COSO 2013; establish PMO; adopt project plan for transition to COSO 2013 • Revise documentation to reflect change to COSO 2013 • Begin control testing to assess controls under new framework • Conclude on internal controls over financial reporting under new framework
  34. Implications for SOX • Top-down, risk-based approach is unchanged • Clearly disclose in the internal control report whether the original or 2013 version was utilized during the transition period • Convert existing internal control documentation to the principles-based approach • Expect dialogue on the best time to map controls documentation to the 17 Principles • Decide whether points of focus should be used and, if so, assess whether they are suitable, relevant and complete based on the company’s specific circumstances
  35. Poll Question #5: When do you plan on implementing the COSO 2013 framework for ICFR? • For year-end 2014 • This year • Not sure
  36. Impact – Considerations for Your Adoption of the 2013 Framework. The impact of adopting the updated Framework will vary by organization: • Does your system(s) of internal control need to address changes in business? • Does your system(s) of internal control need to be updated to address all principles? • Does your organization apply and interpret the original Framework in the same manner as COSO? • Is your organization considering new applications to cover new objectives?
  37. Protiviti’s COSO FAQ – 2nd Edition • The New Framework issued by COSO is an important development, as it facilitates efforts by organizations to develop cost-effective systems of internal control to achieve important business objectives and sustain and improve performance • It also supports organizations as they adapt to the increasing complexity and pace of a changing business environment, manage risks to acceptable levels and improve the reliability of information for decision-making
  38. Future COSO Webinars. Next Webinar: COSO Implementation Guidance. Register for our second webinar in this series, scheduled for October 30th, via the Attachments link in the webcast software. Future Webinar Topics: • Discuss IT General Controls • Implications for Internal Audit • Linkage and Impact to ERM • Use of COSO for Non-ICFR • And More… Keep Your Questions Coming!!
  39. KnowledgeLeader subscription • Tools: Over 1,400 audit programs, checklists, questionnaires, methodologies, policies, charters and templates • Publications: Hot topics, regulatory updates, survey reports and other actionable publications • CPE: Upgrade to access 42 CPE credits through our online, self-paced courses • AuditNet: Access to hundreds more audit programs and other tools on AuditNet. Access our COSO topic and many more! $595 per subscriber, per year. Find discounts and group pricing on www.knowledgeleader.com/Subscribe. Have questions? Call 866-925-8513 (US and Canada) | 415-402-6489 (International) or email knowledgeleader@protiviti.com.
