policyIQ for COSO 2013 Internal Control - Integrated Framework


The policyIQ Team was joined by Les Sussman, Senior Practice Director of RGP’s Governance Risk & Compliance (GRC) practice, to discuss how the updated COSO framework will impact companies and, specifically, policyIQ clients and prospects. Mr. Sussman recapped the highlights of a webinar that he co-presented with Shauna Watson, RGP’s Global Managing Director of the Finance & Accounting practice. Their session, “Effective Transition to the 2013 COSO Framework and SOX Compliance”, drew more than a thousand registrants and received strong reviews for addressing considerations that other COSO-related sessions had not covered.

With a diverse audience of current policyIQ users and many participants who are not currently using policyIQ, we took time to introduce some highlights of policyIQ. We went on to demonstrate how easily and quickly we amended our policyIQ configuration to accommodate the updated 2013 COSO Internal Control – Integrated Framework.

RGP recommends that companies employ both a top down and a bottom up approach to mapping Principles and Controls to one another. We discussed this and how policyIQ reports can be applied to make quick work of mapping, gap analysis, control rationalization and reporting to the Audit Committee and External Auditors.

Reach out to us with any questions: sbuehrle@rgp.com or support@policyIQ.com.


  1. COSO 2013 Internal Control-Integrated Framework: Efficiently Transition Using policyIQ (March 6, 2014)
  2. Objectives. By the end of the session, you will:
     • Be aware of key changes in the updated COSO Framework
     • Have more information about how to plan your transition project
     • Understand what policyIQ is and how to navigate it
     • See that you can easily configure policyIQ to capture COSO Principles
     • Recognize how you can use reports for analysis and final reporting
  3. COSO Updates Framework, May 14, 2013. The New Framework: Internal Control – Integrated Framework (Framework and Appendices).
  4. The New Framework:
     • Expands the financial reporting category of objectives to include other forms of reporting (internal and non-financial)
     • Explicitly formalizes principles introduced in the original framework
     • Provides approaches and examples illustrating how principles are applied in financials
     • Supersedes the 1992 Framework on December 15, 2014
  5. 2013 COSO Framework. The updated framework formalizes 17 principles that were introduced and embedded in the original framework. Companies choosing to follow the COSO Framework will need to demonstrate that all 17 Principles are present and functioning in their Internal Control Framework.
  6. 2013 COSO Framework: the 17 Principles by Component
     • Control Environment: 1. Demonstrates commitment to integrity and ethical values; 2. Exercises oversight responsibility; 3. Establishes structure, authority and responsibility; 4. Demonstrates commitment to competence; 5. Enforces accountability
     • Risk Assessment: 6. Specifies suitable objectives; 7. Identifies and analyzes risk; 8. Assesses fraud risk; 9. Identifies and analyzes significant change
     • Control Activities: 10. Selects and develops control activities; 11. Selects and develops general controls over technology; 12. Deploys through policies and procedures
     • Information & Communication: 13. Uses relevant information; 14. Communicates internally; 15. Communicates externally
     • Monitoring Activities: 16. Conducts ongoing and/or separate evaluations; 17. Evaluates and communicates deficiencies
  7. Transition Strategy:
     • Project ownership: it is important that someone takes responsibility for dates and deliverables
     • Project communication: include all parties touched by the change in communications
     • Resource constraints: assess the time and people that you have, and reach out to RGP or others for support
     • Coordination with external auditors: touch base with auditors early and often to ensure that you are on the same page
     • Top down versus bottom up: RGP recommends doing both
  8. Project Approach and Timeline (the slide showed the four phases against the 2014 quarters):
     • Timeline: Q1 (1/1/2014 – 3/31/2014): year-end close, financial audits, year-end write-up; Q2 (4/1/2014 – 6/30/2014): testing for the 1st half of the year; Q3 (7/1/2014 – 9/30/2014): testing for the 2nd part of the year; Q4 (10/1/2014 – 12/31/2014): year-end and remediation testing
     • Phase 1 - Plan: establish project ownership / management; develop detailed approach and timeline; identify resources and assign responsibility; communicate plan and train; consult with auditors
     • Phase 2 - Map: update risk assessment; start mapping from the top down; link principles to controls; consider points of focus; coordinate with other service providers
     • Phase 3 - Assess: identify deficiencies; evaluate deficiencies; determine controls requiring remediation; consider eliminating orphan controls
     • Phase 4 - Implement: design new controls; train control owners; schedule testing
  9. Introduction policyIQ
  10. Introduction policyIQ: web-based Governance, Risk & Compliance; customizable and flexible; a workflow, oversight and management reporting tool; secure (certifications, SSL, username/password).
  11. Introduction policyIQ: Create Pages for your Risks, COSO Principles, Narratives, Controls, and so on from Templates that drive consistency and sound information governance practices. (Diagram: Templates such as Contract, Procedure, Policy, Test, Control and Risk; field types Text, Dropdown, Multi-Select, Date, Number and Currency; restrictions on Creators and Approvers.)
  12. Introduction policyIQ: Take advantage of the database and easy-to-use interface to eliminate issues with multiple versions, to manage workpapers and supporting documentation, and to relate content appropriately for powerful reporting capabilities. (Diagram: Pages created from Templates, indexed into Folders, with upload and attach of supporting documents.)
  13. Introduction to policyIQ
  14. Introduction to policyIQ: Remember SOX in Year 1 or 2 and manually managing Risk/Control matrices in Excel?
  15. Introduction to policyIQ: Remember SOX in Year 1 or 2 and manually managing Risk/Control matrices in Excel? You might be comforted knowing that policyIQ plays well with Excel, as in the example shown on this slide of a matrix (Detail Link Report) exported to Excel.
  16. Introduction to policyIQ: Remember that the root object in policyIQ is a Page, with the ability to link Pages to one another. Pages are created from Templates with the fields that you want. You can define who should have read, write and approve access to all content and can index Pages into one or multiple Folders.
  17. Introduction to policyIQ: Getting around is very easy, using familiar actions to drill down into Folders, select items in the table on the right and choose the appropriate action from the toolbar above. We do these things every day while working with documents on our hard drive or in shared network folders.
  18. Introduction to policyIQ: To configure (retrofit) policyIQ for the new COSO framework, we recommend adding a Folder structure called “COSO” to which you can add subfolders for each of the COSO Components. This is where you will file or index your Pages for each of your COSO Principles.
  19. Introduction to policyIQ: To create those Principle Pages, you must first create a Page Template. Similar to the navigation elsewhere in policyIQ, drill down into the appropriate Page Template Category and then choose the appropriate action (Add Template for Pages) from the toolbar. Follow similar navigation to highlight the Principle template on the left and add one Short Text field to capture the more detailed description of each Principle.
  20. Introduction to policyIQ: Populating policyIQ with your Principles, Points of Focus (and Risks, Controls, Tests, etc. if you are new to policyIQ) is as simple as arranging the information in Excel for Import.
  21. Introduction to policyIQ: The result of the import is that your Pages have been created, appropriate security rights have been assigned, Pages are indexed into the appropriate Folders, and you can even link Pages to one another.
  22. Using policyIQ for Analysis and Reporting
  23. Mapping Process – Top-down Approach: Without policyIQ, you could use COSO’s Illustrative Tools to help you manage your top-down methodology of mapping your Principles to Points of Focus and then to relevant Controls.
  24. Mapping Process – Top-down Approach: With policyIQ, you could use the tool and its linking capability to manage your top-down methodology of mapping your Principles to Points of Focus and then to relevant Controls.
  25. Mapping Process – Bottom-up Approach: You could also use policyIQ to review all of your Controls and map them to relevant Principles or Points of Focus. This process sets the stage for using policyIQ to thoroughly (and quickly) review and rationalize the reduction of Controls and, therefore, of testing (and related costs).
  26. policyIQ Reports – To Identify Gaps: With a simple report, it is apparent when gaps exist.
  27. policyIQ Reports – Control Rationalization: Reports also allow you to easily see where some Principles might be more than adequately controlled and when it makes sense to remove Controls from the SOX framework (noting they are “out of scope” for SOX).
  28. policyIQ Reports – To Summarize: You may also use policyIQ Reports to summarize information, selecting only the pertinent information, to share with the Audit Committee, External Auditors, and so on (focus only on necessary information in Results).
  29. Summary:
     • Start the transition process as soon as possible
     • Use the opportunity to streamline key controls and reduce costs
     • Leverage technology to promote effectiveness and efficiency
     • Mapping process
     • Control Rationalization – gaps and redundancies
     • Reporting to the Audit Committee and External Auditors
  30. Contact Information: LESTER SUSSMAN, Senior Practice Director, GRC, Lester.Sussman@rgp.com; STEPHENIE BUEHRLE, Product Director, policyIQ, Stephenie.Buehrle@rgp.com; POLICYIQ INFORMATION, Information@policyIQ.com. Reach out to us with any questions about the framework, methodology for transitioning, project management, project support or policyIQ!
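The gap and control-rationalization reports described in slides 25 to 27 can be reproduced offline from a link-report export. The following is an added example written for this page, not policyIQ code; it assumes a two-column CSV (Control, Principle) such as a Detail Link Report exported to Excel and saved as CSV, with the principle numbers and components taken from slide 6. The sample rows are constructed.

```python
import csv
from collections import defaultdict

# The 17 COSO 2013 principles by component, as listed on slide 6.
COMPONENTS = {
    "Control Environment": [1, 2, 3, 4, 5],
    "Risk Assessment": [6, 7, 8, 9],
    "Control Activities": [10, 11, 12],
    "Information & Communication": [13, 14, 15],
    "Monitoring Activities": [16, 17],
}
ALL_PRINCIPLES = {p for ps in COMPONENTS.values() for p in ps}

# Constructed sample (not client data): one row per control-to-principle link; blank = no link.
SAMPLE_EXPORT = """Control,Principle
CTRL-001,1
CTRL-001,5
CTRL-002,2
CTRL-003,16
CTRL-004,17
CTRL-005,10
CTRL-006,10
CTRL-007,10
CTRL-008,
"""

def parse_link_export(text):
    """Return {control_id: set of principle numbers} from the two-column CSV."""
    links = {}
    for row in csv.DictReader(text.splitlines()):
        principles = links.setdefault(row["Control"].strip(), set())
        if row["Principle"].strip():
            principles.add(int(row["Principle"]))
    return links

def rationalize(links, redundancy_threshold=3):
    """Gap analysis and control rationalization over a control -> principles map."""
    by_principle = defaultdict(set)
    for ctrl, principles in links.items():
        for p in principles:
            by_principle[p].add(ctrl)
    return {
        # principles with no control linked: the gaps a report must surface
        "gaps": sorted(ALL_PRINCIPLES - set(by_principle)),
        # controls linked to no principle: candidates to take out of SOX scope
        "orphans": sorted(c for c, ps in links.items() if not ps),
        "redundant": {p: sorted(cs) for p, cs in by_principle.items()
                      if len(cs) >= redundancy_threshold},
        "present": {n: all(p in by_principle for p in ps) for n, ps in COMPONENTS.items()},
    }
```

"present" reports a component as present only when every one of its principles has at least one control linked, which is the "all 17 present and functioning" test from slide 5 applied per component.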