2009 COSO guidance overview set of slides. At the end I have contact information but that is now outdated. You can reach me at Sonia.Luna@avivaspectrum.com if you have questions.
A new emphasis on enterprise risk management from regulators has heightened awareness among bankers to get educated and adopt these best practices at their institution. In response to this increased focus, the RMA ERM Council developed the ERM framework and associated competencies, which became the foundation for a series of highly practical workbooks for implementing effective ERM.
Difference Between IASB And FASB conceptual framework (Ro'ya Abd Elhafez)
This paper clarifies the difference between the conceptual framework issued by IASB and issued by FASB, as many differences between them have been shown.
Identifying, understanding and evaluating an organization’s most significant risk areas will set the foundation for a robust enterprise risk management (ERM) program. This sample guide outlines an effective and proven approach to building ERM capabilities that will ultimately enhance corporate governance, align and integrate varying views of risk and risk management, and respond to the changing business environment.
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS - Firm-wide Risk Control & Methodology) voor het Zanders Risicomanagement Seminar 1 november 2012
Risk-based auditing is a style of auditing which focuses upon the analysis and management of risk. ... A traditional audit would focus upon the transactions which would make up financial statements such as the balance sheet. A risk-based approach will seek to identify risks with the greatest potential impact.
COSO's Internal Control - Integrated Framework.
Includes:
Objectives;
Components;
Principles relating to the components and
Point of Focus assisting users in determining whether the principles are present and functioning
Discover a simple score-card approach to implementing COSO 2013 Framework. Learn the unique aspects of adding a point system to each point of focus and understand how different stakeholders evaluate this targeted approach. Each user can identify where gaps may be hidden in your internal control processes.
Presented By: Sonia Luna, CPA, CIA, CRMA, CEO of Aviva Spectrum & Aruna Ashok CPA, CIA, Compliance Manager at eBay Marketplaces.
ASOPRS 2013 Meeting - June 2013 - Hyatt Regency in Newport, Rhode Island - American Society of Ophthalmic Plastic & Reconstructive Surgery. Facebook visibility tips, maximizing Facebook's EdgeRank score, online and offline branding strategies for cosmetic medical practices.
Total security to protect the sensitive data of mobile executives and decision-makers in enterprises
Gemalto is at the heart of the evolution of the digital world. Every day, companies and governments around the world place their trust in us to help them offer their users services where ease of use goes hand in hand with security.
Today, with an increasingly mobile workforce, the risks associated with data exposed outside the protected perimeter of the office are growing.
With ExecProtect, executives can be sure that their laptops and their data are secure, fully protected by the strongest encryption and access credentials in the world. Even if their laptop is stolen or lost, sensitive information remains inaccessible to ordinary users, who will not be able to defeat multi-factor authentication and authorization.
"Recent research from the HSE (1) confirms QBE’s long held view that the burden of musculoskeletal disorders (MSDs) to employers is significant, with the highest cost relating to time lost from work. It is no coincidence that financial losses associated with extended lost time often make up the largest component of high-value personal injury claims, offering a component of the business case and a logical rationale for promoting proactive rehabilitation and absence management. We acknowledge the vital importance of ensuring early and appropriate intervention for those who experience MSDs, particularly where this has the potential to
escalate into extended absence. In meeting this objective, the role of the case manager is pivotal in liaising between affected individuals and the organisation to facilitate a successful return to work – a point echoed within the HSE report."
Thought leadership insurance document from QBE European Operations.
This guide has been constructed to help you and your staff through the potentially complex aftermath of a serious or fatal accident on site. It covers key areas of the law and offers practical guidance on what to do when organisations and individuals are faced with criminal charges under health and safety and corporate manslaughter legislation.
The idea of creating a guide to the possible implications of Brexit came into being before the date for the Brexit referendum was set and the referendum campaign had begun. Now that the countdown to the June 23 vote is well underway, this has become a much more topical and current issue for everyone in the UK and I think that many more UK businesses are now engaged in active study and planning for Brexit scenarios.
Finance Department COSO Implementation Memo (Town of Addison)
Finance Department Director and Addison CFO Eric Cannon presented this memo and update to City Council on February 10, 2015 concerning the implementation of COSO standards.
Understand the impact of Federal TAX regulations that impact HEMP and CBD oil manufacturing. Learn that 280E is now lifted for hemp farmers and CBD manufacturers and what you can do to start your business.
Don’t know where to start when setting up your admin roles in BlackLine? Wondering how to save hours every year when reviewing your profiles and roles? Want to know what auditors really need when they inquire on user permissions and roles? Then you’ll need to view our slides and understand the key tools and techniques to ease yourself into BlackLine implementation. We’ll cover the key aspects and give you 5 proven best practices that you can use immediately.
Personal Branding On LinkedIn to Optimize Your Job Search (Aviva Spectrum™)
Discover some of the best practices to get noticed on LinkedIn. Whether you're looking for your next job, or just want to keep your options open for your next big move, it pays to have a winning LinkedIn profile.
Cyber Security: User Access Pitfalls, A Case Study Approach (Aviva Spectrum™)
Worried your passwords are not strong enough for today’s sophisticated hackers? Cyber security breaches happen every day, as evidenced in recent headlines. The presentation covers key user access threats, both internal and external, and ways to protect yourself and your company from malicious hackers. Learn from key case studies.
Worried about implementing the new Revenue Recognition standards? Afraid of missing reporting deadlines? Spending too much time trying to pass an internal controls audit for the new revenue standards? Then you’ll need to view our slides and understand the key tools and techniques to pass your internal control audit for the new revenue recognition standards. We’ll cover the internal controls aspects of the new 5-step model to recognize revenue.
Stop Auditing the Old-Fashioned Way! Start working smarter on each audit engagement and actually add value to your clients at the same time. The COSO framework suggests that monitoring is a timely assessment of the design and operation of controls to effectively manage risk and provide greater transparency in the monitoring process. Discover a new approach to Continuous Monitoring for Internal Control Effectiveness, with Case Studies in the Hospitality Industry.
Presenters: Sonia Luna, CPA, CIA, CRMA, CEO of Aviva Spectrum & S. Ramakrishnan, S. Narasimhan, Partners with PKF Sridhar & Santhana, Chartered Accountants with over 30 years of experience.
IPE Webinar with Sonia Luna - Aviva Spectrum - 10/16/14 (Aviva Spectrum™)
What should auditors audit in this ever-changing environment in light of IPE? How have key report testing requirements changed and how will this impact IT and Finance? This webinar will walk you through what you need to know today.
PCAOB Audit Alert #11: New Internal Control Testing Standards & Excel (Aviva Spectrum™)
Learn what the new PCAOB Audit Alert #11 is all about. What are the new internal control testing standards for public companies? How does it impact your testing of critical Excel files when you close the books?
2014 GRC Conference in West Palm Beach - Moderated by Sonia Luna (Aviva Spectrum™)
Slides from the 2014 GRC Conference Presented by:
Jeff Spivey, CRISC, CPP
Vice President of Strategy, RiskIQ, Inc.
President, Security Risk Management, Inc
Adair Barton, CPA, CISA
Vice President of Internal Audit
Dycom Industries, Inc.
and
David A. Less, CISA, CISM
CIO & SVP
Sunteck, Inc.
Risk Assessments Best Practice and Practical Approaches Webinar (Aviva Spectrum™)
Risk assessments are the primary component when planning, executing and delivering value in an internal audit. They are the building blocks of your internal audit activities and operational audit program. Sonia Luna, CPA, CIA, CEO of Aviva Spectrum, and Monica Raffety, CIA, Senior Manager, Financial Controls at Kaiser Permanente, will help you to:
• Understand the risk assessment tools available
• Learn how and when to apply risk assessment techniques
• Leverage different forms of quantitative and qualitative analysis techniques
• Learn when to deviate from risk assessment templates with a memo or scoring
• Understand what external auditors, management and the Board need to know when executing a risk assessment
• Understand how risk assessments impact the internal audit activities, from walkthroughs to testing
Top 5 Pitfalls to Avoid Implementing COSO 2013 (Aviva Spectrum™)
Learn about the 5 pitfalls you should avoid when implementing COSO's 2013 framework. This presentation will provide you with background on what could go wrong for SOX testing and other pitfalls to be aware of.
US Economic Outlook - Being Decided - M Capital Group August 2021 (pchutichetpong)
The U.S. economy is continuing its impressive recovery from the COVID-19 pandemic and not slowing down despite recurring bumps. The U.S. savings rate reached its highest ever recorded level at 34% in April 2020 and Americans seem ready to spend. The sectors that had been hurt the most by the pandemic, specifically by reduced consumer spending, like retail, leisure, hospitality, and travel, are now experiencing massive growth in revenue and job openings.
Could this growth lead to a “Roaring Twenties”? As quickly as the U.S. economy contracted, experiencing a 9.1% drop in economic output relative to the business cycle in Q2 2020, the largest in recorded history, it has rebounded beyond expectations. This surprising growth seems to be fueled by the U.S. government’s aggressive fiscal and monetary policies, and an increase in consumer spending as mobility restrictions are lifted. Unemployment rates between June 2020 and June 2021 decreased by 5.2%, while the demand for labor is increasing, coupled with increasing wages to incentivize Americans to rejoin the labor force. Schools and businesses are expected to fully reopen soon. In parallel, vaccination rates across the country and the world continue to rise, with full vaccination rates of 50% and 14.8% respectively.
However, it is not completely smooth sailing from here. According to M Capital Group, the main risks that threaten the continued growth of the U.S. economy are inflation, unsettled trade relations, and another wave of Covid-19 mutations that could shut down the world again. Have we learned from the past year of COVID-19 and adapted our economy accordingly?
“In order for the U.S. economy to continue growing, whether there is another wave or not, the U.S. needs to focus on diversifying supply chains, supporting business investment, and maintaining consumer spending,” says Grace Feeley, a research analyst at M Capital Group.
While the economic indicators are positive, the risks are coming closer to manifesting and threatening such growth. The new variants spreading throughout the world, Delta, Lambda, and Gamma, are vaccine-resistant and muddy the predictions made about the economy and health of the country. These variants bring back the feeling of uncertainty that has wreaked havoc not only on the stock market but the mindset of people around the world. MCG provides unique insight on how to mitigate these risks to possibly ensure a bright economic future.
Falcon stands out as a top-tier P2P Invoice Discounting platform in India, bridging esteemed blue-chip companies and eager investors. Our goal is to transform the investment landscape in India by establishing a comprehensive destination for borrowers and investors with diverse profiles and needs, all while minimizing risk. What sets Falcon apart is the elimination of intermediaries such as commercial banks and depository institutions, allowing investors to enjoy higher yields.
Introduction to Indian Financial System (Avanish Goel)
The financial system of a country is an important tool for economic development of the country, as it helps in creation of wealth by linking savings with investments.
It facilitates the flow of funds from the households (savers) to business firms (investors) to aid in wealth creation and development of both parties.
The European Unemployment Puzzle: implications from population aging (GRAPE)
We study the link between the evolving age structure of the working population and unemployment. We build a large new Keynesian OLG model with a realistic age structure, labor market frictions, sticky prices, and aggregate shocks. Once calibrated to the European economy, we quantify the extent to which demographic changes over the last three decades have contributed to the decline of the unemployment rate. Our findings yield important implications for the future evolution of unemployment given the anticipated further aging of the working population in Europe. We also quantify the implications for optimal monetary policy: lowering inflation volatility becomes less costly in terms of GDP and unemployment volatility, which hints that optimal monetary policy may be more hawkish in an aging society. Finally, our results also propose a partial reversal of the European-US unemployment puzzle due to the fact that the share of young workers is expected to remain robust in the US.
2. Agenda
• How COSO’s 2009 Monitoring Guidance Impacts Smaller Companies
• Leveraging 2009 Guidance to Cut Costs
• Practical SOX Compliance Steps
• Dealing with External Auditors
• Key Remediation and Reporting Issues
3. Quick Overview of COSO
COSO was formed in 1985
Introduced a Framework for internal controls in 1992
COSO is comprised of five professional associations:
• American Accounting Association
• AICPA (American Institute of Certified Public Accountants)
• FEI (Financial Executives International)
• IIA (The Institute of Internal Auditors) and
• IMA (Institute of Management Accountants)
4. The Face of COSO
Mr. Treadway
Committee of
Sponsoring
Organizations of
Treadway Commission
(aka COSO)
Charles C. Cox (far left); Bevis Longstreth (second from left); John S. R. Shad (second from
right); James C. Treadway, Jr. (far right)
Source: www.sechistorical.org
5. COSO Guidance - Timeline
[Timeline figure. Recoverable entries: 1985 COSO formed; 1987 fraud report on public companies issued; 1992 Framework introduced; 1996 Derivatives issued; 1999 Fraud 1987–1997 report issued; 2004 ERM Framework issued; June 2006 guidance issued; Feb. 2009 Monitoring Guidance issued; 2010.]
6. How to get COSO Materials
• Free download of executive summaries (e.g. introduction or overview documents) of their guidance materials, located at http://www.coso.org/guidance.htm
• www.cpa2biz.com: site represents AICPA and COSO related products. Search terms such as "internal controls" or "COSO" etc.
7. 2009 COSO Monitoring Guidance
Introduction: Free Download. Intended for CFO, CEO, BOD and AC members
Vol. 1 Guidance Overview: Intended for C-Level, BOD and AC Members, and Director of Internal Audit
8. 2009 COSO Monitoring Guidance
Vol. II Application: Discusses how the guidance impacts and links to the 1992 and 2006 COSO guidance materials. Audience: DIA, Internal Audit Staff etc.
Vol. III Examples: Provides templates to leverage Monitoring Guidance theory. Audience: DIA, Internal Audit Staff etc.
9. Vol. #1 - Overview
• Four Sections
1. Purpose of Guidance
2. Nature & Purpose of Monitoring
3. A Model for Monitoring
4. Summary Considerations
10. The Purpose of the Guidance
Two Primary Objectives:
1. To help organizations improve the effectiveness & efficiency of their internal control systems
2. To provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control process.
11. Application of Guidance
Designed to meet all three control objectives of the COSO Framework
Due to SOX compliance, the guidance has a primary focus on internal controls over financial reporting
12. Guidance Does Not:
• Change the COSO framework or its 2006 guidance
• Dictate risks or controls that organizations must consider
• Mandate the exact monitoring procedures that organizations must follow
• Increase the monitoring effort for organizations in areas where monitoring is already effective or
• Mandate a certain level or formality of monitoring documentation, including the use of certain terms
13. Nature and Purpose of Monitoring
The COSO Framework states that “monitoring ensures that internal controls continue to operate effectively” by leveraging two related principles:
1. Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time.
2. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.
14. Linking the 2 Principles to 2006 COSO guidance
Principle #19: Ongoing & Separate Evaluations
Principle #20: Reporting Deficiencies
Source: 2006 COSO guidance, vol #3
15. Establishing a Model for Monitoring
An effective approach to monitoring involves:
1. Establishing a Foundation
2. Designing & Executing Monitoring procedures
3. Assessing & Reporting
16. Establishing a Foundation
• A tone at the top that stresses the importance of monitoring
• Effective organizational structure that considers the roles of management and the board in regard to monitoring, and places people with appropriate capabilities, objectivity, authority and resources in monitoring roles and
• Baseline understanding of internal control effectiveness
17. Design & Execute
• Prioritize Risks: Evaluate controls in areas of meaningful risk
• Identify Controls: select appropriate controls for evaluation from across any or all of COSO’s 5 components
• Identify information that will be persuasive in supporting conclusions about control effectiveness
• Implement monitoring procedures: evaluate that information through a mix of ongoing monitoring and separate evaluations
18. Assessing and Reporting Results
• Prioritize findings
• Provide support at the appropriate organization level for conclusions regarding the effectiveness of internal controls and
• Follow up on corrective action: Facilitate prompt corrective actions and documentation as necessary
19. Assessing and Reporting Results
* Prioritize & Communicate Results
Identifying and prioritizing potential control deficiencies allows organizations to determine
1. The levels to which the potential deficiencies should be reported and
2. Corrective action, if any, that should be taken
Factors influencing prioritization include:
1. Likelihood that the deficiency will materially affect the achievement of an organizational objective
2. Effectiveness of compensating controls and
3. Aggregating effect of multiple deficiencies
20. Assessing and Reporting Results
* Reporting
Internally: Usually ELC (entity-level controls) are reported to senior management and the board
Externally:
1. Each Co. will have different requirements as to the depth of reporting requirements (e.g. private co. vs. publicly traded).
2. Management should evaluate third parties which may require reporting documents (e.g. external auditors, regulators etc.).
21. Other Considerations in Reporting
Monitoring Controls Outsourced to Others
1. For SOX, SAS 70 reports and their evaluations may be sufficient
2. Management must evaluate both financial and operational outsourced providers
23. Vol. II – Application
“Quick Tip”: Concept and its application in the grey area
Tips on How to Read Vol. II: Grey areas are only suggestions. Application may vary Co. by Co.
24. Application of “Tone at the Top”
Management’s tone influences the way employees conduct and react to monitoring.
Examples of documenting the monitoring of “Tone at the Top” include:
• Communicating expectations to employees (via employee manual, performance evaluation, sign-off on risk/control matrices, or other SOX related documents).
• Taking action for control problems by documenting control failures and including a remediation plan or compensating control for each gap.
• Documentation of follow-up procedures for any control failures identified (via ____________ or ______________)
Action Item: Update Performance Evaluations
25. Application of “Organizational Structure”
Role of Management & the BOD
Senior Management evaluates the day-to-day control and monitoring activities (evidenced in SOX or other related document sign-off)
The BOD has an oversight role, in which they are responsible for
• Understanding risks to organizational objectives
• Controls that management has put in place to mitigate those risks
• How management monitors to help ensure that the internal control system continues to operate effectively
NOTE: Evidence should be documented in the BOD/AC minutes
The guidance offers four suggestions for the BOD to perform its oversight responsibilities: (1) Inquiries & Observation of management, (2) Internal audit function (if present), (3) Hired resources or specialists when necessary and (4) external auditors.
Characteristics of Evaluators
Action Item: Principle #19 and #2 of COSO can leverage evidence of Monitoring Risks
26. Application of “Organizational Structure” (continued)
Characteristics of Evaluators
Self-review: evaluation of one’s own work
Benefit: usually affords the 1st opportunity to identify control deficiencies
Peer Review: evaluation of a co-worker’s or peer’s work
Benefit: the individual is close to the control and may be in the best position to identify and correct control deficiencies
Supervisory Review: evaluation of a subordinate’s work
Benefit: same as Peer Review above
Impartial Review: often includes the internal audit function, people from other departments or external parties
Benefit: Most objective concerning results, and more reliance can be placed on the effectiveness of ICFR
Source: Vol.2: Figure 5, pg13
27. Baseline Understanding of Internal Control Effectiveness
COSO provides three primary reasons internal control systems fail:
1. Not designed and implemented properly
2. Designed & implemented properly BUT the environment changes and the control system DOESN’T change accordingly
3. Designed & implemented properly BUT operation changes, rendering the control ineffective to mitigate control risks
Based upon the three primary reasons controls fail, COSO suggests a baseline allows management to have a starting point to address changes (i.e. process or control variances) in “real-time”
29. Change Continuum Definitions
Control Baseline — Monitoring starts with a supported understanding of the internal control system’s design and of whether controls have been implemented to accomplish the organization’s internal control objectives. As management gains experience with monitoring, its baseline understanding will expand based on the results of monitoring. Baseline is the starting point and a new control baseline established over time through monitoring.
Change Identification — The risk assessment component of internal control identifies changes in processes or risks and verifies that the design of underlying controls remains effective. Monitoring, through the use of ongoing and separate evaluations, should consider the risk assessment component’s ability to identify and address those changes.
Change Management — When changes in the operation of controls have occurred, or when needed changes in control design are identified, monitoring verifies that the internal control system manages the changes and establishes a new control baseline for the modified controls.
Control Revalidation/Update — When ongoing monitoring procedures use persuasive information, they can routinely revalidate the conclusion that controls are effective, thus maintaining a continuous control baseline. When ongoing monitoring uses less-persuasive information, or when the level of risk warrants, monitoring periodically revalidates control operation through separate evaluations using appropriately persuasive information.
32. Change Continuum Evidence
Evidence of the change continuum (figure):
1. Change Mgmt Form
2. Policy & Procedure for changes
3. Documentation Authorization with Changes (1)
(1) See Appendix B – Chg Mgmt Narrative Form
33. Vol. II Application of Design & Execute
(Figure) Source: Vol. 2, Figure 7, COSO 2009 Monitoring Guidance
34. Risk Assessment
• COSO’s monitoring guidance does not state that a separate risk assessment should be created just for monitoring.
• Prioritizing risks will allow management to decide on the type, timing and extent of monitoring of controls.
• Risk factors to consider:
1. Nature of Operations
2. Changes in Operations
3. Environmental Factors
4. Susceptibility to Theft or Fraud
35. COSO’s Risk Assessment Examples
Revenue example, without score detail and objective = Vol. 2
Inventory example, with score detail but without objective = Vol. 3
37. ID Key Controls
• Key-control determination can occur at various levels within an organization (e.g., the supervisor of a plant has different key monitoring controls than the CFO).
• Key-control analysis can be facilitated by considering factors that increase the risk that the internal control system will fail to properly manage or mitigate a given risk. These factors are:
1. Complexity
2. Judgment
3. Manual vs. Automated
4. Known Control Failures
5. Competence/experience of personnel
6. Risk of management override
7. Likelihood of control failure detection
38. ID Persuasive Information
• Persuasive information is both suitable AND sufficient in the circumstances and gives the evaluator reasonable, but not necessarily absolute, support for the conclusion regarding the continued effectiveness of the internal control system in a given risk area.
• Suitable information MUST be relevant, reliable and timely.
• Sufficiency is a measure of the quantity of information (i.e., whether the evaluator has enough suitable information).
39. ID Persuasive Information (Cont.)
Relevance of Information
Direct vs. Indirect Information
Information that directly confirms the operation of the control is more relevant than indirect information.
Direct: substantiates the operation of controls and is obtained by:
1. Observing controls in operation
2. Reperformance, or
3. Otherwise evaluating their operation directly; it can be useful in both ongoing monitoring and separate evaluations
Indirect: all other information that may indicate a change or failure in the operation of controls, such as:
1. Operating statistics
2. Key risk indicators
3. Key performance indicators, and
4. Comparative industry metrics
40. ID Persuasive Information (Cont.)
Reliability of Information
Reliable information: is accurate, verifiable and comes from an objective source.
Accurate information: represents the degree to which information can reasonably be expected to be free from error and/or to communicate results that reflect reality.
Verifiable: represents information that can be established, confirmed or substantiated as true.
Objectivity: is the degree to which the information source is unbiased when evaluated.
41. ID Persuasive Information (Cont.)
Sufficient Information
Management is required to maintain sufficient suitable information to support its conclusion on the effectiveness of internal controls.
The SEC has provided smaller public companies with a general guideline, dependent upon risks, to determine the sufficient level of support.
42. SEC’s Guidance on Information
http://www.sec.gov/info/smallbus/404guide.pdf
43. AICPA new sampling rules
Better understanding of how much is enough in multi-locations
• May 2008: the AICPA issued new sampling guidelines to align better with its risk-based auditing standards (i.e., SAS 101 to SAS 112).
• Management should consider multi-location issues as documented in this new guidance, as the PCAOB and SEC do not provide best practices on how to make sample selections on a risk-based approach for multi-locations.
44. Implementing Monitoring
COSO provides in Vol. 3 an example of implementing monitoring processes for inventory; the template can be applied to any business cycle, including IT.
Columns can be added for:
1) Evidence to collect
2) Quantity of evidence (is it all stores and all months; if so, what periods?)
45. Assess & Report
Prioritize Findings by Risk
The risk examples provided by Vol. 2 include one example of each type of risk rating (by Significance and Likelihood).
46. Vol. 2 – Applying Concepts of Monitoring
Prioritized Risks
Extends the concept in the prior slide by showing how to prioritize monitoring efforts by rating as well (i.e., High, Med., Low).
47. IT Guidance to Help Prioritize Findings
The 2006 SOX IT Guidance helps users assess prioritization based upon risks.
Site: www.isaca.org
48. Reporting Results
Internal Reporting: a protocol must be established. It typically includes senior management and the board.
External Reporting: a properly designed and executed monitoring program helps support external certifications or assertions because it provides persuasive information that internal control operated effectively at a point in time or during a particular period.
49. Follow-up Corrective Action
COSO’s suggested documentation should include evidence of:
Reported items agreeing to the source scoping documents
Evidence collected supporting that the control has been adequately corrected/remediated
Management approval of the corrective action and related evidence
50. Leveraging 2009 Guidance
Linking the monitoring principles (i.e., Principle #19 and #20) to actual business processes (i.e., Financial Statement Close Process, Inventory, etc.) will reduce the number of key controls required to assess for SOX.
Providing more detailed monitoring reports substantiates management’s evidence of reviewing key controls.
The guidance provides management more information on how to leverage key controls for more than one type of risk.
51. Practical Steps Using 2009 Guidance
Step 1: Entity-Level Control Assessment; use the color coding offered by the 2006 COSO Guidance
Step 2: The Risk Assessment exercise should include IT to prevent any miscommunication in prioritizing risks for the organization
Step 3: Evaluate the Monitoring guidance issued in 2009 by COSO, especially considering the three top templates from the guidance:
1. Quarterly and Annual Management Representations (Vol. 3 – Appendix B)
2. Enterprise Wide Risk Matrix (Vol. 3 – Appendix C)
3. Prioritize Risk and Controls (Vol. 2 – pg. 51 to pg. 55)
52. Segregation of Duties (SOD)
2009: Due to the economy, there is less staff and more work allocated to others.
Relying on too small a staff may cause a lack of SOD.
The 2009 and 2006 COSO Guidance have stated that compensating controls are the critical factor in avoiding a material weakness.
54. Dealing with External Auditors
Hold early discussions about the guidance and where you plan to leverage it.
Planning & Scoping: leverage the guidance to lower the number of key controls in the entity-level assessment.
Risk assessment process: may require a technical memo, provided to the SOX files and distributed to the external auditors, explaining how the guidance has revised and prioritized resources for the SOX assessment.
Key Control ID: inform the external auditors where they may be able to leverage more monitoring controls.
55. Key Remediation and Reporting Issues
Material weaknesses
IT General Controls: primarily related to change management.
Financial Close Process: primarily related to high-risk areas dealing with accounting transactions that are complex and/or involve significant judgment:
Tax issues
Valuation
Going Concern related issues (intangibles, etc.)
56. Q&A
My contact info:
Sonia Luna
Office: (213) 250-5700 x206
Cell: (323) 828-5862
700 S. Flower St. #1100, Los Angeles, CA 90017
Email: sluna@sox-solutions.com
Blog: www.sox-blog.com
Twitter: http://twitter.com/Sox_Solutions