Join this webcast featuring senior-level financial executives with deep knowledge of the updated internal control framework released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Hear first-hand how Pfizer, Raytheon and Dow have implemented the updated framework (which will supersede COSO’s original 1992 guidelines at the end of this year).
COSO Implementation: Getting Real, Getting It Right
1. FEI - BlackLine Systems Webinar
July 24, 2014
12 pm ET / 9am PT
1.5 CPE
2. Introduction
This session will cover key areas to focus on when transitioning to
COSO’s updated internal control framework, to make implementation
most efficient and effective.
Now that it's mid-July 2014, with COSO's 2013 framework set to
supersede the 1992 framework less than six months from now
(COSO has announced that the 1992 framework will be considered
superseded as of December 15, 2014), it's time for your
COSO implementation to "Get Real" and "Get it Right!"
3. Program Outline
Housekeeping/CPE
Capsule Overview of COSO 2013
Project Planning, Roles & Responsibilities
Mapping from COSO ‘92 to COSO 2013
Working with Auditors; Sarbanes-Oxley
Implementation issues; Fraud Assessment
Q&A
Benefits
Closing Remarks
4. CPE Credits and Supplemental Information
We are offering 1.5 CPE credits for this webinar
To be eligible to receive these credits, please ensure you answer at
least four (4) out of the five (5) polling questions
You will receive the CPE certificate via e-mail approximately 4
weeks after the webinar date
Register for the remaining webinars in this series hosted by
BlackLine Systems in conjunction with FEI. Watch for
announcements to be posted on:
– FEI's COSO Resources page, www.financialexecutives.org/coso, and on
– BlackLine's webinars page https://www.blackline.com/news-events/webinars
5. WHY IS THE UPDATED COSO FRAMEWORK IMPORTANT
Internal controls are critical yet companies don’t always update them
for changes in the business, industry or environment
Companies are now faced with new risks and opportunities that
should be considered
– Reliance on technologies
– Increasing regulatory requirements and oversight
– Social media
– Outsourcing business functions
– Emphasis on controls around non-financial reporting
– More focus on fraud
6. Polling Question 1
How far along are you in completing your COSO 2013 implementation?
Haven’t started yet
Early stages
About mid-way
Mostly done
Management done, but we haven’t really consulted with our
auditors yet as to the effectiveness of internal control under COSO
2013
Management done, and we know where we stand with our
auditors on the effectiveness of internal control under COSO 2013
Not applicable (e.g. I don’t work for a company that has to
implement COSO 2013)
10. Update considers changes in business and operating environments
Changes in environments drive updates to the Framework:
Expectations for governance oversight
Globalization of markets and operations
Changes and greater complexity in the business
Demands and complexities in laws, rules, regulations, and standards
Expectations for competencies and accountabilities
Use of, and reliance on, evolving technologies
Expectations relating to preventing and detecting fraud
[Figure: the COSO Cube]
11. What is not changing... What is changing...
What is not changing:
1. Retain core definition of internal control
2. Retain five components of internal control
3. Retain requirement of five components for an effective system of internal control
4. Retain important role of judgment in designing, implementing, and conducting internal control, and in assessing effectiveness of internal control
What is changing:
1. Articulate fundamental concepts underlying the five components as principles
2. Consider changes in business and operating environments
3. Expand operations and reporting objectives
4. Provide additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives
Update intends to ease use and application
12. Requirements for Effective Internal Control
Effective internal control requires that:
– Each of the five components of internal control and relevant principles are
present and functioning
– The five components are operating together in an integrated manner
When a component or relevant principle is deemed not present and
functioning or when components are deemed not operating together,
a “major deficiency” exists
When a major deficiency exists, the entity cannot conclude that it has
met the requirements for effective internal control
13. Requirements for Effective Internal Control
Components operate together when:
– Components are present and functioning
– Internal control deficiencies aggregated across components do not result in one
or more major deficiencies
– An internal control deficiency or combination of deficiencies that severely
reduces the likelihood that the entity can achieve its objectives is a major
deficiency
– A major deficiency exists when management determines that a component and
relevant principle is not present or functioning or components are not operating
together
– Management uses only relevant criteria (as established by regulators, standard-
setting bodies, and other relevant third parties) for defining severity of,
evaluating, and reporting internal control deficiencies
14. The Five Components of Internal Control
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
Components of Internal Control Remain Unchanged from COSO's 1992 Framework
15. Update articulates principles of effective
internal control (continued)
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises
oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
16. Update articulates principles of effective
internal control (continued)
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification
and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity
and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the
achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the
system of internal control.
17. Update articulates principles of effective
internal control (continued)
Control Activities
10. The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to
support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is
expected and procedures that put policies into place.
18. Update articulates principles of effective
internal control (continued)
Information & Communication
13. The organization obtains or generates and uses relevant, quality information to
support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of other
components of internal control.
15. The organization communicates with external parties regarding matters affecting the
functioning of other components of internal control.
19. Update articulates principles of effective
internal control (continued)
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present and
functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely
manner to those parties responsible for taking corrective action, including senior
management and the board of directors, as appropriate.
20. Points of Focus
The Framework describes points of focus that are important
characteristics of the principles
– Some points of focus may not be relevant, and others may be
identified based on specific circumstances
– The points of focus may facilitate designing, implementing, and
conducting internal control and assessing its effectiveness
There is no requirement to separately assess whether points of
focus are in place
21. Transition Timing
May 2013 – Paul Beswick, SEC Chief Accountant:
– "SEC staff plans to monitor the transition for issuers using the 1992 framework to
evaluate whether and if any staff or Commission actions become necessary or
appropriate at some point in the future. However, at this time, I'll simply refer
users of the COSO framework to the statements COSO has made about their
new framework and their thoughts about transition"
September 2013 – Center for Audit Quality, SEC Regulations
Committee meeting highlights:
– [SEC Staff] indicated that the longer issuers continue to use the 1992 framework,
the more likely they are to receive questions from the staff about whether the
issuer’s use of the 1992 framework satisfies the SEC’s requirement to use a
suitable, recognized framework
22. Draft Disclosure
A key part of your disclosure will be to identify which version of
the COSO Framework you have used: COSO 1992 or COSO 2013.
23. Possible Impact
Does your organization apply and interpret the narrative included in
the 1992 Framework in the same manner as the COSO Board?
Does your system of internal control cover all 17 principles?
Does your SOX program include the documentation and evaluation
of all 5 components, or only of Control Activities?
Does your risk assessment give enough consideration to fraud risk?
Do your controls extend to processes that have been outsourced?
Have you documented and evaluated your Board’s oversight of the
system of internal controls?
How will you use the framework – for SOX only, or also for other
reporting, operating, or compliance objectives?
24. Recap
The framework hasn’t really changed much at all
– Same definition of internal control / 5 components
– Still follow SEC guidance in determining severity of deficiencies
– Areas of emphasis:
• Considering fraud in the risk assessment
• Controls over outsourced processes
• Role of Board in oversight of the system of internal controls
All relevant principles must be present and functioning (Points of
Focus are not required).
Are all of the principles covered in your SOX 404 program?
– Do you have gaps in control, documentation, or monitoring?
– Your evaluation of the system of IC at the end of the year will need to address all
relevant principles.
25. Polling Question 2
What is required under COSO 2013 for Internal Control to be
deemed “effective”?
All 17 Principles have to be Present and Functioning
The 5 core components of internal control have to operate together
The 87 Points of Focus have to map to your Entity-Level Controls
All of the above
Just the first two points above
27. Dow’s COSO 2013 Transition: Project Planning
Dow will transition to COSO 2013 during 2014
Focused on Internal Control over External Financial Reporting
Project managed by the Internal Control Compliance Group
Broad awareness and communication
– Key functions engaged (Finance, IT, HR, etc.)
– Coordinated with Internal Audit
Audit Committee oversight
External auditor engagement
Consideration of ICEFR “hot topics”
28. Polling Question 3
Which of the following most closely describes your company’s approach
to mapping for COSO 2013?
We are mapping our existing controls to COSO 2013’s 17 Principles, but not
to the 87 points of focus.
We are mapping our existing controls to COSO 2013’s 17 Principles AND all
87 points of focus, because of strong pressure from our auditors to do so.
We are mapping our existing controls to COSO’s 17 principles and most or
all of COSO’s 87 points of focus voluntarily because we found it helpful to
do so.
We are mapping our existing controls to COSO’s 17 principles and most or
all of COSO’s 87 points of focus voluntarily, because we believe it will
reduce the work and cost of our external auditor engaging in the same
activity by enabling them to review our having done that exercise.
Don’t know
30. Mapping Analysis Background
Internal Control is not a new concept
COSO’s 5 core components are not “new”
Sarbanes-Oxley Section 404 is not “new”
Judgment is still required in designing, implementing, and assessing
internal control
Transition from COSO 1992 to COSO 2013 considered by many, as
a practical matter, a “mapping” exercise
31. Gap Analysis
“Mapping” or Alternative Method of Gap Analysis Will Vary
Degree of documentation and effort will vary, company by company
based on …
– Current state of internal control
– Degree to which current controls have kept up with change
– Quality and quantity of existing documentation
– Size and complexity of the business
32. Mapping Analysis: Raytheon’s Approach
We started with the COSO Excel templates that were available when
the Framework was purchased
We modified the COSO standard templates to map our key controls
to the points of focus for each of the 17 principles
– Explanations for each assignment were documented to serve as a record of why
the control met the point of focus
The mapping exercise identified the level of coverage for the points
of focus within each principle and allowed us to:
– Assess if all points of focus were covered
– Assess strength/weakness of coverage
33. Mapping Analysis: Lessons we Learned
Took longer than expected to complete
COSO material was helpful throughout the process
Focused on the impact to Internal Control Over Financial Reporting
to ensure completion in 2014
Project timeline was helpful to ensure communication with
stakeholders, including internal and external auditors
Required documentation enhancements in selected areas
34. Dow’s COSO 2013 Transition:
Controls Mapping & Gap Assessment
Performed a robust gap assessment
– Mapped existing controls to Points of Focus and Principles
Will not result in a significant change to Dow’s SOX compliance
process or controls
– Expanded documentation of specific attributes of certain controls
– Will need to obtain specific evidence of operating effectiveness
– Enhanced controls in a few areas
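The mapping exercise Raytheon and Dow describe above, together with the "present and functioning" test from the Requirements for Effective Internal Control slides, can be kept as a repeatable check instead of a one-off spreadsheet. The script below is an added example written for this page; it is not Raytheon's, Dow's, BlackLine's or COSO's own tooling, and the control inventory in it is constructed with hypothetical control IDs. It maps each control to the principles it supports, flags principles with no control (a documentation or control gap) or whose supporting controls all failed testing, rolls that up to the component level, and applies the rule that any relevant principle not present and functioning is a major deficiency.

```python
# Added illustration: gap analysis of a SOX control inventory against the 17 COSO 2013
# principles. Control IDs and descriptions are constructed, not any company's real inventory.
from collections import defaultdict
from dataclasses import dataclass

# COSO 2013: five components and the 17 principles as numbered on the slides.
COMPONENTS = {
    "Control Environment": (1, 2, 3, 4, 5),
    "Risk Assessment": (6, 7, 8, 9),
    "Control Activities": (10, 11, 12),
    "Information & Communication": (13, 14, 15),
    "Monitoring Activities": (16, 17),
}
ALL_PRINCIPLES = frozenset(p for ps in COMPONENTS.values() for p in ps)


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    principles: frozenset               # principles this control supports
    operating_effectively: bool = True  # test result; False means a deficiency


# Constructed sample inventory (hypothetical IDs). Principle 9 has no control at all,
# and the only control supporting principle 11 failed testing.
SAMPLE_CONTROLS = [
    Control("ELC-01", "Code of conduct acknowledged annually; violations escalated", frozenset({1, 5})),
    Control("ELC-02", "Audit Committee reviews ICFR status and deficiencies quarterly", frozenset({2, 17})),
    Control("ELC-03", "Delegation-of-authority matrix approved by the board", frozenset({3})),
    Control("ELC-04", "Finance competency review and training plan", frozenset({4})),
    Control("RA-01", "Annual financial-statement risk assessment by account and assertion", frozenset({6, 7})),
    Control("RA-02", "Annual ICFR fraud risk assessment mapped to fraud schemes", frozenset({8})),
    Control("CA-01", "Manual journal entries above threshold independently approved", frozenset({10, 12})),
    Control("CA-02", "ERP user access provisioning approved and reviewed quarterly", frozenset({11}), False),
    Control("IC-01", "Data-quality checks on the close reporting package", frozenset({13})),
    Control("IC-02", "SOX roles and responsibilities communicated to control owners", frozenset({14})),
    Control("IC-03", "Hotline open to third parties; outsourcers' SOC 1 reports reviewed", frozenset({15})),
    Control("MON-01", "Control self-assessment and internal audit testing program", frozenset({16})),
]


def coverage(controls):
    """Map every principle to the sorted ids of the controls that support it."""
    cov = defaultdict(list)
    for c in controls:
        for p in c.principles:
            cov[p].append(c.control_id)
    return {p: sorted(cov[p]) for p in sorted(ALL_PRINCIPLES)}


def principle_status(controls, not_relevant=frozenset()):
    """Classify each relevant principle as 'covered', 'not functioning' (controls exist but
    none operated effectively) or 'gap' (no control maps to it). Principles listed in
    not_relevant are skipped; the framework allows that only rarely and it must be defensible."""
    status = {}
    for p in sorted(ALL_PRINCIPLES - set(not_relevant)):
        supporting = [c for c in controls if p in c.principles]
        if not supporting:
            status[p] = "gap"
        elif not any(c.operating_effectively for c in supporting):
            status[p] = "not functioning"
        else:
            status[p] = "covered"
    return status


def major_deficiencies(controls, not_relevant=frozenset()):
    """Principles not present and functioning; under COSO 2013 each is a major deficiency."""
    return sorted(p for p, s in principle_status(controls, not_relevant).items() if s != "covered")


def component_status(controls, not_relevant=frozenset()):
    """A component is present and functioning only if every relevant principle in it is covered."""
    bad = set(major_deficiencies(controls, not_relevant))
    return {comp: not (bad & set(ps)) for comp, ps in COMPONENTS.items()}


def is_effective(controls, not_relevant=frozenset()):
    """No major deficiency at principle level. Whether lesser deficiencies aggregate into a
    major one (the 'operating together' test) is a judgment against SEC/PCAOB criteria and
    is not modelled here."""
    return not major_deficiencies(controls, not_relevant)


def gap_report(controls, not_relevant=frozenset()):
    """Text summary for the project team and auditors: components, then open principles."""
    ps, cov = principle_status(controls, not_relevant), coverage(controls)
    lines = [f"{comp}: {'present and functioning' if ok else 'NOT present and functioning'}"
             for comp, ok in component_status(controls, not_relevant).items()]
    for p in major_deficiencies(controls, not_relevant):
        lines.append(f"  principle {p}: {ps[p]} (controls: {cov[p] or 'none'})")
    lines.append(f"Effective under COSO 2013: {is_effective(controls, not_relevant)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(gap_report(SAMPLE_CONTROLS))
```

Mapping down to points of focus, as Raytheon did, is the same structure one level lower: key the inventory by point-of-focus identifier grouped under its principle and the coverage and gap logic is unchanged. The script only surfaces the principle-level facts; deciding whether several lesser deficiencies aggregate into a major one remains a judgment made with the auditors against SEC and PCAOB criteria.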
35. Polling Question 4
How confident are you that Chief Executive Officers and the Boards
of Directors that oversee them are up to speed about the changes to
the COSO internal control framework and how it plays into the CEOs'
and CFOs' Sarbanes-Oxley assertions for calendar-year-end
companies beginning this year-end?
Very confident
Confident
Not very confident
36. Working with the Auditors
Management’s Perspective
Since 2004, our SOX programs have evolved and improved. Most of
us have robust systems of controls and have developed thorough
and efficient programs for monitoring our controls and evaluating
effectiveness.
Our auditors have audited our controls and have given their opinions
year after year.
COSO 2013 is not a major change to the 1992 Framework.
So, the transition project should not be a major effort.
We shouldn’t be starting over on SOX, with a blank sheet of paper
and a top-to-bottom documentation exercise.
37. Working with the Auditors
Auditors Perspective
Since 2004/2007, audits of internal controls have been based on AS2/AS5,
and have been influenced by PCAOB inspections.
COSO 2013’s 17 principles and 60 or so Points of Focus are new elements
in the internal controls audit.
The PCAOB Staff Audit Practice Alert issued in October 2013 (Alert No. 11) included several
areas in the audit of internal controls that auditors are going to focus on this year, in
addition to COSO (e.g. management review controls).
The PCAOB will be looking for documentation on all of the above, so the
Auditors will be cascading these requirements on their clients.
The firms have developed templates for collecting the documentation; the
comprehensive nature of these templates can potentially generate more
work than the minor tweaks to the framework might suggest would be
necessary.
38. Suggestions:
We have engaged with our auditors early and often, sharing our
plans and early assessments, and seeking their feedback. Our
project plan includes reviews with them at each step along the way:
– Preliminary Assessment
– Project Plan Review
– Mapping Exercise
– Documentation / Remediation
– Testing and Evaluation
We have segregated the COSO project from work related to other
PCAOB-highlighted topics.
We have tried wherever possible to use our auditors' templates, in
the interest of overall efficiency, but we have discussed the need to
limit the amount of detail we are trying to collect in these forms.
39. Benefits
The COSO board firmly believes that the principles in the
COSO framework can help companies be more successful.
40. Risk Assessment
One of the most significant updates to COSO’s framework, from
management’s perspective, is Principle 8, which requires
Management to perform a Fraud Risk Assessment.
41. Dow’s COSO 2013 Transition:
Consideration of Fraud Risk
Internal Control Compliance Group conducts formal ICFR fraud risk
assessment annually
Input from multiple groups across the organization
Identify & document fraud schemes specific to ICFR
Consider what groups could commit the fraud and how
Identify controls in place to detect and mitigate each fraud risk
Consideration of fraud risks at Outsourced Service Providers
Audit Committee oversight
Fraud awareness training and communication
Ongoing monitoring activities
42. Polling Question 5
Who leads your COSO Project Planning Team at your company?
Internal Audit
Sarbanes-Oxley Group in Corp. Compliance Dept.
Sarbanes-Oxley Group in Corporate Controllers
Internal Control/Financial Control Group in Corporate Compliance
Internal Control/Financial Control Group in Corporate Controllers
Finance/Corporate Controllers Dept – Other
Other
43. ABOUT BLACKLINE
Global headquarters in Los Angeles with regional main offices in
London and Sydney
More than 850 clients (many in the Fortune 500/Global 1000)
Over 100,000 users worldwide in 100+ countries
First to market and offer software to automate the entire financial
close process
BlackLine Certified Implementation Professionals all around the
world
46. About COSO
For more information about COSO, go to www.coso.org
When ordering the COSO Internal Control Framework, FEI
members use Discount Code FEIIC
Visit www.financialexecutives.org/coso
47. About FEI / FERF
For more information about COSO, internal controls, Governance, Risk and
Compliance and topics of interest to senior-level financial executives, audit
committee members, and academics, visit Financial Executives International
(FEI), Financial Executives Research Foundation (FERF) and FEI Daily.
www.financialexecutives.org
www.ferf.org
daily.financialexecutives.org
www.financialexecutives.org/coso
48. Become FEI's Newest Member!
Join FEI before August 31 and pay $399.
Join online and enter discount code
COSO714 during check-out.
www.financialexecutives.org/join
Questions? Contact FEI's Member Services Dept.
973.765.1000 | 877.359.10710 | membership@financialexecutives.org