The policyIQ Team was joined by Senior Practice Director of RGP’s Governance Risk & Compliance (GRC) practice, Les Sussman, to discuss how the updated COSO framework will impact companies and, specifically, policyIQ clients or prospects. Mr. Sussman recaptured the highlights from a webinar that he co-presented with RGP’s Global Managing Director of the Finance & Accounting practice, Shauna Watson. Their session, “Effective Transition to the 2013 COSO Framework and SOX Compliance”, drew more than a thousand registrants and received great reviews for addressing considerations that have not been discussed in other COSO-related sessions.
With a diverse audience of current policyIQ users and many participants who are not currently using policyIQ, we took time to introduce some highlights of policyIQ. We went on to demonstrate how easily and quickly we amended our policyIQ configuration to accommodate the updated 2013 COSO Internal Control – Integrated Framework.
RGP recommends that companies employ both a top down and a bottom up approach to mapping Principles and Controls to one another. We discussed this and how policyIQ reports can be applied to make quick work of mapping, gap analysis, control rationalization and reporting to the Audit Committee and External Auditors.
Reach out to us with any questions: sbuehrle@rgp.com or support@policyIQ.com.
policyIQ for COSO 2013 Internal Control - Integrated Framework
1. COSO 2013 Internal Control – Integrated Framework: Efficiently Transition Using policyIQ
March 6, 2014
2. Objectives
By the end of the session, you will:
• Be aware of key changes in the updated COSO Framework
• Have more information about how to plan your transition project
• Understand what policyIQ is and how to navigate it
• See that you can easily configure policyIQ to capture COSO Principles
• Recognize how you can use reports for analysis and final reporting
3. COSO Updates Framework, May 14, 2013
The New Framework: Internal Control – Integrated Framework (Framework and Appendices)
4. The New Framework
• Expands the financial reporting category of objectives to include other forms of reporting (internal and non-financial)
• Explicitly formalizes principles introduced in the original framework
• Provides approaches and examples illustrating how principles are applied in financials
• Supersedes the 1992 Framework on December 15, 2014
5. 2013 COSO Framework
The updated framework formalizes 17 principles that were introduced and embedded in the original framework. Companies choosing to follow the COSO Framework will need to demonstrate that all 17 Principles are present and functioning in their Internal Control Framework.
6. 2013 COSO Framework
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
7. Transition Strategy
Project ownership: it is important that someone takes responsibility for dates and deliverables.
Project communication: include all parties touched by the change in communications.
Resource constraints: assess the time and people that you have; reach out to RGP or others for support.
Coordination with external auditors: touch base with auditors early and often to ensure that you are on the same page.
Top down versus bottom up: RGP recommends doing both.
8. Project Approach and Timeline
Timeline (2014):
• 1/1/2014 – 3/31/2014: Q1 – Year-end close, financial audits, year-end write-up
• 4/1/2014 – 6/30/2014: Q2 – Testing for 1st half of the year
• 7/1/2014 – 9/30/2014: Q3 – Testing for 2nd part of the year
• 10/1/2014 – 12/31/2014: Q4 – Year-end and remediation testing
Phase 1 - Plan
• Establish project ownership / management
• Develop detailed approach and timeline
• Identify resources and assign responsibility
• Communicate plan and train
• Consult with auditors
Phase 2 - Map
• Update risk assessment
• Start mapping from top down
• Link principles to controls
• Consider points of focus
• Coordinate with other service providers
Phase 3 - Assess
• Identify deficiencies
• Evaluate deficiencies
• Determine controls requiring remediation
• Consider eliminating orphan controls
Phase 4 - Implement
• Design new controls
• Train control owners
• Schedule testing
11. Introduction to policyIQ
Create Pages for your Risks, COSO Principles, Narratives, Controls, and so on from Templates that drive consistency and sound information governance practices.
(Diagram: Page Templates such as Contract, Procedure, Policy, Test, Control and Risk; Fields of type Text, Dropdown, Multi-Select, Date, Number and Currency; Restrict settings for Creators and Approvers.)
15. Introduction to policyIQ
Remember SOX in Year 1 or 2 and manually managing Risk/Control matrices in Excel? You might be comforted knowing that policyIQ plays well with Excel, as in this example of a matrix (Detail Link Report) exported to Excel.
16. Introduction to policyIQ
Remember that the root object in policyIQ is a page, with the ability to link pages to one another. Pages are created from Templates with the fields that you want.
You can define who should have read, write and approve access to all content and can index Pages into one or multiple Folders.
17. Introduction to policyIQ
Getting around is very easy, using familiar actions to drill down into Folders, select items in the table on the right and choose the appropriate action from the toolbar above. We do these things every day while working with documents on our hard drive or in shared network folders.
18. Introduction to policyIQ
To configure (retrofit) policyIQ for the new COSO framework, we recommend adding a Folder structure called “COSO” to which you can add subfolders for each of the COSO Components. This is where you will file or index your pages for each of your COSO Principles.
19. Introduction to policyIQ
To create those Principle Pages, you must first create a Page Template. Similar to the navigation elsewhere in policyIQ, drill down into the appropriate Page Template Category and then choose the appropriate action (Add Template for Pages) from the toolbar. Follow similar navigation to highlight the Principle template on the left and add one Short Text field to capture the more detailed description of each Principle.
20. Introduction to policyIQ
Populating policyIQ with your Principles, Points of Focus (and Risks, Controls, Tests, etc. if you are new to policyIQ) is as simple as arranging the information in Excel for Import.
21. Introduction to policyIQ
The result of the import is: your pages have been created, appropriate security rights have been assigned, pages are indexed into the appropriate folders and you can even link pages to one another.
23. Mapping Process – Top-down Approach
Without policyIQ, you could use COSO’s Illustrative Tools to help you manage your top-down methodology of mapping your Principles to Points of Focus and then to relevant Controls.
24. Mapping Process – Top-down Approach
With policyIQ, you could use the tool and its linking capability to manage your top-down methodology of mapping your Principles to Points of Focus and then to relevant Controls.
25. Mapping Process – Bottom-up Approach
You could also use policyIQ to review all of your controls and map them to relevant Principles or Points of Focus. This process will set the stage for using policyIQ to thoroughly (and quickly) review and rationalize the reduction of controls and, therefore, testing (and related costs).
26. policyIQ Reports – To Identify Gaps
With a simple report, it is apparent when gaps exist.
27. policyIQ Reports – Control Rationalization
Reports also allow you to easily see where some Principles might be more than adequately controlled and when it makes sense to remove Controls from the SOX framework (noting they are “out of scope” for SOX).
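The gap report (slide 26), the rationalization report (slide 27) and the Phase 3 orphan-control check can all be derived from the same Principle-to-Control link list. The following is an added example, not policyIQ code: it runs that analysis over a constructed link list shaped like a Detail Link Report exported to Excel; the control IDs, the sample links and the redundancy threshold are assumptions.

```python
"""Gap, orphan and redundancy analysis over a Principle-to-Control mapping.

Added illustration (not policyIQ code). Sample data below is constructed.
"""
from collections import defaultdict

# The 17 COSO 2013 principles grouped by component, as on the framework slide.
COMPONENTS = {
    "Control Environment": range(1, 6),
    "Risk Assessment": range(6, 10),
    "Control Activities": range(10, 13),
    "Information & Communication": range(13, 16),
    "Monitoring Activities": range(16, 18),
}

# Constructed link list: (control id, principle number). Control IDs are
# assumed placeholders, not identifiers from the page.
SAMPLE_LINKS = [
    ("C-001", 1), ("C-002", 1), ("C-003", 1), ("C-004", 1),
    ("C-005", 2), ("C-006", 3), ("C-007", 4), ("C-008", 5),
    ("C-009", 6), ("C-010", 7), ("C-011", 9),  # principle 8 deliberately unmapped
    ("C-012", 10), ("C-013", 11), ("C-014", 12),
    ("C-015", 13), ("C-016", 14), ("C-017", 15),
    ("C-018", 16), ("C-019", 17),
]
# All controls in the SOX framework; C-020 and C-021 link to no principle.
SAMPLE_CONTROLS = [f"C-{n:03d}" for n in range(1, 22)]


def analyze(links, controls, redundancy_threshold=3):
    """Return the three findings the reports surface.

    gaps:      (component, principle) pairs with no linked control
    orphans:   controls linked to no principle (candidates for removal)
    redundant: principles with >= redundancy_threshold controls, to review
               for rationalization (fewer controls, hence less testing)
    """
    by_principle = defaultdict(set)
    for control, principle in links:
        by_principle[principle].add(control)
    linked = {c for c, _ in links}
    gaps = [(comp, p) for comp, nums in COMPONENTS.items()
            for p in nums if not by_principle.get(p)]
    orphans = sorted(set(controls) - linked)
    redundant = {p: sorted(c) for p, c in by_principle.items()
                 if len(c) >= redundancy_threshold}
    return {"gaps": gaps, "orphans": orphans, "redundant": redundant}


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LINKS, SAMPLE_CONTROLS).items():
        print(f"{name}: {finding}")
```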
28. policyIQ Reports – To Summarize
You may also use policyIQ Reports to summarize information, selecting only the pertinent information, to share with the Audit Committee, External Auditors, and so on. Focus only on necessary information in Results.
29. Summary
• Start the transition process as soon as possible
• Use the opportunity to streamline key controls and reduce costs
• Leverage technology to promote effectiveness and efficiency
• Mapping process
• Control Rationalization – Gaps and Redundancies
• Reporting to the Audit Committee and External Auditors
30. Contact Information
LESTER SUSSMAN, Senior Practice Director, GRC: Lester.Sussman@rgp.com
STEPHENIE BUEHRLE, Product Director, policyIQ: Stephenie.Buehrle@rgp.com
POLICYIQ INFORMATION: Information@policyIQ.com
Reach out to us with any questions about the framework, methodology for transitioning, project management, project support or policyIQ!