2009 COSO Guidance & Impact
1
Agenda
Overview of COSO
Purpose of the Monitoring
Guidance
How COSO’s 2009
Monitoring Guidance
Impacts Smaller Co.
2
Quick Overview of COSO
COSO was formed in 1985
Introduced a Framework for internal controls in 1992
COSO is comprised b...
COSO Guidance - Timeline
1987Fraud
report
1987 - 1997 Fraud
report on public
companies – Issued
1999
1997–2007Fraud
report...
How to get COSO Materials
Free download to executive summaries (e.g.
introduction or overview documents) of their
guidanc...
2009 COSO Monitoring Guidance
Introduction
Free Download
Intended for CFO, CEO, BOD
and AC members
Vol. 1 Guidance Overvie...
2009 COSO Monitoring Guidance
Vol.II Application
Discusses How guidance Impacts
And Links to 1992 and 2006 COSO
Guidance m...
Vol. #1 - Overview
• Four Sections
1. Purpose of Guidance
2. Nature & Purpose of Monitoring
3. A Model for Monitoring
4. S...
Purpose of the Guidance
Two Primary Objectives:
1. To help improve the effectiveness & efficiency of their
internal contr...
Application of Guidance
Designed to meet all three control
objectives of COSO Framework
Due to SOX compliance Guidance
h...
Guidance Does Not:
Change COSO framework or its 2006 guidance
Dictate risks or controls that organization must
consider
...
Nature and Purpose of Monitoring
COSO Framework states that “monitoring ensures
that internal controls continues to opera...
Linking the 2 Principles to 2006 COSO guidance
Principle #19: Ongoing
& Separate
Evaluations
Principle #20:
Reporting Defi...
Establishing a Model for Monitoring
Effective approach to
monitoring involves:
1. Establishing a
Foundation
2. Designing ...
Establishing a Foundation
A tone at the top that stresses
the importance of monitoring
Effective organizational structur...
Design & Execute
Prioritize Risks: Evaluate controls in areas of
meaningful risk
ID Controls: select appropriate control...
Assessing and Reporting
Results
Prioritize findings
Provide support at the
appropriate organization level
for conclusion...
Vol. II – Application Overview
18
Vol. II – Application
“Quick Tip”
Concept and it’s
application in
Grey area
Tips on How to Read
Vol.II: Grey areas are
onl...
Application of
“Tone at the Top”
Management’s tone influences the way employees conduct and react
to monitoring.
Example...
Application of “Organizational Structure”
 Role of Management & the BOD
 Senior Management evaluates the day-to-day cont...
Application of “Organizational Structure” (continued)
22
 Characteristics of Evaluators
 Self-review: evaluation of one’...
Monitoring Changes
COSO offers a high-level overview of an internal
control change continuum as follows:
23
Change Continuum Evidence
24
Risk/Control
matrices
Narrative/Flowcharts ELC - Assessment
Change Continuum Evidence
25
Test Scripts with
supporting
documents
Sub-certifications
on Controls
Change Continuum Evidence
26
Policy &
Procedure for
changes
Change Mgmt
Form
Documentation
Authorization with
Changes (1)
...
Vol. II Application of Design & Execute
27
Source: Vol.2 Figure 7
COSO 2009 Monitoring
Guidance
Risk Assessment
28
•COSO’s monitoring guidance does not state
to create a separate risk assessment just for
monitoring
•Pr...
COSO’s Risk Assessment Examples
29
Revenue
Example without
score detail and
objective = Vol.2
Inventory
Example with
score...
30
ID Key Controls
31
• Key-Controls determination can occur at various levels within an
organization (e.g. supervisor of a p...
ID Persuasive Information
32
•Persuasive information is both suitable AND
sufficient in the circumstances and give the
eva...
ID Persuasive Information (Cont.)
Relevance of Information
Direct vs. Indirect Information
Information that directly con...
ID Persuasive Information (Cont.)
Reliability of Information
Reliable information: is accurate, verifiable and comes from...
ID Persuasive Information (Cont.)
Sufficient Information
Management is required to maintain sufficient
suitable informati...
SEC’s Guidance on Information
36
http://www.sec.gov/info/s
mallbus/404guide.pdf
Companies Should Consider New Sampling Guidance
37
•May 2008: AICPA issued new Sampling
guidelines to align better with th...
Implementing Monitoring
38
COSO Provides in
Vol.3 Example of
Implementing
Monitoring Processes
for Inventory, which
the te...
Assess & Report
Prioritize Findings by Risk
39
Risk Examples
provided by Vol.
2, have one
example of
each type of
Risk Rat...
Vol. 2 – Applying Concepts of Monitoring
Prioritized Risks
40
Extends the concept in
prior slide, in how to
prioritize mon...
IT Guidance to Help Prioritize Findings
41
2006 SOX IT Guidance
helps users to assess the
prioritization based upon
risks
...
Internal Reporting: protocol must be established.
Typically includes senior management and the board.
External Reporting...
COSO’s suggested documentation should include
evidence of:
Reporting items agrees to source scoping documents
Evidence ...
Impact to Smaller Public Companies
Linking Monitoring Principles (i.e. Principal #19 and
20) to actual business processes...
Practical Steps Using 2009 Guidance
Step 1: Entity-Level Control Assessment, use color coding offered by
2006 COSO Guidan...
Segregation of Duties (SOD)
2009 Due to economy less staff and more work
allocated to others.
Leveraging too smaller sta...
SOD Case Study
47
Q & A
My Contact info:
Sonia Luna email: sluna@sox-solutions.com
Phone: (323) 828-5862
Blog: www.sox-blog.com
Twitter: ...
Upcoming SlideShare
Loading in …5
×

Coso Monitoring - Templates

807 views

Published on

http://www.avivaspectrum.com/contacts
COSO 2009 Monitoring Templates free overview

Published in: Economy & Finance
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
807
On SlideShare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
22
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • How many of you have read COSO’s 2006 guidance? Any guesses of which principles these are?
  • COSO is leveraging a “Risked based” approach that higher risks weigh more in terms of evidence and work and lower has less work ID of controls, the more effective detective controls can at times eliminate preventive controls (this is dependent upon your work as a tester of such controls). Note page 32 - 34of Vol #2 shows rationale of selecting key controls v. non-key
  • Via “Walkthroughs” or “Samples”/Testing”
  • Enterprise Wide Risk matrix is an example of one retail chain of a larger organization. Use to help assign responsibilities of monitoring.
  • Coso Monitoring - Templates

    1. 1. 2009 COSO Guidance & Impact 1
    2. 2. Agenda Overview of COSO Purpose of the Monitoring Guidance How COSO’s 2009 Monitoring Guidance Impacts Smaller Co. 2
    3. 3. Quick Overview of COSO COSO was formed in 1985 Introduced a Framework for internal controls in 1992 COSO is comprised by five professional associations:  American Accounting Association  AICPA (American Institute of Certified Public Accountants)  FEI (Financial Executives International)  IIA (The Institute of Internal Auditors) and  IMA (Institute of Management Accountants) 3
    4. 4. COSO Guidance - Timeline 1987Fraud report 1987 - 1997 Fraud report on public companies – Issued 1999 1997–2007Fraud reportonpublic companies– ComingSoon (June2009) Monitoring Guidance Issued Feb. 2009 Guidancefor SmallerPublic Companies IssuedJune2006 Monitoring Guidance on Derivatives Issued 1996 ERM Framework Issued 2004 2010 1985 Framework Introduced in 1992 4
    5. 5. How to get COSO Materials Free download to executive summaries (e.g. introduction or overview documents) of their guidance materials located at http://www.coso.org/guidance.htm www.cpa2biz.com : site represents AICPA and COSO related products. Search terms such as Internal controls, or COSO etc. 5
    6. 6. 2009 COSO Monitoring Guidance Introduction Free Download Intended for CFO, CEO, BOD and AC members Vol. 1 Guidance Overview Intended for C-Level, BOD and AC Members, and Director of Internal Audit 6
    7. 7. 2009 COSO Monitoring Guidance Vol.II Application Discusses How guidance Impacts And Links to 1992 and 2006 COSO Guidance materials Audience: DIA, Internal Audit Staff etc. Vol. III Examples Provides templates to leverage Monitoring Guidance Theory Audience: DIA, Internal Audit Staff etc. 7
    8. 8. Vol. #1 - Overview • Four Sections 1. Purpose of Guidance 2. Nature & Purpose of Monitoring 3. A Model for Monitoring 4. Summary Considerations 8
    9. 9. Purpose of the Guidance Two Primary Objectives: 1. To help improve the effectiveness & efficiency of their internal control systems 2. To provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control process. 9
    10. 10. Application of Guidance Designed to meet all three control objectives of COSO Framework Due to SOX compliance Guidance has a primary focus on internal controls over financial reporting 10
    11. 11. Guidance Does Not: Change COSO framework or its 2006 guidance Dictate risks or controls that organization must consider Mandate the exact monitoring procedures that organizations must follow Increase the monitoring effort for organizations in areas where monitoring is already effective or Mandate a certain level or formality of monitoring documentation, including the use of certain terms 11
    12. 12. Nature and Purpose of Monitoring COSO Framework states that “monitoring ensures that internal controls continues to operate effectively” by leveraging two related principles: 1. Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time. 2. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate. 12
    13. 13. Linking the 2 Principles to 2006 COSO guidance Principle #19: Ongoing & Separate Evaluations Principle #20: Reporting Deficiencies Source: 2006 COSO guidance, vol #3 13
    14. 14. Establishing a Model for Monitoring Effective approach to monitoring involves: 1. Establishing a Foundation 2. Designing & Executing Monitoring procedures 3. Assessing & Reporting 14
    15. 15. Establishing a Foundation A tone at the top that stresses the importance of monitoring Effective organizational structure that considers the roles of management and the board regarding monitoring, and places people with appropriate capabilities, objectivity, authority and resources in monitoring roles and Baseline understanding of internal control effectiveness 15
    16. 16. Design & Execute Prioritize Risks: Evaluate controls in areas of meaningful risk ID Controls: select appropriate controls for evaluation from across any or all of COSO’s 5 components ID information that will be persuasive in supporting conclusions about control effectiveness Implement monitoring procedures: evaluate that information through a mix of ongoing monitoring and separate evaluations 16
    17. 17. Assessing and Reporting Results Prioritize findings Provide support at the appropriate organization level for conclusions regarding the effectiveness of internal controls and Follow up on corrective action: Facilitate prompt corrective actions and documentation as necessary 17
    18. 18. Vol. II – Application Overview 18
    19. 19. Vol. II – Application “Quick Tip” Concept and it’s application in Grey area Tips on How to Read Vol.II: Grey areas are only suggestions. Application may vary Co. by Co. 19
    20. 20. Application of “Tone at the Top” Management’s tone influences the way employees conduct and react to monitoring. Examples of documenting the monitoring of “Tone at the Top” include: Communicating expectations to employees (via employee manual, performance evaluation, sign-off on risk/control matrices, or other SOX related documents). Taking action for control problems by documenting control failures and including remediation plan or compensating control for each gap. Documentation of follow-up procedures for any control failures identified (via ____________ or ______________) 20Action Item: Update Performance Evaluations
    21. 21. Application of “Organizational Structure”  Role of Management & the BOD  Senior Management evaluates the day-to-day control and monitoring activities (Evidenced in SOX or other related document sign-off)  BOD has an oversight role, in which they are responsible for  Understanding risks to organizational objectives  Controls that management has put in place to mitigate those risks  How management monitors to help ensure that the internal system continues to operate effectively  NOTE: Evidence should be documented in the BOD/AC minutes  Guidance offers four suggestions for the BOD to perform it’s oversight responsibilities (1) Inquiries & Observation of management, (2) Internal audit function (if present) (3) Hired resources or specialists when necessary and (4) external auditors. 21 Action Item: Principle #19 and #2 of COSO can leverage evidence of Monitoring Risks
    22. 22. Application of “Organizational Structure” (continued) 22  Characteristics of Evaluators  Self-review: evaluation of one’s own work  Benefit: usually affords the 1st opportunity to ID control deficiencies  Peer Review: evaluation of co-worker’s or peer’s work  Benefit: the individual is close to the control and maybe in the best position to ID and correct control deficiencies  Supervisory Review: evaluation of subordinate’s work  Benefit: same as above Peer Review  Impartial Review: often includes internal audit function, people from other departments or external parties  Benefit: Most objective concerning results and can place more reliance on the effectiveness of ICFR Source: Vol.2: Figure 5, pg13
    23. 23. Monitoring Changes COSO offers a high-level overview of an internal control change continuum as follows: 23
    24. 24. Change Continuum Evidence 24 Risk/Control matrices Narrative/Flowcharts ELC - Assessment
    25. 25. Change Continuum Evidence 25 Test Scripts with supporting documents Sub-certifications on Controls
    26. 26. Change Continuum Evidence 26 Policy & Procedure for changes Change Mgmt Form Documentation Authorization with Changes (1) (1) See Appendix B-Chg Mgmt Narrative Form
    27. 27. Vol. II Application of Design & Execute 27 Source: Vol.2 Figure 7 COSO 2009 Monitoring Guidance
    28. 28. Risk Assessment 28 •COSO’s monitoring guidance does not state to create a separate risk assessment just for monitoring •Prioritizing risks will allow management to decide on the type, timing and extent of monitoring of controls •Risk Factors to consider: 1. Nature of Operations 2. Changes in Operations 3. Environmental Factors 4. Susceptibility to Theft or Fraud
    29. 29. COSO’s Risk Assessment Examples 29 Revenue Example without score detail and objective = Vol.2 Inventory Example with score detail without objective = Vol.3
    30. 30. 30
    31. 31. ID Key Controls 31 • Key-Controls determination can occur at various levels within an organization (e.g. supervisor of a plant has different key monitoring controls than the CFO). • Key-Control Analysis can be facilitated by considering factors that increase the risk that the internal control system will fail to properly manage or mitigate a given risk, these factors are: 1. Complexity 2. Judgment 3. Manual vs. Automated 4. Known Control Failures 5. Competence/experience of personnel 6. Risk of management override 7. Likelihood of control failure detection
    32. 32. ID Persuasive Information 32 •Persuasive information is both suitable AND sufficient in the circumstances and give the evaluator reasonable, but not necessarily absolute, support for the conclusion regarding the continued effectiveness of the internal control system in a given risk area. •Suitable information MUST be relevant, reliable and timely. •Sufficiency is a measure of the quantity of information (i.e., whether the evaluator has enough suitable information)
    33. 33. ID Persuasive Information (Cont.) Relevance of Information Direct vs. Indirect Information Information that directly confirms the operations of the control is more relevant than indirect Direct: substantiates the operation of controls and obtained by: 1. Observing controls in operation 2. Reperformance or 3. Otherwise evaluating their operation directly and can be useful in both ongoing monitoring and separate evaluations Indirect: is all other information that may indicate a change or failure in the operation of controls such as: 1. Operating statistics 2. Key risk indicators 3. Key performance indicators and 4. Comparative industry metrics 33
    34. 34. ID Persuasive Information (Cont.) Reliability of Information Reliable information: is accurate, verifiable and comes from an objective source.  Accurate information: represents the degree to which information can reasonably be expected to be free from error and/or to communicate results that reflect reality.  Verifiable: represents information that can be established, confirmed or substantiated as true.  Objectivity: is the degree to which the information source is unbiased when evaluated 34
    35. 35. ID Persuasive Information (Cont.) Sufficient Information Management is required to maintain sufficient suitable information to support its conclusion on the effectiveness of internal controls. SEC has provided smaller public companies with a general guideline dependent upon risks to determine the sufficient level of support. 35
    36. 36. SEC’s Guidance on Information 36 http://www.sec.gov/info/s mallbus/404guide.pdf
    37. 37. Companies Should Consider New Sampling Guidance 37 •May 2008: AICPA issued new Sampling guidelines to align better with their risk based auditing standards (i.e. SAS 101 to SAS 112). •Management should consider multi- location issues as documented in this new guidance as PCAOB and SEC do not provide best practices on how to make sample selections on a risk-based approach for multi-locations.
    38. 38. Implementing Monitoring 38 COSO Provides in Vol.3 Example of Implementing Monitoring Processes for Inventory, which the template can be applied to any business cycle, including IT. Can add columns for 1)Evidence to Collect 2)Qty of Evidence (is it all stores and all months, if so what periods)
    39. 39. Assess & Report Prioritize Findings by Risk 39 Risk Examples provided by Vol. 2, have one example of each type of Risk Rating Type (by Significance and Likelihood)
    40. 40. Vol. 2 – Applying Concepts of Monitoring Prioritized Risks 40 Extends the concept in prior slide, in how to prioritize monitoring efforts by rating as well (i.e. High, Med. Low)
    41. 41. IT Guidance to Help Prioritize Findings 41 2006 SOX IT Guidance helps users to assess the prioritization based upon risks Site: www.isaca.org
    42. 42. Internal Reporting: protocol must be established. Typically includes senior management and the board. External Reporting: a properly designed & executed monitoring program helps support external certifications or assertions because it provides persuasive information that internal controls operated effectively at a point in time or during a particular period. 42 Reporting Results
    43. 43. COSO’s suggested documentation should include evidence of: Reporting items agrees to source scoping documents Evidence collected support that the control has been adequately corrected/remediated Management approval of corrective action and related evidence 43 Follow-up Corrective Action
    44. 44. Impact to Smaller Public Companies Linking Monitoring Principles (i.e. Principal #19 and 20) to actual business processes (i.e. Financial Statement Close Process, Inventory etc.) will reduce the number of key controls required to assess for SOX Providing more detailed monitoring reports substantiates management’s evidence of reviewing key controls Guidance provides management more information on how to leverage key controls for more than one type of risk 44
    45. 45. Practical Steps Using 2009 Guidance Step 1: Entity-Level Control Assessment, use color coding offered by 2006 COSO Guidance Step2: Risk Assessment exercise should include IT to prevent any miscommunication of prioritizing risks for the organization Step 3: Evaluate Monitoring guidance issued 2009 by COSO, especially considering three top templates from the guidance: 1. Quarterly and Annual Management Representations (vol.3 – Appendix B) 2. Enterprise Wide Risk Matrix (vol.3 – Appendix C) 3. Prioritize Risk and Controls (vol.2 – pg. 51 to pg. 55) 45
    46. 46. Segregation of Duties (SOD) 2009 Due to economy less staff and more work allocated to others. Leveraging too smaller staff size may cause a lack of SOD. 2009 & 2006 COSO Guidance have stated compensating controls are the critical factor to avoid a material weakness. 46
    47. 47. SOD Case Study 47
    48. 48. Q & A My Contact info: Sonia Luna email: sluna@sox-solutions.com Phone: (323) 828-5862 Blog: www.sox-blog.com Twitter: http://twitter.com/Sox_Solutions 48

    ×