Coso Monitoring Training Final


2009 COSO guidance overview set of slides. At the end I have contact information but that is now outdated. You can reach me at if you have questions.

  1. 1. 2009 COSO Guidance & Impact 1
  2. 2. AgendaHow COSO’s 2009 Monitoring Guidance Impacts Smaller Co.Leveraging 2009 Guidance to Cut CostsPractical SOX Compliance StepsDealing with External AuditorsKey Remediation and Reporting Issues 2
  3. 3. Quick Overview of COSO COSO was formed in 1985 Introduced a Framework for internal controls in 1992 COSO is comprised by five professional associations: American Accounting Association AICPA (American Institute of Certified Public Accountants) FEI (Financial Executives International) IIA (The Institute of Internal Auditors) and IMA (Institute of Management Accountants) 3
  4. 4. The Face of COSO Mr. Treadway Committee of Sponsoring Organizations of Treadway Commission (aka COSO)Charles C. Cox (far left); Bevis Longstreth (second from left); John S. R. Shad (second fromright); James C. Treadway, Jr. (far right) Source: 4
  5. 5. COSO Guidance - Timeline 1987 - 1997 Fraud Monitoring Monitoring report on public Guidance on ERM Framework Guidance u9 a1 d8 r7 F companies – Issued Issued 2004 Derivatives Issued r tp re o 1999 Issued 1996 Feb. 2009 20101985 oaG fciu red n d7–1 a 29 u07 rF Framework lprr iboe np cuto Introduced ua ib l c rS Pm l e sac –no im ep in 1992 iaC sno ep m iC ngo Sm on 2us 0nu Je 6ed I 9e( J 2u )0n 5
  6. 6. How to get COSO MaterialsFree download to executive summaries (e.g. introduction or overview documents) of their guidance materials located at : site represents AICPA and COSO related products. Search terms such as Internal controls, or COSO etc. 6
  7. 7. 2009 COSO Monitoring Guidance Introduction Free Download Intended for CFO, CEO, BOD and AC members Vol. 1 Guidance Overview Intended for C-Level, BOD and AC Members, and Director of Internal Audit 7
  8. 8. 2009 COSO Monitoring Guidance Vol.II Application Discusses How guidance Impacts And Links to 1992 and 2006 COSO Guidance materials Audience: DIA, Internal Audit Staff etc. Vol. III Examples Provides templates to leverage Monitoring Guidance Theory Audience: DIA, Internal Audit Staff etc. 8
  9. 9. Vol. #1 - Overview• Four Sections1. Purpose of Guidance2. Nature & Purpose of Monitoring3. A Model for Monitoring4. Summary Considerations 9
  10. 10. The Purpose of the GuidanceTwo Primary Objectives: 1. To help improve the effectiveness & efficiency of their internal control systems 2. To provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control process. 10
  11. 11. Application of GuidanceDesigned to meet all three control objectives of COSO FrameworkDue to SOX compliance Guidance has a primary focus on internal controls over financial reporting 11
  12. 12. Guidance Does Not:Change to COSO framework or its 2006 guidanceDictate risks or controls that organization must considerMandate the exact monitoring procedures that organizations must followIncrease the monitoring effort for organizations in areas where monitoring is already effective orMandate a certain level or formality of monitoring documentation, including the use of certain terms 12
  13. 13. Nature and Purpose of MonitoringCOSO Framework states that “monitoring ensures that internal controls continues to operate effectively” by leveraging two related principles: 1. Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time. 2. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate. 13
  14. 14. Linking the 2 Principles to 2006 COSO guidance Principle #19: Ongoing & Separate Evaluations Principle #20: Reporting Deficiencies Source: 2006 COSO guidance, vol #3 14
  15. 15. Establishing a Model for Monitoring. Effective approach to monitoring involves: 1. Establishing a Foundation 2. Designing & Executing Monitoring procedures 3. Assessing & Reporting 15
  16. 16. Establishing a Foundation: A tone at the top that stresses the importance of monitoring; Effective organizational structure that considers the roles of management and the board in regard to monitoring, and places people with appropriate capabilities, objectivity, authority and resources in monitoring roles; and Baseline understanding of internal control effectiveness 16
  17. 17. Design & Execute. Prioritize Risks: Evaluate controls in areas of meaningful risk. ID Controls: select appropriate controls for evaluation from across any or all of COSO’s 5 components. ID information that will be persuasive in supporting conclusions about control effectiveness. Implement monitoring procedures: evaluate that information through a mix of ongoing monitoring and separate evaluations 17
  18. 18. Assessing and Reporting Results: Prioritize findings; Provide support at the appropriate organization level for conclusions regarding the effectiveness of internal controls; and Follow up on corrective action: Facilitate prompt corrective actions and documentation as necessary 18
  19. 19. Assessing and Reporting Results * Prioritize & Communicate Results. ID and Prioritizing potential control deficiencies allows organizations to determine 1. The levels to which the potential deficiencies should be reported and 2. Corrective action, if any, that should be taken. Factors influencing prioritization include: 1. Likelihood that deficiency will materially affect the achievement of organizational objective 2. Effectiveness of compensating controls and 3. Aggregating effect of multiple deficiencies 19
  20. 20. Assessing and Reporting Results * Reporting. Internally: Usually ELC (entity-level controls) are reported to senior management and the board. Externally: 1. Each Co. will have different requirements as to the depth of reporting requirements (e.g. private co. vs. publicly traded). 2. Management should evaluate third parties which may require reporting documents (e.g. external auditors, regulators etc.). 20
  21. 21. Other Considerations in Reporting. Monitoring Controls Outsourced to Others: 1. For SOX, SAS 70 reports and their evaluations may be sufficient 2. Management must evaluate both financial and operational outsourced providers 21
  22. 22. Vol. II – Application Overview 22
  23. 23. Vol. II – Application: “Quick Tip” Concept and its application in Grey area. Tips on How to Read Vol. II: Grey areas are only suggestions. Application may vary Co. by Co. 23
  24. 24. Application of “Tone at the Top”: Management’s tone influences the way employees conduct and react to monitoring. Examples of documenting the monitoring of “Tone at the Top” include: • Communicating expectations to employees (via employee manual, performance evaluation, sign-off on risk/control matrices, or other SOX related documents). • Taking action for control problems by documenting control failures and including remediation plan or compensating control for each gap. • Documentation of follow-up procedures for any control failures identified (via ____________ or ______________) Action Item: Update Performance Evaluations 24
  25. 25. Application of “Organizational Structure”: Role of Management & the BOD • Senior Management evaluates the day-to-day control and monitoring activities (Evidenced in SOX or other related document sign-off) • BOD has an oversight role, in which they are responsible for • Understanding risks to organizational objectives • Controls that management has put in place to mitigate those risks • How management monitors to help ensure that the internal system continues to operate effectively • NOTE: Evidence should be documented in the BOD/AC minutes • Guidance offers four suggestions for the BOD to perform its oversight responsibilities: (1) Inquiries & Observation of management, (2) Internal audit function (if present), (3) Hired resources or specialists when necessary and (4) external auditors. Characteristics of Evaluators. Action Item: Principle #19 and #2 of COSO can leverage evidence of Monitoring Risks 25
  26. 26. Application of “Organizational Structure” (continued): Characteristics of Evaluators • Self-review: evaluation of one’s own work • Benefit: usually affords the 1st opportunity to ID control deficiencies • Peer Review: evaluation of co-worker’s or peer’s work • Benefit: the individual is close to the control and may be in the best position to ID and correct control deficiencies • Supervisory Review: evaluation of subordinate’s work • Benefit: same as above Peer Review • Impartial Review: often includes internal audit function, people from other departments or external parties • Benefit: Most objective concerning results and can place more reliance on the effectiveness of ICFR Source: Vol.2: Figure 5, pg13 26
  27. 27. Baseline Understanding of Internal Control Effectiveness: COSO provides three primary reasons internal control systems fail: 1. Not designed and implemented properly 2. Designed & Implemented properly BUT environment changes and control system DOESN’T change accordingly 3. Designed & Implemented properly BUT operation changes, rendering the control ineffective to mitigate control risks • Based upon the three primary reasons controls fail, COSO suggests a baseline allows management to have a starting point to address changes (i.e. process or control variances) in “real-time” 27
  28. 28. Monitoring Changes: COSO offers a high-level overview of an internal control change continuum as follows: 28
  29. 29. Change Continuum Definitions. Control Baseline — Monitoring starts with a supported understanding of the internal control system’s design and of whether controls have been implemented to accomplish the organization’s internal control objectives. As management gains experience with monitoring, its baseline understanding will expand based on the results of monitoring. Baseline is the starting point and a new control baseline is established over time through monitoring. Change Identification — The risk assessment component of internal control identifies changes in processes or risks and verifies that the design of underlying controls remains effective. Monitoring, through the use of ongoing and separate evaluations, should consider the risk assessment component’s ability to identify and address those changes. Change Management — When changes in the operation of controls have occurred, or when needed changes in control design are identified, monitoring verifies that the internal control system manages the changes and establishes a new control baseline for the modified controls. Control Revalidation/Update — When ongoing monitoring procedures use persuasive information, they can routinely revalidate the conclusion that controls are effective, thus maintaining a continuous control baseline. When ongoing monitoring uses less-persuasive information, or when the level of risk warrants, monitoring periodically revalidates control operation through separate evaluations using appropriately persuasive information. 29
  30. 30. Change Continuum Evidence Risk/Control Narrative/Flowcharts ELC - Assessment matrices 30
  31. 31. Change Continuum Evidence Test Scripts with Sub-certifications supporting on Controls documents 31
  32. 32. Change Continuum Evidence Policy & Change Mgmt Documentation Procedure for Form Authorization with changes Changes (1). (1) See Appendix B-Chg Mgmt Narrative Form 32
  33. 33. Vol. II Application of Design & Execute Source: Vol.2 Figure 7 COSO 2009 Monitoring Guidance 33
  34. 34. Risk Assessment • COSO’s monitoring guidance does not state to create a separate risk assessment just for monitoring • Prioritizing risks will allow management to decide on the type, timing and extent of monitoring of controls • Risk Factors to consider: 1. Nature of Operations 2. Changes in Operations 3. Environmental Factors 4. Susceptibility to Theft or Fraud 34
  35. 35. COSO’s Risk Assessment Examples: Revenue Example without score detail and objective = Vol.2; Inventory Example with score detail without objective = Vol.3 35
  36. 36. 36
  37. 37. ID Key Controls • Key-Controls determination can occur at various levels within an organization (e.g. supervisor of a plant has different key monitoring controls than the CFO). • Key-Control Analysis can be facilitated by considering factors that increase the risk that the internal control system will fail to properly manage or mitigate a given risk. These factors are: 1. Complexity 2. Judgment 3. Manual vs. Automated 4. Known Control Failures 5. Competence/experience of personnel 6. Risk of management override 7. Likelihood of control failure detection 37
  38. 38. ID Persuasive Information • Persuasive information is both suitable AND sufficient in the circumstances and gives the evaluator reasonable, but not necessarily absolute, support for the conclusion regarding the continued effectiveness of the internal control system in a given risk area. • Suitable information MUST be relevant, reliable and timely. • Sufficiency is a measure of the quantity of information (i.e., whether the evaluator has enough suitable information) 38
  39. 39. ID Persuasive Information (Cont.) Relevance of Information: Direct vs. Indirect Information. Information that directly confirms the operations of the control is more relevant than indirect. Direct: substantiates the operation of controls and is obtained by: 1. Observing controls in operation 2. Reperformance or 3. Otherwise evaluating their operation directly, and can be useful in both ongoing monitoring and separate evaluations. Indirect: is all other information that may indicate a change or failure in the operation of controls such as: 1. Operating statistics 2. Key risk indicators 3. Key performance indicators and 4. Comparative industry metrics 39
  40. 40. ID Persuasive Information (Cont.) Reliability of Information. Reliable information: is accurate, verifiable and comes from an objective source. • Accurate information: represents the degree to which information can reasonably be expected to be free from error and/or to communicate results that reflect reality. • Verifiable: represents information that can be established, confirmed or substantiated as true. • Objectivity: is the degree to which the information source is unbiased when evaluated 40
  41. 41. ID Persuasive Information (Cont.) Sufficient Information: Management is required to maintain sufficient suitable information to support its conclusion on the effectiveness of internal controls. SEC has provided smaller public companies with a general guideline dependent upon risks to determine the sufficient level of support. 41
  42. 42. SEC’s Guidance on Information mallbus/404guide.pdf 42
  43. 43. AICPA new sampling rules: Better understanding of how much is enough in Multi-Locations • May 2008: AICPA issued new Sampling guidelines to align better with their risk based auditing standards (i.e. SAS 101 to SAS 112). • Management should consider multi-location issues as documented in this new guidance as PCAOB and SEC do not provide best practices on how to make sample selections on a risk-based approach for multi-locations. 43
  44. 44. Implementing Monitoring: COSO Provides in Vol.3 Example of Implementing Monitoring Processes for Inventory, which the template can be applied to any business cycle, including IT. Can add columns for 1) Evidence to Collect 2) Qty of Evidence (is it all stores and all months, if so what periods) 44
  45. 45. Assess & Report: Prioritize Findings by Risk. Risk Examples provided by Vol.2, have one example of each type of Risk Rating Type (by Significance and Likelihood) 45
  46. 46. Vol. 2 – Applying Concepts of Monitoring Prioritized Risks: Extends the concept in prior slide, in how to prioritize monitoring efforts by rating as well (i.e. High, Med. Low) 46
  47. 47. IT Guidance to Help Prioritize Findings 2006 SOX IT Guidance helps users to assess the prioritization based upon risks Site: 47
  48. 48. Reporting Results. Internal Reporting: protocol must be established. Typically includes senior management and the board. External Reporting: a properly designed & executed monitoring program helps support external certifications or assertions because it provides persuasive information that internal control operated effectively at a point in time or during a particular period. 48
  49. 49. Follow-up Corrective Action: COSO’s suggested documentation should include evidence of: Reporting items agree to source scoping documents; Evidence collected supports that the control has been adequately corrected/remediated; Management approval of corrective action and related evidence 49
  50. 50. Leveraging 2009 Guidance: Linking Monitoring Principles (i.e. Principle #19 and 20) to actual business processes (i.e. Financial Statement Close Process, Inventory etc.) will reduce the number of key controls required to assess for SOX. Providing more detailed monitoring reports substantiates management’s evidence of reviewing key controls. Guidance provides management more information on how to leverage key controls for more than one type of risk 50
  51. 51. Practical Steps Using 2009 Guidance. Step 1: Entity-Level Control Assessment, use color coding offered by 2006 COSO Guidance. Step 2: Risk Assessment exercise should include IT to prevent any miscommunication of prioritizing risks for the organization. Step 3: Evaluate Monitoring guidance issued 2009 by COSO, especially considering three top templates from the guidance: 1. Quarterly and Annual Management Representations (vol.3 – Appendix B) 2. Enterprise Wide Risk Matrix (vol.3 – Appendix C) 3. Prioritize Risk and Controls (vol.2 – pg. 51 to pg. 55) 51
  52. 52. Segregation of Duties (SOD). 2009: Due to the economy, less staff and more work allocated to others. Leveraging too small a staff size may cause a lack of SOD. 2009 & 2006 COSO Guidance have stated compensating controls are the critical factor to avoid a material weakness. 52
  53. 53. SOD Case Study 53
  54. 54. Dealing with External Auditors: Early discussions about the guidance and where you plan to leverage the guidance. Planning & Scoping: leverage guidance to lower number key controls on entity-level assessment. Risk assessment process: may require technical memo to provide to SOX files and distributed to external auditors how guidance has revised and prioritized resources for SOX assessment. Key Control ID: inform external auditors on where they may be able to leverage more monitoring controls 54
  55. 55. Key Remediation and Reporting Issues: Material weaknesses. IT General Controls: primarily related to change management. Financial Close Process: primarily related to high risk areas dealing with accounting transactions, which are complex and/or involve significant judgment • Tax issues • Valuation • Going Concern related issues (intangibles etc.) 55
  56. 56. Q&A My Contact info: Sonia Luna: Office: (213) 250-5700 x206 Cell: (323) 828-5862 700 S. Flower St. #1100, Los Angeles, CA 90017 Email: Blog: www.sox-blog.com Twitter: 56