Questions from Our Webinar: COSO 2013: Implications for IT Controls

Introduction

On January 15, 2014, Protiviti hosted a webinar to address the many questions and comments raised in the market in response to the release of COSO’s Internal Control – Integrated Framework (2013 edition). During the webcast, our audience of more than 1,400 executives and professionals submitted numerous questions – far more than we had time to address. Therefore, we are pleased to offer this supplement that provides detailed responses to many of the questions submitted.

For additional information, we invite you to download a complimentary copy of our resource guide, The Updated COSO Internal Control Framework: Frequently Asked Questions (Second Edition). Many of the questions below include references to relevant FAQs contained in the guide, and in some of our guides to the Sarbanes-Oxley Act. You also are welcome to contact our COSO experts directly:

David Brand, Managing Director, +1.312.476.6401, [email protected]
Jim DeLoach, Managing Director, +1.713.314.4981, [email protected]
Barbi Goldstein, Managing Director, +1.212.603.8351, [email protected]
Keith Kawashima, Managing Director, +1.408.808.3222, [email protected]


Page 1: COSO 2013: Implications for IT Controls


Questions from the Audience

1. Who owns the mapping conversion process?

Management has options in terms of who assumes primary responsibility for the mapping exercise. It depends on the breadth of the application of the framework. To illustrate, if the framework historically was applied to internal control over financial reporting primarily (often in conjunction with complying with Section 404 of Sarbanes-Oxley), the group responsible for evaluating such controls might direct the mapping process. Groups could include the Sarbanes-Oxley project management office (PMO) or the finance organization. If the framework has been applied to operations or other areas of compliance and reporting, then those responsible for their respective areas might conduct the mapping. In many organizations, internal audit might own the process, or play a significant role, in either reviewing the final product or performing the mapping directly, as internal audit can contribute a unique perspective on internal controls.

2. If we historically had a clean Sarbanes-Oxley certification, but now find through mapping and testing that there are gaps in the presence and functioning of the COSO 2013 principles, how does the organization handle these deficiencies? What are the implications of a deficiency in control design or operation around these entity-level type controls with respect to the new framework for a Sarbanes-Oxley filer? Can the organization now fail to comply with Sarbanes-Oxley Section 404 requirements if it is weak on a COSO principle?

The premise for this question is that the organization has completed the mapping exercise and is satisfied it has considered all relevant entity-level and process-level controls currently in place. If gaps (deficiencies) identified during the mapping of internal controls are “true” gaps, the organization will need to evaluate the severity of the deficiencies. It is important to note that not every deficiency will result in a conclusion that an entity does not have an effective system of internal control. For instance, when evaluating the severity of the deficiency, an entity-level control gap may be deemed a deficiency or significant deficiency rather than a material weakness from a Sarbanes-Oxley standpoint, as its impact on the achievement of the financial reporting objective is not as direct as a deficiency around a specific process-level control might be. However, over time, such significant deficiencies will need to be addressed and remediated.

If deficient entity-level controls result in a determination that the corresponding principles are not present and functioning, and that determination results in the single component not being present and functioning, then the organization could have a material weakness for Sarbanes-Oxley. This is not very likely for entity-level controls given that management ordinarily looks for compensating controls in the case of failure of primary or key controls.

See Protiviti COSO FAQ Guide: Question 9.


3. How does the new COSO framework align to COBIT 5?

Below is a graphic that illustrates the relationship between the two frameworks:

4. How do you deal with IT providers that are not SSAE 16 compliant? What steps can be taken (beyond SOCs) to ensure the validity of data from outsourced IT systems? What if you receive an SOC 2 report on a third-party provider? What impact does the cloud have on internal controls?

The updated framework states that management is still responsible for internal controls over outsourced applications. Obtaining an SSAE 16 Service Organization Control (SOC) 1 report can assist management in its efforts to get comfort about the controls around the processing of the organization’s data. Management should be reviewing SSAE 16 SOC 1 reports annually to ensure the third party’s control environment is adequate. Obtaining and reviewing these reports at least annually enables management to ensure that coverage is provided for each fiscal year.


In addition, management needs to review the user control considerations noted in the SSAE 16 report and identify the controls the organization has in place that meet those considerations. Management should document the review it performed, including how the organization is addressing each user control consideration, any relevant findings noted in the SSAE 16 report, and the assessment of the risk from the company’s perspective, including any mitigating controls.

Anytime management considers contracting with a new third-party service provider, it should review a compliance report as part of that evaluation and use it as input on whether it selects that vendor. SOC 2 Type 2 reports may be appropriate for management to use in its assessment. A similar evaluation would need to be completed to assess whether the report addresses the appropriate controls.

If an SOC report does not exist for an in-scope outsourced system, management will need to find other means to obtain assurance around the controls over that system. This could include identifying controls management is responsible for that provide assurance that the processing at the outsourcer was accurate, or conducting tests at the provider to test the controls on which management relies.

See Protiviti Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Question 17.

5. Do the 17 principles and 77 points of focus apply to IT controls as well as general controls? I would like to see specific examples mapping IT controls to the 17 principles and relevant points of focus.

Below are a few examples of mapping IT to principles and points of focus:

Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Point of Focus: Defines, Assigns, and Limits Authorities and Responsibilities (“Use appropriate processes and technology to assign responsibility and segregate duties …”)

Connection to IT: Technology is leveraged as appropriate to facilitate the definition and limitation of roles and responsibilities within the workflow of business processes.

• Application and infrastructure access is administered based on users’ roles and responsibilities.

• Application access may be facilitated through integration with the network, or with identity management systems.

Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Point of Focus: Evaluates a Mix of Control Activity Types (“Control activities … include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.”)

Connection to IT:

• IT systems support manual system-dependent controls and automated controls. Automated application controls as part of data input and processing can prevent errors; monitoring and reconciliation controls can detect errors.

Point of Focus: Addresses Segregation of Duties (“Management segregates incompatible duties …”)

Connection to IT:

• Application and infrastructure access is administered based on users’ roles and responsibilities.

• Application access may be facilitated through integration with the network, or with identity management systems.


In mapping IT to the principles and points of focus, organizations may find that work around IT general controls (ITGC) could increase for existing Sarbanes-Oxley filers due to the potential increase in the scope of systems that support entity-level type controls. There are areas that may require documentation and testing that were not previously included under the scope of the Sarbanes-Oxley program.

6. Will COSO 2013 expand the range of systems in scope for Sarbanes-Oxley this year?

It is possible that, on an organization-by-organization basis, the systems in scope could expand. As companies map their controls to the 17 principles and relevant points of focus, they may identify that there are additional data sources and reports that will come into scope in addressing these principles. These may come from other systems outside of those currently in scope for Sarbanes-Oxley. Each company will need to analyze and internalize this information through assessing whether there are alternative controls that can be relied upon with respect to these particular data sources and reports.

In addition, the Public Company Accounting Oversight Board (PCAOB) inspection reports may pull additional areas into scope related to review controls. Reports used in review controls may pull additional systems into scope. The range of systems in scope is an evolving area.

7. How are interface files and programs addressed in Sarbanes-Oxley?

See Protiviti Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Question 46.

8. Should all IT-dependent manual controls be mapped to Principle 13?

A top-down risk-based approach should guide the mapping process. Existing Sarbanes-Oxley filers most likely already have key controls around ITGC documented and tested. Additionally, there has been an increased focus on Information Produced by Entity (IPE) or Electronic Audit Evidence (EAE) by the public accounting firms as a result of the PCAOB inspection reports. We expect there to be continued focus on how management verifies the accuracy of IPE/EAE used in key manual controls.

See Protiviti COSO FAQ Guide: Question 17.

9. Do all reports used in key controls for Sarbanes-Oxley need to be tested annually or is rotating testing allowed?

The PCAOB inspection reports have highlighted gaps in external audit firms’ testing of reports used in key controls. This is an area that is continuing to develop, with varying views on the required frequency of testing of these reports (also known as baselining). Our survey of the 1,486 attendees of the January 15, 2014 webinar indicated that:

• 19 percent test all key reports annually

• 12 percent test key reports on a rotational basis

• 22 percent baseline test some but not all reports

• 15 percent test only new reports and rely on ITGC in subsequent years

• 33 percent do not baseline test reports

As audit firms continue to address the PCAOB’s findings, expect to see their expectations evolve on this topic and plan to adjust accordingly.


10. How does COSO relate to other frameworks such as ISO 27000, GTAG and GAIT?

In general, COSO provides principles-based guidance that does not include prescriptive guidance on the nature of the specific controls management needs to implement. Frameworks such as ISO 27000, GTAG, COBIT and ITGI provide detailed guidance on how to address technology specifically from a risk assessment and control activities perspective.

Global Technology Audit Guides (GTAGs) are available from The Institute of Internal Auditors (IIA). GTAGs address issues related to information technology management, control, and security. They can be used in conjunction with the COSO framework to analyze IT risks and controls.

The IIA also publishes the Guide to the Assessment of IT Risk (GAIT), which is a series of practice guides outlining the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within ITGC. GAIT is useful when scoping ITGC. The IIA defines GAIT-R as the methodology for identifying all key controls critical to achieving business goals and objectives. GAIT-R identifies the critical aspects of IT that are essential to the management and mitigation of organizational risk, generically described as business risk. It is focused on identifying the key controls that are in place to manage or mitigate risk.

Regarding ISO 27000, see Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Question 9.

For further guidance on how to approach the Sarbanes-Oxley 404 internal controls certification process, see our Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements − Frequently Asked Questions Regarding Section 404 at http://www.protiviti.com/en-US/Pages/SOX-404-FAQs.aspx and our Guide to the Sarbanes-Oxley Act: IT Risks and Controls at http://www.protiviti.com/en-US/Pages/Guide-to-the-Sarbanes-Oxley-Act.aspx.

© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Our Financial Controls and Sarbanes-Oxley Compliance Practice

Protiviti’s Financial Controls and Sarbanes-Oxley compliance professionals help companies establish effective internal control over financial reporting. Whether your organization is just getting started with compliance or has complied for years, we can help apply a top-down, risk-based approach, in accordance with the U.S. Securities and Exchange Commission’s interpretive guidance, to implement a cost-effective compliance process. We help rationalize the critical risks, identify the key controls, develop a credible body of evidence supporting controls design and operating effectiveness, drive accountability for compliance throughout the organization, and coordinate the optimization of the attestation process under Auditing Standard No. 5.

Our experience, gained by working with hundreds of companies, gives us the knowledge to help organizations think longer term, make the right choices and create value as sustainability improves. Our flexible, comprehensive approach is driven by a customized road map that addresses each client’s immediate priorities, planned improvements, longer-term strategic improvements and designated timetable.

Our specific services include:

• Sarbanes-Oxley compliance project planning and management

• Documentation, evaluation, testing and remediation of risks and controls

• Compliance cost reduction by rationalizing risks and controls and implementing risk-based testing

• Improvement of internal controls and the quality of key upstream business processes affecting financial reporting

• Governance portal implementation and support