COSO’s Updated Internal Control Integrated Framework

A conversation with the Dallas Chapter of the IIA

September 5, 2013


Agenda

• COSO – What is that again?

• Why did COSO decide an update was needed to the Internal Control-Integrated Framework?

• What changed?

• Transition and recommended actions


Disclaimer:

The contents of this document are purely for educational and awareness purposes of the audience, and do not represent or imply PwC’s views on the COSO IC Framework updates nor PwC’s audit methodology related to areas impacted by the COSO IC Framework updates.


What is COSO?

Internal Control-Integrated Framework

In 1992, COSO published the original IC Framework, which allowed the management of an organization to:

• establish,

• monitor,

• evaluate, and

• report on internal control.

The original IC Framework has gained widespread acceptance and use worldwide.

In 2013, COSO published the updated IC Framework to ease use and application,

• considering changes in business and operating environments,

• articulating principles and clarifying requirements for effective internal control, and

• encouraging users to apply internal control to additional objectives.


What is COSO?

The Internal Control-Integrated Framework

[Figure: 1992 COSO IC Cube and 2013 COSO IC Cube, with labels "Components" and "Entity Structure"]


What is COSO?

[Figure: timeline of COSO publications. Internal Control: 1992, 2006, 2009, 2013. Enterprise Risk Management and Other: 2004, 2010]


Why did COSO decide an update was needed to the Internal Control-Integrated Framework?

Why a fresh look at controls will benefit your company

“In the twenty years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization”

In more recent years, internal control failures combined with the bursting of financial asset bubbles and the meltdown in macro-economic conditions have taught hard lessons about blind spots and hidden risks. In addition, 67% of companies have undergone a major business transformation in response to market shifts since mid-2011.*

As businesses evolve and introduce new risks, an effective system(s) of internal control adapts to both planned and unforeseen changes and events. Effective internal control can help uncover and mitigate risks that interfere with achieving important business objectives.

* Source – PwC, Risk in review – Global risk in the transformation age, 2013.


Why did COSO decide an update was needed to the Internal Control-Integrated Framework?

A fresh look at controls will provide benefits, especially if your company is going through...

Changes in business environment introduce or elevate risk

• Major change – New business models, markets, products, partners

• Ongoing regulatory oversight and scrutiny. If you’re complying with more regional or global requirements, there may be little room for error.

• New and evolving expectations for non-financial reporting – Stakeholders and regulators seek greater transparency and confidence in your reporting

• Business failures and brand-damaging events. Businesses in many industries need to re-build trust with customers and stakeholders.

Changes inside the business introduce or elevate risk

• Major change – New leadership, growth, restructurings

• Greater complexity in your operating model and structure – Taking on new service providers or partners can create risks that may be far removed from the business

• Expanding reliance on technology – New uses of existing technology and new investments may impact risks for internal and external interactions


Why did COSO decide an update was needed to the Internal Control-Integrated Framework?

Example #1: Dealing with ongoing regulatory oversight and scrutiny

Rapid, pervasive changes in the global business environment introduce new risks and elevate expectations to protect shareholders and key stakeholders.

As a response, recently enacted legislation, laws and regulations have prompted business leaders to re-assess existing system(s) of internal control across their organizations to determine whether risk is mitigated to an acceptable level.

Does your organization apply internal control to support achievement of non-financial reporting, operations, and compliance objectives?

Increased Regulatory Requirements

• Sarbanes-Oxley/J-SOX

• Dodd-Frank Act

• FCPA

• Consumer Protection Act

• Basel II


Why did COSO decide an update was needed to the Internal Control-Integrated Framework?

Example #2: Dealing with business failures and brand damaging events

History repeats itself... Internal control failures at companies like Enron, WorldCom, Adelphia, Parmalat, Lehman Brothers and others led to:

• Increased expectations for application of internal control beyond financial reporting requirements

Learn from the past…. Take a fresh look at existing controls in relation to the risks of achieving specific objectives.

• What breakdowns have you experienced with existing controls? Why didn’t you anticipate them?

• What issues could have been prevented if you had more effective controls at the root cause?


Why did COSO decide an update was needed to the Internal Control-Integrated Framework?

Update is responsive to input provided by stakeholders and users

Do stakeholders and users fully understand the requirements of effective internal control?

[Figure: bar chart of survey responses by component (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) on a 0% to 100% scale. Legend: Difficult to interpret; Somewhat difficult to interpret; Moderately easy to interpret; Generally easy to interpret; Easy to interpret]

Source - COSO’s survey of users and stakeholders, worldwide – January to September 2011


Stakeholders and users impacted the updates to Internal Control-Integrated Framework

COSO Board of Directors

PwC: Author & Project Leader

COSO Advisory Council

• AICPA

• AAA

• FEI

• IIA

• IMA

• Public accounting firms

• Regulatory observers (SEC, GAO, FDIC, PCAOB)

• Others (IFAC, ISACA, others)

Stakeholders

• Over 700 stakeholders in Framework responded to global survey during 2011

• Over 200 stakeholders publicly commented on proposed updates to Framework during first quarter of 2012

• Over 50 stakeholders publicly commented on proposed updates in fourth quarter of 2012


What Is Not changing?

Update is responsive to input provided by stakeholders and users, continued

What Is Not fundamentally changing...

• Core definition of internal control

• Three categories of objectives and five components of internal control

• Each of the five components of internal control is required for effective internal control

• Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness


What Is changing – Component chapters consider current business environment

Control Environment

Area: Governance - Management’s philosophy and operating style

Key Updates: Combine into five principles the discussions relating to integrity and ethical values, commitment to competence, board of directors or audit committee, management’s philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices

Area: Linkages between various components of internal control

Key Updates: Explains linkages between the various components of internal control to demonstrate the foundational aspects of the control environment for a sound system of internal control

Area: Governance - Organizational Structure

Key Updates: Expanding the discussion of governance roles in an organization, recognizing differences in structures, requirements, and challenges across different jurisdictions, sectors, and types of entities

Area: Integrity and ethical values

Key Updates: Clarifies the expectations of integrity and ethical values to reflect lessons learned and developments in ethics and compliance. E.g. code of conduct, the attestation process, whistle-blower processes, investigation and resolution, and training and reinforcement both internally and with third parties


What Is changing – Component chapters consider current business environment

Control Environment (Continued)

Area: Linking risk and performance

Key Updates: Expands the notion of risk oversight and strengthening the linkages between risk and performance to help allocate resources to support internal control in the achievement of the entity’s objectives

Area: Organizational complexities

Key Updates: Emphasizes the need to consider internal control across the complexities in organizational structure resulting from different business models and the use of outsourced service providers, business partners, and other external partners

Area: Roles and responsibilities alignment

Key Updates: Aligns roles and responsibilities discussed in organizational structure with the information presented in Appendix B, Roles and Responsibilities, so that major roles are used consistently within the Framework.


What Is changing – Component chapters consider current business environment

Risk Assessment

Area: Risk Assessment processes

Key Updates: Clarifies that risk assessment includes processes for risk identification, risk analysis, and risk response

Area: Risk Severity

Key Updates: Expands the discussion on the risk severity beyond impact and likelihood to include velocity and persistence

Area: Risk tolerances

Key Updates: Incorporates risk tolerances (set as a precondition to internal control and pertaining to the level of acceptable variation in performance and the relative importance of objectives) into the assessment of acceptable risk levels

Area: Impact of internal and external factors

Key Updates: Expands the discussion on management needing to understand significant changes in its internal and external factors and how those might impact the overall system of internal control

Area: Fraud risk

Key Updates: Considers fraud risk relating to material omission or misstatement of reporting, inadequate safeguarding of assets, and corruption as part of the risk assessment process


What Is changing – Component chapters consider current business environment

Control Activities

Area: Evolution of technology

Key Updates: Broadens the discussion to reflect the evolution in technology since 1992

Area: Automated control activities vs. general controls over technology

Key Updates: Expands the discussion of the relationship between automated control activities and general controls over technology to reinforce the linkages to business processes, with the details on automated control activities and general controls over technology separated into discrete sections to clarify the distinction between the two

Area: Control techniques

Key Updates: Expands the discussion that control activities constitute a range of control techniques while providing a more detailed description of these types and techniques, and a way to categorize them; distinguishing transaction-level controls from controls at other levels of the organization; and discussing in more detail information-processing objectives

Area: General technology controls

Key Updates: Updates the discussion on general technology controls to focus more on the universal concepts of what needs to be controlled

Area: Policies and procedures vs. control activities

Key Updates: Clarifies that control activities are actions established by policies and procedures rather than being the policies and procedures themselves


What Is changing – Component chapters consider current business environment

Information & Communication

Area: Information quality

Key Updates: Emphasizes the discussion of the importance of quality of information

Area: External Reporting information

Key Updates: Expands the discussion of the expectations for verifying to a source and for retention when information is used to support reporting objectives to external parties

Area: Information protection and reliability

Key Updates: Expands the discussion on the impact of regulatory requirements on reliability and protection of information

Area: Information volumes and sources

Key Updates: Expands the discussion on the volume and sources of information in light of increased complexity of business processes, greater interaction with external parties, and technology advances

Area: Impact of technology

Key Updates: Reflects the impact of technology and other communication mechanisms on the speed, means, and quality of the flow of information

Area: Communication with third parties

Key Updates: Adds content on the information and communication needs between the entity and third parties, emphasizing the importance of considering how processes may occur outside the entity and how the entity needs to obtain information from parties that operate outside its legal and operational boundaries


What Is changing – Component chapters consider current business environment

Monitoring Activities

Area: Monitoring activities terminology

Key Updates: Refines the terminology, where the two main categories of monitoring activities are now referred to as “ongoing evaluations” and “separate evaluations”

Area: Establishing evaluations

Key Updates: Adds the need for a baseline understanding in establishing and evaluating ongoing and separate evaluations

Area: Technology and Service Providers use

Key Updates: Expands discussion of the use of technology and external service providers


Update expected to ease use and application of internal control

Original Framework: COSO’s Internal Control–Integrated Framework (1992 Edition)

Enhancements to increase ease of use:

• Updates Context: Reflect changes in business and operating environments

• Broadens Application: Expand operations and reporting objectives

• Clarifies Requirements: Articulate principles to facilitate development of effective internal control

Updated Framework: COSO’s Internal Control–Integrated Framework: 2013


Update considers changes in business and operating environments

Changes in environments... Drove updates to the IC Framework...

• Expectations for governance oversight

• Globalization of markets and operations

• Changes and greater complexity in the business

• Demands and complexities in laws, rules, regulations, and standards

• Expectations for competencies and accountabilities

• Use of, and reliance on, evolving technologies

• Expectations relating to preventing and detecting fraud

[Figure: Updated COSO Cube]


Update encourages users to consider new applications of internal control

For instance, organizations may choose to apply the IC Framework to achieve important reporting objectives, beyond external financial reporting requirements

[Matrix: reporting objectives by Financial/Non-Financial and Internal/External, with characteristics]

External Financial Reporting Objectives May Relate to:

• Annual Financial Statements

• Interim Financial Statements

• Earnings Releases

External Non-Financial Reporting Objectives May Relate to:

• Internal Control Reports

• Sustainability Reports

• Supply Chain/Custody of Assets

Characteristics (External):

• Used to meet external stakeholder and regulatory requirements

• Prepared in accordance with external standards

• May be required by regulators, contracts, agreements

Internal Financial Reporting Objectives May Relate to:

• Divisional Financial Reports

• Customer Profitability Analysis

• Bank Covenant Calculations

Internal Non-Financial Reporting Objectives May Relate to:

• Staff/Asset Utilization

• Customer Satisfaction Measures

• Health and Safety Measures

Characteristics (Internal):

• Used in managing the business and decision making

• Established by management and board


Update articulates principles of effective internal control

Control Environment

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability


Risk Assessment

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information

14. Communicates internally

15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies


Update articulates principles as important characteristics of the components of internal control

• Principles are suitable and presumed relevant for all entities

• Principles can support achievement of a single, multiple, or overlapping objectives

• When principles are present and functioning, objectives are specified with sufficient clarity to assess risk and deploy controls to mitigate risk to acceptable level

• Applying principles provides a basis for checking what’s covered and what’s missing across the business—including dispersed and outsourced operations

[Figure: hierarchy of 5 Components, 17 Principles, Points of focus, Controls]


Update describes ‘points of focus’ as important characteristics of principles. For instance...

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

Points of Focus:

• Sets the Tone at the Top

• Establishes Standards of Conduct

• Evaluates Adherence to Standards of Conduct

• Addresses Deviations in a Timely Manner

• The points of focus may not be suitable or relevant, and other characteristics of the principles may be in place

• The points of focus may facilitate designing, implementing, and conducting internal control

• There is no requirement to separately assess whether points of focus are in place


Update describes how controls effect principles, for instance...

Component: Control Environment

Principle: 1. The organization demonstrates a commitment to integrity and ethical values.

Controls embedded in components effect this principle:

• Control Environment: Human Resources review employees’ confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity

• Information & Communication: Management obtains and reviews data and information underlying potential deviations captured in whistleblower hot-line to assess quality of information

• Monitoring Activities: Internal Audit separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results and reports thereon


Update articulates requirements for effective system(s) of internal control

“An effective system of internal control…requires that:

• Each of the five components of internal control and relevant principles is present and functioning

• The five components are operating together in an integrated manner”

“Management can demonstrate that components operate together when:

• Components are present and functioning

• Internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist”


Update requires use of relevant criteria for assessing severity of internal control deficiencies

• For objectives established through laws, regulations, and standards, use only the criteria set out by the regulator or standard-setting body (e.g., SEC defines material weakness and significant deficiency)

• For other objectives, the updated IC Framework sets out criteria with two levels of severity

• If a component or relevant principle is not present and functioning or the components are not operating together in an integrated manner, a major deficiency exists

• A system of internal control is not effective whenever a “major deficiency” (or material weakness) exists based on the use of the appropriate criteria


Update requires use of applicable criteria for assessing severity of internal control deficiencies

Identify

• Identify internal control deficiencies using the IC Framework

Select Criteria

• Consider whether an external standard exists relevant to the category of objectives/sub-objectives being assessed - e.g., SEC definitions of material weakness and significant deficiency for external financial reporting

• Determine whether to use the classification criteria set out in the updated IC Framework or the other external standard

Assess severity

• Assess severity using the applicable classification criteria selected above, but not both

• Conclude on severity and report as necessary


COSO provided guidance for transitioning system of internal control to updated IC Framework

• COSO encourages thoughtful consideration of the updated Framework, then transition of applications and related documentation as soon as feasible

• COSO decided to supersede the original IC Framework at the end of the transition period (i.e., December 15, 2014)

- External financial reporting objectives - SEC registrants should be prepared to issue certifications on ICFR based on the updated IC Framework beginning December 31, 2014

- Other suitable objectives - Board of directors and senior management may identify other applications to apply internal control

• COSO recommends users and stakeholders should monitor any regulatory announcements relating to the transition to the updated IC Framework

• For external reporting objectives COSO recommends disclosure of whether the original or updated IC Framework is used during the transition period


Transition & Recommended Actions

• Step #1 – Read COSO’s updated IC Framework (and illustrative documents) and communicate and educate the Board of Directors, C-Suite, operating unit and functional managers

• Step #2 – Conduct a preliminary assessment of what is covered and missing by mapping the principles to existing controls

• Step #3 – Complete a comprehensive assessment and take action to implement necessary changes in controls and related documentation

• Step #4 – Develop and execute transition plan timely, ensuring necessary changes are implemented in time to achieve your objective(s)

• Ongoing - Consider opportunities to (i) apply internal control to additional operational, reporting and compliance objectives, (ii) optimize the design of controls to mitigate risk to acceptable level, and (iii) converge processes and controls within the five components that support multiple, overlapping objectives


For instance, SOX 404 external financial reporting requirement…

[Figure: timeline from 05/18/13 to 12/31/14, marked by quarter across 2013 and 2014]

• Step 1: Educate and Communicate

• Step 2: Conduct Preliminary Assessment

• Step 3: Conduct Comprehensive Assessment; Develop Transition Plan and Take Action

• Step 4: Execute Transition Plan (timely)


Consider necessary actions - Key stakeholders and users, continued

Stakeholders and Users: Internal Audit

Key Actions:

• Consider impacts to existing IA processes, programs, evaluations, and reports

• Discuss impact of the updated IC Framework on IA’s operations and plans with key stakeholders

• Proactively work with management to create and manage the transition plan(s) to the updated IC Framework

• Assist management with mapping of 17 principles and points of focus to existing controls

• Assist management in identifying and assessing “gaps” in design or related documentation

• Communicate any internal control deficiencies including major deficiencies or material weaknesses and significant deficiencies, based on applicable classification criteria for the reporting objective


Consider necessary actions - Key stakeholders and users

Stakeholders and Users: Board of Directors & Audit Committee

Key Actions:

• Gain a high level understanding of the updated Framework (e.g., Executive Summary)

• Understand management’s assessment of the implications and opportunities, needed changes, and transition plan for applying the updated IC Framework

• Understand management's assessment of any significant deficiencies and determination of necessary actions for applying the updated IC Framework

• Seek input from external auditors about management’s assessment and transition plan and impact on the audit

Stakeholders and Users: Risk, Compliance & Other Policy Setting Groups (e.g., CRO, CCO)

Key Actions:

• Perform an assessment of the impact on the entity’s policies, guidance, training, and analytic tools

• Work with management to communicate the impact on the organization to the Board of directors and Audit Committee


Consider necessary actions - Key stakeholders and users

Stakeholders and Users

Key Actions

Senior Management (e.g., CFO, Corporate Controller, Functional VPs)

• Assess how the entity’s system of internal control applies the seventeen principles associated with its five components of internal control

• Where the entity has applied the original IC Framework, management will need to first identify and assess any implications of applying the updated IC Framework to the entity’s current system of internal control

• Review transition plans (e.g., approach, actions, milestones, activities, resources, timeline) for targeted sub-units

• Discuss with the board of directors its plan to adopt the updated IC Framework

• Communicate with external auditors

Line Management (e.g., Divisional Controllers, Functional Managers)

• Map the 17 principles (using relevant points of focus) to existing controls

• Identify and assess any “gaps” in design or related documentation (by principle and location) with those responsible for internal control

• Develop remediation plans to address gaps in design or related documentation for targeted sub-units

Working with the auditors

• Existing auditing standards relating to an annual audit of an entity’s financial statements require:

– The external auditor to express an opinion on the effectiveness of a U.S. public company’s internal control over financial reporting (PCAOB AS 5)

– The external auditor to obtain an understanding of other entities’ internal control, evaluate the design, and determine whether controls have been implemented. Testing operating effectiveness is at the auditor’s discretion. (AICPA AU 315-c)

• Accordingly, the external auditor will need to understand how your organization demonstrates the principles are present and functioning and components operate together.

• For US registrants, the external auditor will need to assess and gain comfort with your updated system of internal control over financial reporting and updated SOX compliance program prior to the transition date

• Auditing standard setting bodies (e.g., PCAOB, ASB) will need to consider whether to update respective attestation standards and guidance

Publications Overview

• Executive Summary (10 pages)

• Provides a high-level overview and is intended for board of directors, chief executive officer and other senior management.

• Framework (146 pages) and Appendices (46 pages)

• Sets out the updated framework.

• Assists management, board of directors, external stakeholders, and others in their respective duties regarding the entity’s system of internal control.

• The Appendices provide additional reference material, including a glossary of key terminology and a discussion of roles and responsibilities.

• Illustrative Tools & Templates

• Provides tools that may be useful in applying the updated framework.

• Internal Controls Over Financial Reporting Compendium

• Includes relevant approaches and examples of how organizations can apply the principles set forth in the updated framework as it relates to external reporting.

Getting COSO’s publications

The updated framework and related Illustrative documents are available in 3 layouts

1. E-book – This layout is ideally suited for those wanting access in electronic format for tablet use. An e-book reader from the AICPA is required to view this layout. Printing is restricted in this layout.

- Purchase through www.cpa2biz.com

2. Paper-bound – This layout is ideally suited for those wanting a hard copy.

- Purchase through www.cpa2biz.com

3. PDF – This layout is ideally suited for organizations interested in licensing multiple copies.

- Contact the AICPA at [email protected]

Thank you!!!

© 2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

The contents of this document are purely for educational and awareness purposes of the audience, and do not represent or imply PwC’s views on the COSO IC Framework updates nor PwC’s audit methodology related to areas impacted by the COSO IC Framework updates.

PwC contacts

Geoffrey Woodbury, Director

214-754-5480

[email protected]

Nicole Rodriguez, Manager

214-754-7284

[email protected]