Upload
wwwavivaspectrumcom
View
5.880
Download
2
Embed Size (px)
DESCRIPTION
2009 COSO guidance overview set of slides. At the end I have contact information but that is now outdated. You can reach me at [email protected] if you have questions.
Citation preview
2009 COSO Guidance & Impact
1
AgendaHow COSO’s 2009
Monitoring Guidance Impacts Smaller Co.
Leveraging 2009 Guidance to Cut Costs
Practical SOX Compliance Steps
Dealing with External Auditors
Key Remediation and Reporting Issues
2
Quick Overview of COSOCOSO was formed in 1985 Introduced a Framework for internal controls in 1992COSO is comprised by five professional associations: American Accounting Association AICPA (American Institute of Certified Public Accountants) FEI (Financial Executives International) IIA (The Institute of Internal Auditors) and IMA (Institute of Management Accountants)
3
The Face of COSO
Source: www.sechistorical.org
Charles C. Cox (far left); Bevis Longstreth (second from left); John S. R. Shad (second from right); James C. Treadway, Jr. (far right)
Mr. Treadway
Committee of Sponsoring Organizations of Treadway Commission (aka COSO)
4
COSO Guidance - Timeline
1987
Fraud
report
1987 - 1997 Fraud report
on public companies – Issued 1999
1997 – 2007
Fraud report
on public
companies –
Coming Soon
(June 2009)
Monitoring Guidance
Issued Feb. 2009
Guidance for
Smaller Public
Companies
Issued June
2006
Monitoring
Guidance on
Derivatives
Issued 1996
ERM FrameworkIssued 2004
20101985
Framework
Introduced in 1992
5
How to get COSO MaterialsFree download to executive summaries
(e.g. introduction or overview documents) of their guidance materials located at http://www.coso.org/guidance.htm
www.cpa2biz.com : site represents AICPA and COSO related products. Search terms such as Internal controls, or COSO etc.
6
2009 COSO Monitoring GuidanceIntroduction
Free DownloadIntended for CFO, CEO, BOD and AC members
Vol. 1 Guidance Overview
Intended for C-Level, BOD and AC Members, and Director of Internal
Audit
7
2009 COSO Monitoring GuidanceVol.II Application
Discusses How guidance ImpactsAnd Links to 1992 and 2006 COSO
Guidance materialsAudience: DIA, Internal Audit Staff
etc.
Vol. III ExamplesProvides templates to leverage Monitoring
Guidance TheoryAudience: DIA, Internal
Audit Staff etc.
8
Vol. #1 - Overview• Four Sections 1.Purpose of Guidance2.Nature & Purpose of
Monitoring3.A Model for Monitoring4.Summary Considerations
9
The Purpose of the GuidanceTwo Primary Objectives:
1. To help improve the effectiveness & efficiency of their internal control systems
2. To provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control process.
10
Application of GuidanceDesigned to meet all three
control objectives of COSO Framework
Due to SOX compliance Guidance has a primary focus on internal controls over financial reporting
11
Guidance Does Not: Change to COSO framework or its 2006 guidanceDictate risks or controls that organization must
considerMandate the exact monitoring procedures that
organizations must followIncrease the monitoring effort for organizations in
areas where monitoring is already effective orMandate a certain level or formality of monitoring
documentation, including the use of certain terms
12
Nature and Purpose of MonitoringCOSO Framework states that “monitoring
ensures that internal controls continues to operate effectively” by leveraging two related principles:1. Ongoing and/or separate evaluations enable
management to determine whether the other components of internal control continue to function over time.
2. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.
13
Linking the 2 Principles to 2006 COSO guidance
Principle #19: Ongoing & Separate Evaluations
Principle #20: Reporting Deficiencies
Source: 2006 COSO guidance, vol #3
14
Establishing a Model for Monitoring
Effective approach to monitoring involves:1. Establishing a
Foundation 2. Designing &
Executing Monitoring procedures
3. Assessing & Reporting
15
Establishing a Foundation
A tone at the top that stressesthe importance of monitoring
Effective organizational structure that considers the roles of management and the board in regard to monitoring, and places people with appropriate capabilities, objectivity, authority and resources in monitoring roles and
Baseline understanding of internal control effectiveness
16
Design & ExecutePrioritize Risks: Evaluate controls in areas of
meaningful riskID Controls: select appropriate controls for
evaluation from across any or all of COSO’s 5 components
ID information that will be persuasive in supporting conclusions about control effectiveness
Implement monitoring procedures: evaluate that information through a mix of ongoing monitoring and separate evaluations
17
Assessing and Reporting Results
Prioritize findingsProvide support at the
appropriate organization level for conclusions regarding the effectiveness of internal controls and
Follow up on corrective action: Facilitate prompt corrective actions and documentation as necessary
18
Assessing and Reporting Results* Prioritize & Communicate Results
ID and Prioritizing potential control deficiencies allows organizations to determine1. The levels to which the potential deficiencies
should be reported and2. Corrective action, if any, that should be taken
Factors influencing prioritization include:1. Likelihood that deficiency will materially affect
the achievement of organizational objective2. Effectiveness of compensating controls and3. Aggregating effect of multiple deficiencies
19
Assessing and Reporting Results *Reporting
Internally: Usually ELC (entity-level controls) are reported to senior management and the board
Externally: 1. Each Co. will have different requirements as
to the depth of reporting requirements (e.g. private co. vs. publicly traded).
2. Management should evaluate third parties which may require reporting documents (e.g. external auditors, regulators etc.).
20
Other Considerations in Reporting
Monitoring Controls Outsourced to Others1. For SOX SAS 70 reports and their evaluations
may be sufficient2. Management must evaluate both financial and
operational outsourced providers
21
Vol. II – Application Overview
22
Vol. II – Application“Quick Tip”
Concept and it’s application in Grey area
Tips on How to Read Vol.II: Grey areas are only suggestions. Application may vary Co. by Co.
23
Application of “Tone at the Top”
Management’s tone influences the way employees conduct and react to monitoring.
Examples of documenting the monitoring of “Tone at the Top” include:Communicating expectations to employees (via
employee manual, performance evaluation, sign-off on risk/control matrices, or other SOX related documents).
Taking action for control problems by documenting control failures and including remediation plan or compensating control for each gap.
Documentation of follow-up procedures for any control failures identified (via ____________ or ______________)
24Action Item: Update Performance Evaluations
Application of “Organizational Structure” Role of Management & the BOD
Senior Management evaluates the day-to-day control and monitoring activities (Evidenced in SOX or other related document sign-off)
BOD has an oversight role, in which they are responsible for Understanding risks to organizational objectives Controls that management has put in place to mitigate those risks How management monitors to help ensure that the internal system
continues to operate effectively NOTE: Evidence should be documented in the BOD/AC minutes Guidance offers four suggestions for the BOD to perform it’s
oversight responsibilities (1) Inquiries & Observation of management, (2) Internal audit function (if present) (3) Hired resources or specialists when necessary and (4) external auditors.
Characteristics of Evaluators
25Action Item: Principle #19 and #2 of COSO can leverage evidence of Monitoring Risks
Application of “Organizational Structure” (continued)
26
Characteristics of Evaluators Self-review: evaluation of one’s own work
Benefit: usually affords the 1st opportunity to ID control deficiencies
Peer Review: evaluation of co-worker’s or peer’s work Benefit: the individual is close to the control and maybe in the
best position to ID and correct control deficiencies Supervisory Review: evaluation of subordinate’s work
Benefit: same as above Peer Review Impartial Review: often includes internal audit function, people from
other departments or external parties Benefit: Most objective concerning results and can place more
reliance on the effectiveness of ICFR
Source: Vol.2: Figure 5, pg13
Baseline Understanding of Internal Control Effectiveness
COSO provides three primary reasons internal control systems fail due to:1. Not designed and implemented properly2. Designed & Implemented properly BUT environment
changes and control system DOESN’T change accordingly
3. Designed & Implemented properly BUT operation changes rendering the control as ineffective to mitigate control risks
Based upon the three primary reasons controls fail, COSO suggests a baseline allows management to have a starting point to address changes (i.e. process or control variances) in “real-time”
27
Monitoring Changes
COSO offers a high-level overview of an internal control change continuum as follows:
28
Change Continuum Definitions Control Baseline — Monitoring starts with a supported understanding of the
internal control system’s design and of whether controls have been implemented to accomplish the organization’s internal control objectives. As management gains experience with monitoring, its baseline understanding will expand based on the results of monitoring. Baseline is the starting point and a new control baseline established over time through monitoring.
Change Identification — The risk assessment component of internal control identifies changes in processes or risks and verifies that the design of underlying controls remains effective. Monitoring, through the use of ongoing and separate evaluations, should consider the risk assessment component’s ability to identify and address those changes .
Change Management — When changes in the operation of controls have occurred, or when needed changes in control design are identified, monitoring verifies that the internal control system manages the changes and establishes a new control baseline for the modified controls.
Control Revalidation/Update — When ongoing monitoring procedures use persuasive information, they can routinely revalidate the conclusion that controls are effective, thus maintaining a continuous control baseline. When ongoing monitoring uses less-persuasive information, or when the level of risk warrants, monitoring periodically revalidates control operation through separate evaluations using appropriately persuasive information.
29
Change Continuum Evidence
30
Risk/Control matrices
Narrative/Flowcharts ELC - Assessment
Change Continuum Evidence
31
Test Scripts with supporting documents
Sub-certifications on Controls
Change Continuum Evidence
32
Policy & Procedure for changes
Change Mgmt Form
Documentation Authorization with Changes (1)
(1) See Appendix B-Chg Mgmt Narrative Form
Vol. II Application of Design & Execute
33
Source: Vol.2 Figure 7 COSO 2009 Monitoring Guidance
Risk Assessment
34
•COSO’s monitoring guidance does not state to create a separate risk assessment just for monitoring•Prioritizing risks will allow management to decide on the type, timing and extent of monitoring of controls•Risk Factors to consider:
1. Nature of Operations2. Changes in Operations3. Environmental Factors4. Susceptibility to Theft or Fraud
COSO’s Risk Assessment Examples
35
Revenue Example without score detail and objective = Vol.2
Inventory Example with score detail without objective = Vol.3
36
ID Key Controls
37
• Key-Controls determination can occur at various levels within an organization (e.g. supervisor of a plant has different key monitoring controls than the CFO.
• Key-Control Analysis can be facilitated by considering factors that increase the risk that the internal control system will fail to properly manage or mitigate a given risk, these factors are:1. Complexity2. Judgment3. Manual vs. Automated4. Known Control Failures5. Competence/experience of personnel6. Risk of management override7. Likelihood of control failure detection
ID Persuasive Information
38
•Persuasive information is both suitable AND sufficient in the circumstances and give the evaluator reasonable, but not necessarily absolute, support for the conclusion regarding the continued effectiveness of the internal control system in a given risk area.•Suitable information MUST be relevant, reliable and timely.•Sufficiency is a measure of the quantity of information (i.e., whether the evaluator has enough suitable information)
ID Persuasive Information (Cont.)Relevance of Information
Direct vs. Indirect Information Information that directly confirms the operations of the control
is more relevant than indirectDirect: substantiates the operation of controls and obtained by:
1. Observing controls in operation2. Reperformance or 3. Otherwise evaluating their operation directly and can be
useful in both ongoing monitoring and separate evaluationsIndirect: is all other information that may indicate a change or
failure in the operation of controls such as:1. Operating statistics2. Key risk indicators3. Key performance indicators and4. Comparative industry metrics
39
ID Persuasive Information (Cont.)Reliability of Information
Reliable information: is accurate, verifiable and comes from an objective source. Accurate information: represents the degree to which
information can reasonably be expected to be free from error and/or to communicate results that reflect reality.
Verifiable: represents information that can be established, confirmed or substantiated as true.
Objectivity: is the degree to which the information source is unbiased when evaluated
40
ID Persuasive Information (Cont.)Sufficient Information
Management is required to maintain sufficient suitable information to support its conclusion on the effectiveness of internal controls.
SEC has provided smaller public companies with a general guideline dependent upon risks to determine the sufficient level of support.
41
SEC’s Guidance on Information
42
http://www.sec.gov/info/smallbus/404guide.pdf
AICPA new sampling rulesBetter understanding of how much is enough in Multi-Locations
43
•May 2008: AICPA issued new Sampling guidelines to align better with their risk based auditing standards (i.e. SAS 101 to SAS 112).•Management should consider multi-location issues as documented in this new guidance as PCAOB and SEC do not provide best practices on how to make sample selections on a risk-based approach for multi-locations.
Implementing Monitoring
44
COSO Provides in Vol.3 Example of Implementing Monitoring Processes for Inventory, which the template can be applied to any business cycle, including IT.
Can add columns for 1)Evidence to Collect2)Qty of Evidence (is it all stores and all months, if so what periods)
Assess & ReportPrioritize Findings by Risk
45
Risk Examples provided by Vol. 2, have one example of each type of Risk Rating Type (by Significance and Likelihood)
Vol. 2 – Applying Concepts of Monitoring Prioritized Risks
46
Extends the concept in prior slide, in how to prioritize monitoring efforts by rating as well (i.e. High, Med. Low)
IT Guidance to Help Prioritize Findings
47
2006 SOX IT Guidance helps users to assess the prioritization based upon risks
Site: www.isaca.org
Internal Reporting: protocol must be established. Typically includes senior management and the board.
External Reporting: a properly designed & executed monitoring program helps support external certifications or assertions because it provides persuasive information that internal control operated effectively at a point in time or during a particular period.
48
Reporting Results
COSO’s suggested documentation should include evidence of:Reporting items agrees to source scoping
documentsEvidence collected support that the control has
been adequately corrected/remediatedManagement approval of corrective action and
related evidence
49
Follow-up CorrectiveAction
Leveraging 2009 GuidanceLinking Monitoring Principles (i.e. Principal
#19 and 20) to actual business processes (i.e. Financial Statement Close Process, Inventory etc.) will reduce the number of key controls required to assess for SOX
Providing more detailed monitoring reports substantiates management’s evidence of reviewing key controls
Guidance provides management more information on how to leverage key controls for more than one type of risk
50
Practical Steps Using 2009 GuidanceStep 1: Entity-Level Control Assessment, use color coding
offered by 2006 COSO GuidanceStep2: Risk Assessment exercise should include IT to
prevent any miscommunication of prioritizing risks for the organization
Step 3: Evaluate Monitoring guidance issued 2009 by COSO, especially considering three top templates from the guidance:1. Quarterly and Annual Management Representations
(vol.3 – Appendix B)2. Enterprise Wide Risk Matrix (vol.3 – Appendix C)3. Prioritize Risk and Controls (vol.2 – pg. 51 to pg. 55)
51
Segregation of Duties (SOD)2009 Due to economy less staff and more
work allocated to others.Leveraging too smaller staff size may cause a
lack of SOD.2009 & 2006 COSO Guidance have stated
compensating controls are the critical factor to avoid a material weakness.
52
SOD Case Study
53
Dealing with External AuditorsEarly discussions about the guidance and
where you plan to leverage the guidancePlanning & Scoping: leverage guidance to lower
number key controls on entity-level assessmentRisk assessment process: may require technical
memo to provide to sox files and distributed to external auditors how guidance has revised and prioritized resources for sox assessment
Key Control ID: inform external auditors on where they may be able to leverage more monitoring controls
54
Key Remediation and Reporting IssuesMaterial weaknesses
IT General Controls: primarily related to change management.
Financial Close Process: primarily related to high risk areas dealing with accounting transactions, which are complex and/or involve significant judgment Tax issues Valuation Going Concern related issues (intangibles etc.)
55
Q & AMy Contact info:
Sonia Luna:Office: (213) 250-5700 x206
Cell: (323) 828-5862700 S. Flower St. #1100, Los Angeles, CA 90017
Email: [email protected]: www.sox-blog.com
Twitter: http://twitter.com/Sox_Solutions
56