COSO's NEW 2013 Framework & Third Party Analysis Compliance Made Simple ©

IIA Los Angeles Luncheon Third Party Assessments

Description: Learn how the new 2013 COSO framework has changed and how the changes affect the way you assess third-party providers.

Page 1: IIA Los Angeles Luncheon Third Party Assessments

COSO's NEW 2013 Framework & Third Party Analysis

Compliance Made Simple ©

Page 2

Agenda

• Why did it change?
• What is actually changing?
• Areas of the new framework that affect third-party vendors

Page 3

Key influences behind the updated framework

Social media and its impact on business processes, relationships and growth strategies were not foreseen factors. Fact: 92% of all companies use social media tools to recruit, according to the 2012 Jobvite Social Recruiting survey.

Page 4

Cloud Computing - Adoption

Cloud adoption continued to rise in 2013, with 75% of those surveyed reporting the use of some sort of cloud platform, up from 67% the year before.(a)

(a) 2013 third annual Future of Cloud Computing Survey

Page 5

How We See the Framework Changes

1992 COSO – "Good"

2004 ERM and 2006 Small COSO – "Better" (2006 guidance: 20 principles, 76 attributes)

2013 COSO – "BEST" (?? principles, ?? attributes)

Page 6

How We See the Framework Changes

1992 COSO – "Good"

2004 ERM and 2006 Small COSO – "Better" (2006 guidance: 20 principles, 76 attributes)

2013 COSO – "BEST" (17 principles, 87 attributes)

Page 7

Grouping "Better to BEST"

Page 8

Grouping from "Better to BEST" (Cont.)

Page 9

Page 10

What has COSO provided?

• Executive Summary — a high-level overview

• Framework and Appendices — the new framework's seventeen principles, illustrating many approaches

• Illustrative Tools for Assessing a System of Internal Control (Tools) — illustrative templates

• Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples — this publication is aimed at SOX

Page 11

COSO Monitoring Guidance

Vol. #3 does a better job of explaining how to evaluate third-party providers, and it ties to the new 2013 COSO Framework.

Page 12

Implementation – what does COSO say?

• COSO's press release of March 20, 2013: "it will continue to make available the original framework during the transition period extending to December 15, 2014, after which time COSO will consider it as having been superseded."

• "continued use of the original framework during the transition period (May 14, 2013 to December 15, 2014) is appropriate. During that period, the Board believes that application of its Internal Control-Integrated Framework that involves external reporting should clearly disclose whether the original or 2013 version was utilized."

Source: www.coso.org

Page 13

Implementation – what does the SEC say?

• Remarks at the 32nd Annual SEC and Financial Reporting Institute Conference by Paul Beswick, Chief Accountant, Office of the Chief Accountant, U.S. Securities and Exchange Commission:

"SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. However, at this time, I'll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition."

Source- www.SEC.gov

Page 14

Polling question

Who is implementing the new framework in 2014?

Page 15

Page 16

What "holds" a principle up?

(Diagram: a Principle, held up by its "Points of Focus")

Page 17

Looking at Third-Party Service Providers and the New COSO

Example from Vol. #3, "Illustrative Tools for Assessing Effectiveness of a System of Internal Control"

Company background:
1. Private company
2. $200 million in annual revenue in the western US
3. Board is comprised of family members and a number of business professionals with significant experience
4. Internal Audit Director with over 15 years of experience

Page 18

CE – Quick Review (Principle #3)

Principle 3: Establishes Structure, Authority, and Responsibility — Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Points of focus: 3

Page 19

Points of Focus – Quick Review

Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.

Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.

Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization:

– Board of Directors — Retains authority over significant decisions and reviews management's assignments and limitations of authorities and responsibilities

– Senior Management — Establishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities

– Management — Guides and facilitates the execution of senior management directives within the entity and its subunits

– Personnel — Understands the entity's standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives

– Outsourced Service Providers — Adhere to management's definition of the scope of authority and responsibility for all non-employees engaged

Page 20

Fast Forward: What did they find?

Page 76: "CE 3-1: Management has defined and the board of directors has signed off on the company's structures, reporting lines and authorities and responsibilities. However the business model has since evolved to encompass business partners, outsourced service providers, and new product lines, such that new or different oversight and control structures are needed. Internal control weaknesses relating to this new dimension of the business could therefore be missed and cause the company to fall short of meeting its internal financial reporting objectives."

Page 21

So how bad is this? (Polling)

MW/SD (material weakness / significant deficiency) – Moderate

CD (control deficiency) – Low

Page 22

Answer – Vol. #3, page 76: "This IC deficiency is important, but does not rise to the level of a major deficiency. Currently the business structure changes affect a relatively small portion of the entity."

Page 23

What would be helpful?

Page 24

IT Assessments

COSO wants more "benchmarking" based on its 2012 cloud computing guidance (pages 8 to 16, for the expert auditor to read).

Control Environment – Principle #3 (attributes 1 & 3) (page 34 of the ICEFR Compendium)

Control Activities (pages 85–86 of the ICEFR Compendium)

Page 25

Cloud Computing and the COSO Framework

Despite the security concerns, only 29% of organizations report conducting a heavy review of their cloud service provider's security policies, procedures and capabilities.

Source: CompTIA’s IT Industry Outlook 2012 Survey

Page 26

Example of Risk Assessment and Third Parties

• RA 9-1: Some operations personnel do not possess the necessary skills to identify the risks associated with the new technology.

SO HOW BAD IS THIS?

Page 27

Answer (Vol. #3, page 96)

• CD – a compensating control was linked to management's annual risk assessment process.

Page 28

New cloud responsibilities for the board and C-level, per COSO

Impact on the AICPA Audit Committee Toolkit (Tool #19, "Enterprise Risk Management: A Tool for Strategic Oversight")

Page 29

Third-Party Control Language

Good vs. Bad Control Language

Older language ("Bad"):

Quarterly, the CFO reviews the valuation analysis provided by ABC Firm, in which the CFO determines if there is an impairment on Goodwill, and signs and dates the "Valuation Report" verifying his review process.

Updated control ("Better"):

Quarterly, the CFO provides ABC Firm the quarter-end "unadjusted trial balance" (which typically does not contain tax provision amounts) and the forecasted revenue line items by geographical location and product line, submitted via email to the ABC partner and senior manager. Questions to confirm understanding of the assumptions behind the forecasted revenue items are submitted via email, and corrections/adjustments to the forecast are made by the CFO and resubmitted to ABC Firm. ABC Firm prepares the valuation report and assists management in determining whether adjustments to Goodwill are required. Both the valuation report and any adjustments (e.g., journal entries) are signed and dated by the CFO.

Page 30

So what happens in testing?

BEFORE: Review initials – DONE!

AFTER (layered testing, public company):

#1 – Initials

#2 – Key reports review (completeness/accuracy)

#3 – Analysis (recomputed assumptions, interviews with the third party, and/or validation of the summary)

Page 31

Third-Party Control Language

Good vs. Bad Control Language

Older language ("Bad"):

Annually, the CFO reviews the SOC reports provided by the payroll service provider, checks the report for an adverse opinion and, if there is none, creates a memo documenting his steps to analyze the conclusion and the end-user responsibilities, to ensure the organization has met those requirements.

Updated control ("Better"):

Annually, the CFO reviews the SOC reports (Type 1, Type 2, etc.) from ADP and creates a memo documenting his review procedures, which include: a) opinion/conclusion review; b) end-user assessment; c) failures noted in the report and the risk response management has determined for each failure.

Page 32

COSO Health Check – On Your Own

Free tool for evaluating the 87 attributes: go to www.AvivaSpectrum.com/Blog

Included:
1) Introduction
2) Overall Assessment
3) Components (167 rows of data)
4) Principles with Attributes (386 rows of data)
5) Deficiencies

Page 33

Quick Glance

Page 34

Page 35

Page 36

Page 37

1. Must abide by internal policies and procedures (P&P)/memo
2. IT – different from financial controls
3. Evaluation tools based on standards (IIA publications such as GAIT, or other publications; state the source)

Page 38

Implementation Resources

Join the COSO 2013 LinkedIn group for FREE templates and advice, and learn from others implementing this new framework.

COSO 2013 Implementation: http://www.linkedin.com/groups/2013-COSO-Implementation-4888186/about

Page 39

Contact Information

Sonia Luna, President & CEO
Sonia.Luna@AvivaSpectrum.com

700 S. Flower Street #1100, Los Angeles, CA 90017
P: (213) 250-5700