BUILDING TRUST IN <IR>: APPLYING THE COSO FRAMEWORK & UNDERSTANDING KEY RELATED ISSUES
IMA 2015 ANNUAL CONFERENCE, LOS ANGELES, CA, JUNE 23, 2015
BRAD MONTERIO, COLCOMGROUP, INC.
LIV WATSON, WORKIVA, INC.
AGENDA
• Context
• What we want
• What we have
• How we got here: COSO & related drivers/issues
• Pathway to the solution
CONTEXT
INTEGRATED REPORTING: A process founded on integrated thinking that results in a periodic integrated report by an organization about value creation over time and related communications regarding aspects of value creation.
INTEGRATED REPORT: An integrated report is a concise communication about how an organization’s strategy, governance, performance and prospects, in the context of its external environment, lead to the creation of value in the short, medium and long term.
INTEGRATED THINKING: Integrated thinking is the active consideration by an organization of the relationships between its operating/functional units and the capitals it uses or affects. It leads to integrated decision-making and actions that consider the creation of value over the short, medium and long term.
“Data must be accurate, reliable and timely for meaningful, trustworthy reporting. Equally robust internal controls and monitoring are essential for both financial and non-financial information in order for integrated thinking to be effective and integrated reporting to be trusted.”
– Liv Watson and Brad Monterio
WHAT WE WANT
TRUST – RELIABLE INFORMATION – MEANINGFUL PICTURE
WHAT BUILDS TRUST?
• Transparency
• Data with lineage
• Having access to information
• Timely information
• Complete/comprehensive information
• Relevant information
• Valid/accurate data
• Accurate/quality information
• Authentic information
• Robust internal controls
• Independent assurance
WHAT WE HAVE
WHAT WE HAVE: CRISIS OF TRUST
• Inaccurate, incomplete information
• Poor audit quality (PCAOB)
• Unclear oversight authority
• Patchwork quilt of frameworks and standards without clear leader
• Data definition problems
• Lack of good data governance
• Inconsistent information, formats, disclosures
• Lack of data connectivity and lineage
• Unclear materiality standard
• Lack of non-financial controls
• Inadequate monitoring
REALITY TODAY
• Differing views and perspectives – no complete picture
• Inconsistent approaches
• Lack of agreement
• Inaccurate
HOW WE GOT HERE: COSO & RELATED DRIVERS/ISSUES
THE NEED FOR MATERIAL INFORMATION
COSO & MATERIALITY
The materiality determination process for the purpose of preparing and presenting an integrated report involves:
• Identifying relevant matters based on their ability to affect value creation
• Evaluating the importance of relevant matters in terms of their known or potential effect on value creation
• Prioritizing the matters based on their relative importance
• Determining the information to disclose about material matters
COSO's Internal Controls are put in place based on the materiality (impact) of a risk on the organization and the perceived likelihood (probability) that the risk would be realized if nothing was done.
| FINANCIAL INFORMATION (LOWER RISK) | NON-FINANCIAL INFORMATION (HIGHER RISK) |
|---|---|
| Long history in corporate reporting | Short history in corporate reporting |
| Established, uniform reporting standards | Lack of uniform reporting standards |
| Established oversight bodies | Lack of clear oversight responsibility – patchwork of competing frameworks |
| Established quality control | Lack of strong quality control |
| Established internal controls and monitoring (e.g., COSO) | Internal controls and monitoring not well understood (e.g., no COSO yet) |
| Well understood systems and processes – highly automated | Mix of systems and processes to gather/store information – not highly automated; many manual processes |
| Heavily structured | – |
| Mature assurance standard | Immature assurance standard; often not assured |
| Solid, broad market acceptance and credibility – trusted | Narrow market acceptance – not well trusted |
Evidence Management
COSO OVERVIEW
Source: www.coso.org/governance.htm
COSO ERM
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
VOLUME OF DATA (example: Barclays 2014 reporting suite)
• Barclays PLC Annual Report 2014 (PDF – 4.92MB)
• Barclays Bank PLC Annual Report 2014 (PDF – 4.53MB)
• Barclays PLC Strategic Report 2014 (PDF – 2.27MB)
• Barclays PLC Pillar 3 Disclosures 2014 (PDF – 1.31MB)
• Barclays PLC Pillar 3 Disclosures – Terms and Conditions of Capital Resources 2014 (PDF – 0.4MB)
• Barclays PLC Form 20-F 2014 (PDF – 7.28MB)
• Barclays PLC Citizenship Data Supplement 2014 (PDF – 1.63MB)
• Glossary (PDF – 0.17MB)
COSO COMPONENT & PRINCIPLE (EXAMPLE): Control Environment – Principle 1: Demonstrates commitment to integrity and ethical values
Objectives:
Demonstrate ethical values of the organization by ensuring the integrity of the integrated reporting process, the report(s) and the culture of integrated thinking and incorporating into the company ‘story.’
Develop, nurture and maintain an ethical, collaborative culture of integrated thinking by consistent actions and commitment to these values at all levels of the organization.
Integrate non-financial key performance indicators (KPIs) exemplifying ethical values and integrity into internal and external reporting.
All persons at all levels must be held accountable for deviations from these core expectations in order for these to become a part of the organizational integrated-thinking culture.
Example of Measures and Controls:
• Written and communicated organization’s commitment towards collaborative, integrated thinking and <IR> and their importance in value creation.
• Define and communicate the ethical/integrity expectations of all employees via a Code of Conduct, Employee Handbook, policies and procedures.
• Integrate non-financial key performance indicators (KPIs) exemplifying ethical values and integrity into internal and external reporting.
• Include narrative and illustrative examples about ethical commitment of employees in the integrated report.
COSO COMPONENT & PRINCIPLE (EXAMPLE): Risk Assessment – Principle 6: Specifies suitable objectives
Objectives:
Set ‘tone at the top’ - board of directors’ and/or executive management sets both financial and non-financial objectives to link strategy to business model and value creation.
Specify clearly defined non-financial objectives in order to facilitate identification of material risks.
Define reporting boundary, identify risks, opportunities and outcomes attributable to or associated with stakeholders that impact the ability of the organization to create value. Define the concept of the reporting boundary based on principles of risk and materiality.
Example of Measures and Controls:
• Documentation and identification of material, non-financial issues – good and bad – that is supported by a robust materiality assessment (e.g., through a materiality matrix) that measures impact on strategy and business objectives.
• Definition of concise, material non-financial objectives that are actionable and have measurable targets and timelines.
• Documented materiality assessment process
• Documented materiality assessment results using a comprehensive set of non-financial measures (both negative and positive) along the entire value chain that analyzes impact on business objectives.
• Engagement of and communication mechanism with external stakeholders in the process to identify issues and potential risks.
COSO COMPONENT & PRINCIPLE (EXAMPLE): Control Activities – Principle 10: Selects and develops control and monitoring activities
Objectives:
Define control and monitoring activities that help to mitigate risks related to non-financial and financial reporting around processes, systems, and data.
Ensure reliability, accuracy and utility of non-financial and financial information through robust internal control and monitoring systems, effective stakeholder engagement feedback mechanisms, internal audit or similar functions, and independent/external assurance.
Example of Measures and Controls:
• Documented data governance policies, controls and monitoring activities for non-financial and financial information covering data creation, access, collection, transfer and consolidation processes for <IR>.
• Assumptions and information sources are documented and managed with defined controls and monitoring processes to reduce risk of material misstatement to an acceptable level.
• Data governance policies communicated to all employees.
• Processes around non-financial and financial information segregated to mitigate risk of errors.
COSO COMPONENT & PRINCIPLE (EXAMPLE): Information and Communication – Principle 13: Uses relevant information
Objectives:
Establish connectivity between financial and non-financial information to meet internal control and monitoring requirements and enhance overall reliability/quality of the integrated report for providers of capital and other stakeholders.
Define the level of internal controls required to ensure delivery of relevant, comparable information to providers of capital and other stakeholders.
Include and define financial and non-financial information material to providers of capital and other stakeholders.
Produce an integrated report that is logically structured, well presented, written in clear, understandable and jargon-free language, and includes effective navigation devices, such as clearly delineated (i.e., linked) sections and cross-referencing.
Example of Measures and Controls:
• Documentation of strategy, business model and flow of capitals throughout as inputs/outputs and linked to the value creation story.
• Description of stakeholder engagement mechanisms and processes along with summary of feedback to determine material information.
• Established communication mechanisms to share relevant, comparable disclosures with stakeholders (internal and external) in usable, reliable formats and on a timely basis.
• Non-financial and financial KPIs are reported and reviewed on a regular basis in accordance with a defined materiality assessment process.
COSO COMPONENT & PRINCIPLE (EXAMPLE): Monitoring Activities – Principle 16: Conducts ongoing and/or separate evaluations
Objectives:
Non-financial/financial reporting and controlling processes are monitored on a regular basis to identify improvement opportunities.
Financial and non-financial reporting and controlling processes align with generally accepted external market best practices, frameworks and/or standards (e.g., US GAAP, IFRS, <IR>, COSO).
The integrated report is independently verified and assured by an external third party.
Example of Measures and Controls:
• Controls and monitoring around integrated reporting are regularly reviewed and assessed for effectiveness and updated as needed.
• Continuous monitoring and analysis of the external environment in the context of the organization’s mission/vision identifies risks and opportunities relevant to its strategy, capitals, business model, impacts and ability to create value.
• Independent assurance (i.e., from external auditors) provided for financial and non-financial information in the integrated report according to generally accepted assurance standards.
ASSURANCE & <IR>
The integrated assurance role can be achieved via different types of engagements, such as:
• Assurance on the “due process” of an integrated report
• A focus on governance, risk management and control processes supporting the main objectives of integrated thinking and reporting
• Independent assurance on the reliability of the facts and figures included in the report
• Assurance on the existence of an integrated thinking culture within the organization
In the 2012 inspection year (reported in the 2013 inspection report), of the 849 separate audits performed by the Big 4 that were inspected by the PCAOB, over 300 were found to have deficiencies.
Compliance Week 2014 Audit Committee Report
“...Overall, 39% of audits inspected in the latest evaluations of the Big Four firms were found to have deficiencies, compared with 37% the previous year.”
– WSJ, October 23, 2014
Of the specific issues noted by the PCAOB in its inspections of one of the Big 4 firms, deficiencies related to internal controls (ICFR) were the most commonly cited issue over the last 3 years.
Compliance Week 2014 Audit Committee Report
AUDIT QUALITY & <IR>
PATHWAY TO THE SOLUTION
ROLE OF MGT ACCOUNTANTS
YOUR ROLE AS A MGT. ACCOUNTANT
1. Contribute to the collaborative, integrated thinking culture and “tone at the top”
2. Establish guidance on shared rules facilitating consistency and comparability
3. Establish a proper “governance structure” that defines the roles within your team
4. Establish a broad view of all the capitals needed and available for value creation
5. Anticipate internal/external reporting requirements and establish data governance policy and collection processes
6. Define and document internal control functions across the enterprise
7. Establish policies and engagement strategies with providers of capital and other stakeholders
8. Work with internal audit to clarify the expectations regarding internal audit activities by establishing: (1) functions that own and manage risk, (2) functions that oversee risk, and (3) functions that provide independent, integrated assurance
9. Establish and review controls (including continuous monitoring)
10. Establish benchmarks against other organizations within/outside your industry
Few corporations are voluntarily going to disclose the actual facts about their environmental and social impacts when they can selectively 'dress up' generalized information and trends as indicators of Integrated Reporting “performance.”
The most valuable and significant non-financial information is under their control - they will want to hold it under 'lock and key' until legally required to disclose it.
SOME CHALLENGES YOU MAY ENCOUNTER…
Brad Monterio, Managing Director, Colcomgroup, Inc.; Board Member, [email protected]
Liv Watson, Director, Strategic Customer Initiatives; Founder of [email protected]