COSO changes coming in 2014 – Integrated Framework Internal Control

COSO changes coming in 2014
An overview of COSO’s 2013 update to the
Internal Control – Integrated Framework
January 7, 2014
www.eidebai lly.com
Agenda
•
Overview of updated 2013 COSO Internal
Controls – Integrated Framework
•
Principles & Points of Focus supporting the Five
Components
•
Transitioning to the 2013 Framework
•
Other Considerations
www.eidebai lly.com
Overview of COSO IC-IF
Internal Control - Integrated Framework (ICIF)
Originally released in 1992
Updated in May 2013, including three companion documents
Authored by PwC under direction of COSO Board
Committee Of Sponsoring Organizations of the Treadway
Commission
www.eidebai lly.com
COSO 2013 update
Updated Internal Control – Integrated
Framework issued on May 14, 2013
Companion documents include:
•
Internal Control – Integrated
Framework Executive Summary
•
Illustrative Tools for Assessing
Effectiveness of a System of Internal
Controls
•
Internal Control over External
Financial Reporting: A Compendium
of Approaches and Examples
Transition Date: December 15, 2014
www.eidebai lly.com
2013 update: What’s new?
•
Expands operations and reporting
objectives
•
Codification of 17 principles
supporting the five components
•
Points of Focus to help identify and
evaluate 17 principles
•
Addresses increased relevance and
dependence on IT
•
Expands operations and reporting
objectives
•
Increased guidance on fraud risk
assessment and responses
•
Updated for changes in business and
operating environments
www.eidebai lly.com
2013 update: What’s the same?
•
Core definition of internal controls
•
Objectives: Operations, Reporting
& Compliance
•
Five components of internal
controls:
•
•
•
•
•
•
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
Role judgment plays in design,
implementation, operation and
assessment of internal controls
www.eidebai lly.com
17 Codified Principles
Control
Environm ent
Risk Assessm ent
Control Activities
Inform a tion &
Com m unica tion
M onitoring
1.Demonstrates commitment to integrity & ethical values
2.Exercises oversight responsibility
3.Establishes structure, authority and responsibility
4.Demonstrates commitment to competence
5.Enforces accountability
6.Specifies suitable objectives
7.Identifies and analyzes risk
8.Assesses fraud risk
9.Identifies and analyzes significant change
10.Selects and develops control activities
11.Selects and develops general controls over technology
12.Deploys through policies and procedures
13.Uses relevant information
14.Communicates internally
15.Communicates Externally
16.Conducts ongoing and or separate evaluations
17.Evaluates and communicates deficiencies
www.eidebai lly.com
Internal Control Objectives
Operations: “relate to the achievement of an entity’s basic mission and vision
operational . . . financial performance, productivity . . . and includes safeguarding
of assets against loss” (‘92 framework “effectiveness and efficiency of the entity's
operations, including performance and profitability goals and safeguarding
resources against loss”)
Reporting: “pertains to the preparation of reports for use by organizations and
stakeholders and may relate to financial and non-financial reporting . . . External
reporting objectives are driven primarily by regulations and/or standards established
by regulators and standard-setting bodies . . .” (‘92 framework was know as
Financial Reporting objective “preparation of reliable published financial
statements, including prevention of fraudulent public financial reporting”)
Compliance: “conduct activities, and often take specific actions, in accordance with
applicable laws and regulations . . . understanding which laws, rules and regulations
apply across the entity (‘92 framework “pertains to adherence to laws and
regulations to which the entity is subject”)
www.eidebai lly.com
Principles & Points of Focus: Control
Environment
“The control environment is the set of standards, processes, and structures that provide the basis for
carrying out internal control across the organization. The board of directors and senior management
establish the tone at the top regarding the importance of internal control including expected standards of
conduct. . . The control environment comprises the integrity and ethical values of the organization . . .
enabling the board of directors to carry out its oversight responsibilities . . . structure and assignment of
authority and responsibility . . . attracting, developing, and retaining competent individuals . . . rigor
around performance measures, incentives, and rewards to drive accountability for performance. The
resulting control environment has a pervasive impact on the overall system of internal control.”
1. Organization demonstrates a commitment to integrity and ethical values
Tone at the Top
Establishes Standards of Conduct
Evaluates adherence to Standards of Conduct
Addresses deviations in a timely manner.
2. The board of directors demonstrates independence from management and exercises
oversight of the development and performance of internal control
- Establishes oversight responsibilities
- Applies relevant expertise
- Operates independently
- Provides oversight for the system of internal control
www.eidebai lly.com
Principles & Points of Focus: Control
Environment Continued
3. Management establishes, with Board oversight, structures,
reporting lines, and appropriate authorities and
responsibilities in the pursuit of objectives
Considers all structures of the entity
Establishes reporting lines
Defines, assigns and limits authorities and responsibilities
4. The organization demonstrates a commitment to attract, develop, and
retain competent individuals in alignment with objectives
Establishes policies and practices
Evaluates competence and addresses shortcomings
Attracts, develops and retains individuals
Plans and prepares for succession
5. The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives
Enforces accountability through structures, authorities, and responsibilities
Establishes performance measures, incentives and rewards
Evaluates performance measures
www.eidebai lly.com
Principles & Points of Focus: Risk Assessment
“Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to
achieving the entity’s objectives, forming a basis for determining how risks should be managed.
Management considers possible changes in the external environment and within its own business
model that may impede its ability to achieve its objectives.”
6. The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives
Operations Objective:
- Reflects Management’s Choices
- Considers Tolerances for Risk
- Includes Operations and Financial Performance Goals
- Forms a Basis for Committing of Resources
Note: For Principal 6 related to Risk Assessment, there are different Points of Focus for each of
five specific objectives:
Operations Objectives
External Financial Reporting Objectives
External Non-Financial Reporting Objectives
Internal Reporting Objectives
Compliance Objectives
www.eidebai lly.com
Principles & Points of Focus: Risk Assessment
“Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to
achieving the entity’s objectives, forming a basis for determining how risks should be managed.
Management considers possible changes in the external environment and within its own business
model that may impede its ability to achieve its objectives.”
6. The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives
External Financial Reporting Objective:
- Complies with applicable accounting standards
- Considers Materiality
- Reflects entity activities
Note: For Principal 6 related to Risk Assessment, there are different Points of Focus for each of
five specific objectives:
Operations Objectives
External Financial Reporting Objectives
External Non-Financial Reporting Objectives
Internal Reporting Objectives
Compliance Objectives
www.eidebai lly.com
Principles & Points of Focus: Risk Assessment
Continued
7. The organization identifies risks to the achievement of its objectives across the
entity and analyzes risks as a basis for determining how the risks should be
managed
- Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
- Analyzes Internal and External Factors
- Involves Appropriate Levels of Management
- Estimates Significance of Risks Identified
- Determines How to Respond to Risks
8. The organization considers the potential for fraud in assessing risks to the
achievement of objectives
Considers Various Types of Fraud
Assesses Incentive and Pressures
Assesses Opportunities
Assesses Attitudes and Rationalizations
9. The organization identifies and assesses changes that could significantly impact
the system of internal control
Assesses Changes in the External Environment
Assesses Changes in the Business Model
Assesses Changes in Leadership
www.eidebai lly.com
Principles & Points of Focus: Control Activities
“Control activities are the actions established through policies and procedures that help ensure that
management’s directives to mitigate risks to the achievement of objectives are carried out. Control
activities are performed at all levels of the entity, at various stages within business processes, and
over the technology environment. They may . . . encompass a range . . . of activities . . . Where
segregation of duties is not practical, management selects and develops alternative control
activities.”
10. The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels
Integrates with Risk Assessment
Considers Entity-Specific Factors
Determines Relevant Business Processes
Evaluates a Mix of Control Activity Types
Considers at What Level Activities Are Applied
Addresses Segregation of Duties
www.eidebai lly.com
Principles & Points of Focus: Control Activities
Continued
11. The organization selects and develops general control activities over technology
to support the achievement of objectives
Determines Dependency between the Use of Technology in Business Processes and
Technology General Controls
Establishes Relevant Technology Infrastructure Control Activities
Establishes Relevant Security Management Process Control Activities
Establishes Relevant Technology Acquisition, Development, and Maintenance Process
Control Activities
12. The organization deploys control activities through policies that establish what
is expected and procedures that put policies into action
Establishes Policies and Procedures to Support Deployment of Management’s Directives
Establishes Responsibility and Accountability for Executing Policies and Procedures
Performs in a Timely Manner
Takes Corrective Action
Performs Using Competent Personnel
Reassesses Policies and Procedures
www.eidebai lly.com
Principles & Points of Focus: Information &
Communication
“Information is necessary for the entity to carry out internal control responsibilities to support the
achievement of its objectives. Management obtains or generates and uses relevant and quality
information from both internal and external sources to support the functioning of internal control.
Communication is the continual, iterative process of providing, sharing, and obtaining necessary
information. Internal communication is the means by which information is disseminated throughout
the organization, flowing up, down, and across the entity. It enables personnel to receive a clear
message from senior management that control responsibilities must be taken seriously. External
communication is twofold: it enables inbound communication of relevant external information and
provides information to external parties in response to requirements and expectations.
13. The organization obtains or generates and uses relevant, quality information to
support the functioning of internal control
Identifies Information Requirements
Captures Internal and External Sources of Data
Processes Relevant Data into Information
Maintains Quality throughout Processing
Considers Costs and Benefits
www.eidebai lly.com
Principles & Points of Focus: Information &
Communication Continued
14. The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of
internal control
Communicates Internal Control Information
Communicates with the Board of Directors
Provides Separate Communication Lines
Selects Relevant Method of Communication
15. The organization communicates with external parties regarding matters
affecting the functioning of internal control
- Communicates to External Parties
- Enables Inbound Communication
- Communicates with the Board of Directors
- Provides Separate Communication Lines
www.eidebai lly.com
Principles & Points of Focus: Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present
and functioning
Considers a Mix of Ongoing and Separate Evaluations
Considers Rate of Change
Establishes Baseline Understanding
Uses Knowledgeable Personnel
Integrates with Business Processes
Adjusts Scope and Frequency
Objectively Evaluates
17. The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action,
including senior management and the board of directors, as appropriate
Assesses Results
Communicates Deficiencies
Monitors Corrective Actions
www.eidebai lly.com
Transition to 2013 Framework
•
Transition to the 2013 Framework, 1992 Framework to be
superseded on December 15, 2014
•
COSO issued transition document “The 2013 Framework &
SOX Compliance – One Approach to An Effective Transition”
by Steven McNally, CPA
•
SEC implications in transitioning to the 2013 Framework
•
Developing a transition plan, documentation & other
considerations
www.eidebai lly.com
COSO Guidance on Transition
The 2013 COSO Framework & SOX Compliance – One
Approach to An Effective Transition
By Stephen McNally, CPA
Develop Awareness, Expertise and Alignment
Timeless concepts, Expanded reporting, Codified principles,
Conduct Preliminary Impact Assessment
Evaluate existing system, leverage existing documentation, identify gaps
Facilitate Broad Awareness
Engage broader organization, educate & build awareness, leverage key stakeholders
Develop & Execute Transition Plan for SOX Compliance
Documentation & evaluation, testing, gap remediation, external review & testing
Drive Continuous Improvement
Tone at the top, culture & processes, improve reporting & communication
www.eidebai lly.com
SEC Reporting Implications
-
I understand that COSO intends to supersede their 1992 Framework . . .we expect
there will be questions about whether the SEC will provide management with any
transition or implementation. . . SEC staff plans to monitor the transition for issuers
using the 1992 framework to evaluate whether and if any staff or Commission
actions become necessary or appropriate at some point in the future. . . I’ll simply
refer users of the COSO framework to the statements COSO has made about their
new framework and their thoughts about transition.
Paul Beswick
Chief Accountant, SEC
-
SEC definition of internal control over financial reporting has NOT
changed.
-
Material weakness (SEC/PCAOB) vs major deficiency (COSO)
-
Disclosures: framework used for assessment and plan for transition
www.eidebai lly.com
SEC Reporting implications continued
Regulation 13a-15(f) defines internal controls over financial
reporting as:
“A process . . . To provide reasonable assurance regarding the
reliability of financial reporting and the preparation of financial
statements for external reporting purposes in accordance with
GAAP . . .”
Policies and procedures must:
-
Maintain records in reasonable detail that accurately and fairly reflect the transactions and
dispositions of the assets of the issuer
-
Ensure receipts and expenditures of the issuer are made only in accordance with authorizations of
management and directors, and
-
Provide reasonable assurance regarding prevention of timely detection of the unauthorized
acquisition, use or disposition of the issuers assets that could have a material effect on the financial
statements.
www.eidebai lly.com
Transition plan
-
High level assessment and implications of adopting 2013
Framework ASAP
-
Determine the impact at the Entity, Division, Operating and
Functional levels across the organization
-
Identify key stakeholders and decision makers associated with the
organization Internal Controls (specifically over Financial
Reporting)
-
Leverage existing processes, procedures and documentation
-
Develop a transition plan:
Responsibilities and expectations
- Timeline
- Reporting and communication
- Opportunities and benefits
-
www.eidebai lly.com
Documentation
Documentation of the organizations system of
internal controls
Provides evidentiary support regarding design and
operating effectiveness
- Allows for ongoing monitoring and communication
- Basis for managements assessment
- Support for third parties (Shareholders, Regulators,
External Auditors)
-
-
Responsibility and accountability
Training and consistency
www.eidebai lly.com
Other Considerations
•
Organizational objectives related to risk, operations, controls,
and reporting
•
Use of third-party service provides and SaaS
•
Size and scope of entity, subsidiaries, foreign operations
•
Judgment regarding internal controls, specifically over
External Financial reporting
•
Costs and benefits of internal controls
•
Limitations of internal controls
www.eidebai lly.com
Companion documents
-
Executive Summary
-
Illustrative Tools for Assessing Effectiveness of a
System of Internal Controls
-
-
Templates & scenarios
Do not modify existing framework
Internal Controls over External Financial Reporting: A
Compendium of Approaches and Examples
-
Examples of how principles apply to External Financial
Reporting
-
Illustrate design and implementation for any size
entity
Demonstrate how Points of Focus support principles
-
www.eidebai lly.com
References & Links
COSO references & links
The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition
http://www.coso.org/documents/COSO%20McNallyTransition%20Article-Final%20COSO%20Version%20Proof_531-13.pdf
Executive Summary, 2013 Internal Control – Integrated Framework
http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf
The complete updated 2013 IC-IF compendium is available through the AICPA, Ebook member price $216
http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/InternalControls/COSO/PRDOVR~PC-990027/PC-990027.jsp
SEC references & links
Remarks at the 32nd Annual SEC and Financial Reporting Institute Conference
Paul Beswick, Chief Accountant, U.S. Securities and Exchange Commission
http://www.sec.gov/News/Speech/Detail/Speech/1365171575494
Jeff Lliteras, CPA
Consulting Services Manager
Eide Bailly LLP
877 W. Main Street, Suite 800
Boise, ID 83702
208.424.3528
jlliteras@eidebailly
www.eidebai lly.com