
Coso 2013 - What You Need to Know!


DESCRIPTION

Originally a webcast given by Protiviti expert Jim DeLoach, this presentation focuses on key changes in the COSO 2013 framework, with its implications for SOX compliance. This presentation is also available on the FEI website at http://www.financialexecutives.org/eweb/upload/fei/events/replay/tc_131017/


Slide 1

2013: What YOU Need to Know

October 17, 2013 | 12:00 p.m. ET | 1 hour | 1 CPE credit

What YOU Need to Know

2013:

CONTROL ENVIRONMENT


Slide 2

Principles and Points of Focus: The New Framework 2013: What YOU Need to Know

Housekeeping

• If you experience technical difficulties, please:

− use the “Ask a Question” Tab or

− use the “Help” Tab or

− call 1.866.490.5412 or

− email [email protected]

• Experiencing difficulty hearing today's broadcast? Dial-in: (Toll Free) 877-445-9761 (Int’l) 201-689-8592 Passcode: 421488

• Use the “Download Tab” below to download a handout of today’s presentation.

• Use the “Ask a Question” Tab to ask questions at any time during the presentation. Questions will be addressed at the end of the presentation.

Slide 3

• Today’s webcast is worth one (1.0) CPE credit.

• To qualify for CPE, one must have registered via FEI’s website, as well as meet both duration and poll requirements and complete an online survey evaluation.

• In accordance with the standards for the National Registry of CPE Sponsors, CPE credit will be granted based on a 50-minute hour.

• You must answer at least 3 polling questions (during the webcast) to qualify for CPE credit.

• Qualifying participants will have access to the NASBA required survey, in FEI’s CPE Center, within 2-3 business days and the online certificate for CPE credit is available immediately upon completion of this survey.

• Additional information will be provided in a follow-up email after today’s webcast.

CPE Credit

Slide 4

About the Speaker

Jim DeLoach, Managing Director

With over 35 years of experience and as a member of Protiviti’s Solutions Leadership Team, Jim DeLoach assists organizations in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner. His focus is on managing risk and integrating risk with strategy setting, business planning with performance management.

DeLoach was one of 25 recipients of the “Consultant of the Year” award from Consulting Magazine in 2011. In 2012 and again in 2013, he was named to the National Association of Corporate Directors’ Directorship 100 list, recognizing him as one of the 100 most influential people in the boardroom community. DeLoach has authored several books, including Enterprise-wide Risk Management: Strategies for linking risk and opportunity, which was published by Financial Times in June 2000 and was the first book written on the subject of enterprise risk management. Widely quoted in the press, he has published numerous articles and thought papers over the last 15 years covering various aspects of governance, managing business risk and effective internal controls. He has served on the COSO Advisory Board for 10 years contributing to the development of several frameworks and projects. 

Slide 5

Why Focus on the Control Environment?

Key Changes in 2013 Framework – Control Environment

Key Principles

Interdependencies with Other Components

Implications to Sarbanes-Oxley Applications

Conclusion

Agenda 

Slide 6

“The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.”

Where It All Starts

Slide 7

• Company history and ethical values

• Industry considerations

• Management's philosophy and operating style

• Competence of the entity's people at all levels and the standards, processes, and structures that guide them

• Effectiveness of board oversight

Internal and External Factors Influence It…

Slide 8

• Is the foundation for all other components of internal control

• Sets the tone of an organization

• May help an organization be more resilient when facing pressures

Why Focus on the Control Environment?

 

Slide 9

• It’s often where the problems start

• The core of any business is its people and the environment in which they operate

• Without an effective control environment, it’s game over

Importance of the Control Environment 

Slide 10

(1) Pressure to meet unrealistic performance targets, particularly short-term results

(2) Unbalanced compensation structures that encourage excessive risk taking

(3) Passive boards that fail to exercise effective oversight

(4) Inadequate board communications

(5) Selective consideration of facts to fit management’s bias

(6) Lack of transparency into what matters

(7) Inability to manage conflicting objectives and metrics

(8) Board waiver of conflict of interests policy

(9) Poor escalation processes

(10) Management override of controls

The “Usual Suspects”: 10 Examples 

Slide 11

Polling Question 1

The control environment:

a. Consists of a set of standards, processes, and structures

b. Is the foundation for carrying out internal control across the organization

c. Sets the tone for the organization’s internal control

d. May help an organization be more resilient when facing external and internal pressures

e. All of the above

Slide 12

• Combines the SEVEN factors into FIVE underlying principles

• Provides in-depth account on what is involved in an effective control environment

• Explains interdependencies and linkages between components

• Covers implications of extended business models utilizing external parties

Key Changes in the 2013 Framework 

Slide 13

• Expands on the concepts of governance in an organization

• Clarifies the expectations of integrity and ethical values to reflect lessons learned and new developments

Key Changes in the 2013 Framework 

Slide 14

1. Commitment to integrity and ethical values

2. Independent board of directors exercising oversight of internal control

3. Structures, reporting lines, and appropriate authorities and responsibilities

4. Commitment to attract, develop, and retain competent individuals

5. Individuals held accountable for their internal control responsibilities

Key Principles Under Control Environment

 

Slide 15

Sets the Tone at the Top

Establishes Standards of Conduct

Evaluates Adherence to Standards of Conduct

Addresses Deviations in a Timely Manner

Commitment to Integrity and Ethical Values

 

Points of Focus

Slide 16

Sets the Tone at the Top

Evaluates Adherence to Standards of Conduct

Establishes Standards of Conduct

Addresses Deviations in a Timely Manner

Using the Points of Focus as Guidance…

 

Slide 17

• Set the tone from the top for day-to-day actions and decision making across the organization

• Consider legal, ethical, and other expectations in the conduct of business and financial reporting to establish expected standards of conduct

• Train new and existing employees on the entity’s standards of conduct

Principle 1: Suggested Approaches  

Slide 18

• Analyze issues and trends from hotlines and help lines made available within the organization that could indicate potential fraud occurrences

• Make explicit the consequences for deviations from standards of conduct at any level in the organization

• Establish, communicate and enforce standards of conduct throughout the organization

Principle 1: Suggested Approaches  

Slide 19

The senior management of a publicly traded company maintains and distributes the company’s code of business conduct and ethical standards to all employees and external parties acting on its behalf. It also provides for a supplier code of conduct to its vendors as part of its agreements, which provide for a basis of evaluation along with product/service delivery evaluation.

Source: COSO; Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Case in Point #1 

Slide 20

A not-for-profit organization conducts scheduled audits to determine whether employees are receiving and understanding the board approved standards of conduct when they are first hired and as part of ongoing communications. This helps to determine if there are any instances of non-compliance and to use those findings to assess and correct any deficiencies in the organization’s new-hire orientation, communications, training, and employee review processes.

Source: COSO; Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Case in Point #2 

Slide 21

Establishes Oversight Responsibilities

Applies Relevant Expertise

Operates Independently

Provides Oversight

Independent Board Exercises Oversight 

Points of Focus

Slide 22

Polling Question 2

Under the 2013 New Framework, the control environment consists of 7 important principles.

a. True

b. False

Slide 23

Polling Question 3

Under the 2013 New Framework, the points of focus provided for each principle are intended to provide helpful guidance but are not required to be evaluated separately.

a. True

b. False

Slide 24

The audit committee of an electricity transmission and distribution company meets, at least annually, in executive session to discuss its assessment of the risks of management override of internal control, including motivations, opportunities, and rationalizations for management override and how those activities might be concealed. It also collects information whenever any concerns are expressed about ethics or possible management override of internal controls. The process of questioning continues until resolution is reached.

Source: COSO; Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Case in Point 

Slide 25

Considers All Structures of the Entity

Establishes Reporting Lines

Defines, Assigns, and Limits Authorities / Responsibilities

Appropriate Structures, Reporting Lines, Authorities and Accountabilities

 

Points of Focus

Slide 26

Defines, Assigns, and Limits Authorities / Responsibilities:

• Board of Directors

• Senior Management

• Management

• Personnel

• Outsourced Service Providers

Third Point of Focus 

Points of Focus

Slide 27

• Management periodically considers the impact on the control environment and the importance of effectively segregating duties, as part of reviewing the assignment of authorities and responsibilities

• Job descriptions outlining financial reporting responsibilities are maintained and are updated as necessary when circumstances change

• Management provides sufficient direction to ensure that the appropriate employees recognize their responsibility for internal control and the importance of applying appropriate diligence / business judgment when they carry out their assigned job responsibilities

Principle 3: Suggested Approaches 

Slide 28

The senior management at a games software developer has recognized that the company’s recent significant growth is causing many of the roles and responsibilities of its management executives to be no longer relevant. In response, the senior managers have initiated a project to realign responsibilities among its leadership team. The goals are to adequately support financial reporting objectives, with clear lines of reporting supported by new written job descriptions.

Source: COSO; Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Case in Point 

Slide 29

Establishes Policies and Practices

Evaluates Competence and Addresses Shortcomings

Attracts, Develops and Retains Individuals

Plans and Prepares for Succession

Attract, Develop and Retain Competence

 

Points of Focus

Slide 30

• Management identifies the required skills and experience necessary to support the entity’s objectives

• Training needs are identified / delivered to targeted personnel

• Senior management evaluates the sufficiency and competency of the personnel involved in recording and reporting financial information and in designing and developing financial reporting systems

Principle 4: Suggested Approaches 

Slide 31

• The Board of Directors identifies essential roles for functioning of the business and, for those roles, management defines succession plans

• Management sets expectations that personnel raise issues or questions relating to the application of defined standards

• Performance evaluation processes and incentives are established to promote expected standards of behavior consistent with entity objectives

Principle 4: Suggested Approaches 

Slide 32

The bylaws of the board of a metal products company specify the responsibility of the audit committee of the board for reviewing the principal roles and responsibilities of key financial reporting senior management. To this end, the audit committee chair meets annually with the company’s human resources director, chief audit executive, and legal counsel to review the roles, responsibilities, and performance of the various company managers. The review focuses on aligning respective managerial responsibilities with the company’s organization chart.

Source: COSO; Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Case in Point 

Slide 33

Enforces Accountability Through Structures, Authorities and Responsibilities

Establishes Performance Measures, Incentives, and Rewards

Evaluates Performance Measures, Incentives, Rewards for Ongoing Relevance

Considers Excessive Pressures

Evaluates Performance and Rewards or Disciplines Individuals

Hold Individuals Accountable 

Points of Focus

Slide 34

• Senior management defines performance measures / rewards aligned with ethical values and inclusive of financial and non-financial measures

• The board of directors and management periodically evaluate appropriateness of performance measures

• Management designs objective employee evaluation and compensation systems that periodically provide individual rewards or disciplinary action

Principle 5: Suggested Approaches

Slide 35

• Communicating and reinforcing the accountability for responsible conduct of all personnel

• Policies that stress interactions with suppliers, customers, and other external parties reflect fair and honest dealings

• Anomalies in key performance indicators and internal analytical reviews of operational and financial information that could be a potential indicator of fraud or other misconduct are considered

Principle 5: Suggested Approaches

Slide 36

A forest products company structures its bonus plan to have 30% of the potential incentive award directly related to the demonstration of the company’s core values. Information items that the company values are specific comments on how management does or does not reflect values; these are captured through employee feedback.

Source: COSO; Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Case in Point #1 

Slide 37

Source: COSO; Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

A private company that researches, develops, produces, and markets medical scanning equipment encourages its employees to identify and submit suggestions for improving internal control, including internal control over financial reporting. Employees are rewarded in the form of company awards and/or cash bonuses for ideas that are used.

Case in Point #2 

Slide 38

• All components must operate together in an integrated manner

• Components are interdependent with a multitude of interrelationships and linkages among them

• Examples of components operating together:

− The organization establishes expected standards of conduct and sets performance incentives within the Control Environment that may impact the assessed level of fraud risk evaluated within Risk Assessment

− The communication of internal control deficiencies as part of Monitoring Activities requires a full understanding of the entity’s structures, reporting lines, authorities and responsibilities as set forth in the Control Environment

Interdependencies with Other Components

 

Slide 39

• For established companies, existing documentation must be converted to the principles-based approach

− For the Control Environment, the 7 factors under the original 1992 version can be organized easily under the 5 principles

• A separate ICEFR compendium may be useful to companies complying with Sarbanes-Oxley

− For newly public companies or IPO companies, the ICEFR Compendium provides useful guidance for getting started

− For established companies, use the ICEFR Compendium selectively or in situations involving changes in conditions and processes

Implications to Sarbanes-Oxley Applications

 

Slide 40

Polling Question 4

To support a conclusion that internal control is effective, all components must be present and functioning and operate together.

a. True

b. False

Slide 41

• The explicit listing of underlying principles increases the framework’s utility

• The control environment has a pervasive impact on the overall system of internal control

• A strong control environment positions organizations to respond and adapt to internal and external pressures 

• Organizational culture supports and is influenced by the control environment

In Conclusion

Slide 42

Slide 43

Thank you for your participation!

In 2-3 business days, a follow-up email will provide instructions on accessing your CPE credits.

Our series continues… COSO 2013 : What YOU Need to Know – Control Environment

Thursday, October 17 at 12:00 p.m. Eastern