
Introduction to Coso 2013 - Corporate Compliance Seminars

DESCRIPTION

This short presentation provides an overview of the COSO 2013 and important information concerning the upgrading of Internal Control Frameworks.

Page 1: Introduction to Coso 2013 - Corporate Compliance Seminars

Property of Corporate Compliance Seminars

www.compliance.seminars.com

David S. Marshall, MBA, CISA, CFE, CFS

Ph: 708-205-2366 / [email protected]

John C. Blackshire, Jr., CPA

Ph: 479-200-4373/ [email protected]

COSO 2013

Overview of the Framework

A Practical Implementation of the COSO Update for Management and Auditors

Corporate Compliance Seminars

Page 2: Introduction to Coso 2013 - Corporate Compliance Seminars

http://www.compliance-seminars.com

Corporate Compliance Seminars provides educational seminars and consulting services to businesses of all sizes.

Our mission is to promote the awareness of internal controls, regulatory compliance, corporate governance, IT security, and fraud prevention and detection to improve business profitability.

Each faculty member has over 20 years of work experience within the subject matter.

Corporate Compliance Seminars has been presenting practical, informative and entertaining seminars since 2004.

We are a proud sponsor of NASBA.

Page 3: Introduction to Coso 2013 - Corporate Compliance Seminars

Problems

• Foreign Corrupt Practices Act of 1977 - Violations

• Real estate boom; inflation; high interest rates; Savings and Loan deregulation

• Business Failures: Penn Square Bank, Continental Bank; Crazy Eddie’s Electronics

• S & L Crisis: Over 700 failures - many from fraud; overvalued real estate; lack of internal controls; lending out far more money than was prudent

Solutions

1985: National Commission on Fraudulent Financial Reporting

aka “Treadway Commission”

Mission: “To identify causal factors that can lead to fraudulent financial reporting.”

1999: Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees

Page 4: Introduction to Coso 2013 - Corporate Compliance Seminars

1985 - Committee of Sponsoring Organizations (COSO) of the Treadway Commission was formed

“COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.”

Page 5: Introduction to Coso 2013 - Corporate Compliance Seminars

The term internal control over financial reporting is defined as a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

• Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;

• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and

• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.” (Rule 13a-15(f))

Page 6: Introduction to Coso 2013 - Corporate Compliance Seminars

“A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding achievement of objectives in the following categories:

• Effectiveness and efficiency of operations,

• Reliability of financial reporting, and

• Compliance with applicable laws and regulations.”

Components of Internal Control

Definition of Internal Control

Layers of Internal Control

Page 7: Introduction to Coso 2013 - Corporate Compliance Seminars

COSO - Board of Directors

COSO Advisory Council

AICPA, AAA, IIA, FEI, IMA

Regulatory Observers

Public Accounting Firms

Others (IFAC, GAVI Alliance, ISACA)

PwC - Contracted Author

Stakeholders

Over 700 stakeholders and users were surveyed and others submitted comments during the draft review period

Douglas F. Prawitt, AAA

Charles Landes, AICPA

Marie N. Hollein, FEI

Sandra Richtermeyer, IMA

Richard F. Chambers, IIA

Robert B. Hirth, Jr., Chairman

Page 8: Introduction to Coso 2013 - Corporate Compliance Seminars

Why update the “Internal Control – Integrated Framework”?

• Address significant changes to business environment and associated risks

• Codify criteria to use in development and assessment of systems of internal control

• Increase focus on operations, compliance and non-financial reporting objectives.

Page 9: Introduction to Coso 2013 - Corporate Compliance Seminars

A changing business environment... Drives updates to the Framework...

Expectations for governance oversight

Globalization of markets and operations

Changes in business models

Demands and complexity of rules, regulations and standards

Expectations for competencies and accountabilities

Use and reliance on evolving technology

Expectations for preventing and detecting fraud

Why Change?

Benefits…

- Improve governance

- Expand use beyond financial reporting

- Improve quality of risk assessment

- Strengthen anti-fraud efforts

- Adapt controls to changing business needs

- Greater applicability for various business models

Page 10: Introduction to Coso 2013 - Corporate Compliance Seminars

What did not change...

1. Definition of internal control

2. Five components of internal control

3. The fundamental criteria used to assess effectiveness of systems of internal control

4. Use of judgment in evaluating the effectiveness of systems of internal control

What changed...

1. Codification of principles with universal application for use in developing and evaluating the effectiveness of systems of internal control

2. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives

3. Increased focus on operations, compliance and non-financial reporting objectives based on user input

“The experienced reader will find much familiar in the updated Framework, which builds on what has proven effective in the original version.”

COSO Update created “Principles of Control” (PoCs) and “Points of Focus” (PoFs)

Page 11: Introduction to Coso 2013 - Corporate Compliance Seminars

Control Environment

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

Risk Assessment

6. Specifies relevant objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information

14. Communicates internally

15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies

Page 12: Introduction to Coso 2013 - Corporate Compliance Seminars

• “Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:

• Each component and each relevant principle is present and functioning

• The five components are operating together in an integrated manner”

• “Each principle is suitable to all entities…”

• “All principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology)”

• “Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies…”

• “A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives…”

Page 13: Introduction to Coso 2013 - Corporate Compliance Seminars

PoF Statements from COSO

• “Points of focus may not be suitable or relevant, and others may be identified”

• “Points of focus may facilitate designing, implementing, and conducting internal control”

• “There is no requirement to separately assess whether points of focus are in place”

Control Environment Principle of Control 1: “The organization demonstrates a commitment to integrity and ethical values.”

Points of Focus:

• Sets the Tone at the Top

• Establishes Standards of Conduct

• Evaluates Adherence to Standards of Conduct

• Addresses Deviations in a Timely Manner

Page 14: Introduction to Coso 2013 - Corporate Compliance Seminars

• “The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control.”

• “An organization’s selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity.”

• “A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles.”

• “However, understanding and considering how controls effect multiple principles can provide persuasive evidence supporting management’s assessment of whether components and relevant principles are present and functioning.”

Page 15: Introduction to Coso 2013 - Corporate Compliance Seminars

10. No statement of the problems with COSO 1992

9. Management by Objectives (MBO) based

8. COSO is not ERM – financial statement risks

7. No Study of the utility of the COSO Framework

6. No integration of other disciplines

Page 16: Introduction to Coso 2013 - Corporate Compliance Seminars

5. It is not a dynamic framework nor organization

4. No study of “What Went Wrong Post-SOX”

3. Linear control representation

2. “Concept of Culture”

1. Is COSO independent and objective?

Page 17: Introduction to Coso 2013 - Corporate Compliance Seminars

• “Users are encouraged to transition applications and related documentation to the updated Framework as soon as feasible”

• Due date is December 15, 2014, when the New Framework will supersede the current one

• The transition period starts now

• During the transition period, external reports (issued by management to regulators-SEC) should disclose whether the original or updated version of the Framework was used

• “Adopting the updated Framework will vary by organization…”

- Does your system of internal control need to address changes in operations – structure, products, services?

- Should your system of internal control be updated to address all 17 Principles?

- Should your system of internal control be updated to address all 79 Points of Focus?

Page 18: Introduction to Coso 2013 - Corporate Compliance Seminars

Five COSO Components: CE, RA, CA, I&C, MA

17 Principles Imbedded in the Components

Focus on the pervasive controls that set the overall tone of the organization and the key controls to prevent and detect material misstatements

The fundamental concepts associated with, and drawn directly from, the five components of the Framework

87 Points of Focus Imbedded in the Principles

Supporting each principle are “Points of Focus” to assist management in determining whether the associated principle is present and functioning

Page 19: Introduction to Coso 2013 - Corporate Compliance Seminars

• Understand the COSO updated Framework and its impact on your organization

• Communicate the Update to your Compliance team, internal auditors, executives, Board/Audit Committee, and operations management

• Assess and apply changes in controls and supporting documentation, and map to five COSO Components and applicable Principles of Control and Points of Focus

• Implement by December 31, 2014 for external reporting

Page 20: Introduction to Coso 2013 - Corporate Compliance Seminars

The principles-based approach provides flexibility in applying the Framework to multiple, overlapping objectives across the entity

• Easier to see what is covered and what is missing

• Focus on principles may reduce likelihood of considering something that’s irrelevant

Understanding the importance of specifying suitable objectives focuses on those risks and controls most important to achieving these objectives

Focus on areas of risk that exceed acceptance levels or need to be managed across the entity may reduce efforts spent mitigating risks in areas of lesser significance

Coordinating efforts for identifying and assessing risks across multiple, overlapping objectives may reduce the number of discrete risks assessed and mitigated

Improved Controls = Less Risk = Achieving Organization Objectives

Page 21: Introduction to Coso 2013 - Corporate Compliance Seminars

- This is an excerpt from our COSO Update seminars -

David S. Marshall, MBA, CISA, CFE, CFS

Corporate Compliance Seminars / Infotech Global

708-205-2366 / [email protected]

John C. Blackshire, Jr., CPA

Corporate Compliance Seminars / The AccountWare Group

479-200-4373 / [email protected]

www.compliance-seminars.com
