COSO Framework 2013 & SOX Compliance Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week August 19, 2013


Page 2

What’s Happened

• On May 14, 2013, after a little more than 20 years, the Committee of Sponsoring Organizations of the Treadway Commission (a/k/a COSO) revised its widely used 1992 framework to update it for the modern realities of how business is carried out two decades later, especially with respect to how technology is used in business.

• COSO specifically set its transition date and determined it will no longer make its earlier version available after December 15, 2014 to facilitate a transition.

Page 3

Call to Action

Each publicly traded company subject to SOX Section 404 compliance must gain senior management’s alignment & support, assess the impact of the Framework on existing SOX compliance activities and then complete a timely transition to the updated Framework no later than December 15, 2014.

Page 4

Background

• Authored by PwC under the direction of COSO

• Widely adopted by organizations around the world

• COSO developed the related illustrative documents to provide tools to assist companies in implementing or evaluating their system of internal control & offer specific approaches & examples as to how the Framework applies to external financial reporting.

Page 5

Drivers Behind COSO’s Refresh Project

• Result of a significant multi-year project

– 2 rounds of public exposure

• Lessons Learned from applying the original framework

– Included lengthy discussions of internal control concepts that are not institutional knowledge

– While the concepts behind the internal control principles were embedded in the original Framework, the principles themselves were “hidden” within the details

– Practitioners have used the Framework primarily for internal control over financial reporting yet the Framework encompasses 3 major categories of objectives, including operations, overall reporting, and compliance objectives

• Objective was to keep “COSO” relevant & streamline the original Framework

– Clarify the requirement of effective internal control

– Update the context for applying internal control to the many changes in business and operating environments

– Broaden its application by expanding the operations and reporting objectives

– Enhance usability

Page 6

Newly Released COSO Documents

Internal Control-Integrated Framework Executive Summary

Provides a high-level overview of the 2013 Framework & is intended for the CEO & other senior management, BODs and regulators.

Internal Control-Integrated Framework & Appendices

175 pages that define the Framework in detail. Defines internal control, underlying principles & direction for all levels of mgt.

Internal Control-Integrated Framework Illustrated Tools for Assessing Effectiveness of a System of Internal Control

Provides templates and scenarios to support mgt. in applying the Framework, specifically in terms of assessing effectiveness.

Internal Control over External Financial Reporting: A Compendium of Approaches & Examples

Provides practical approaches & examples illustrating how the components & principles in the Framework can be applied in preparing external financial statements. Intended to be used as a resource to research specific principles vs. being read cover to cover.

Page 7

Case for Transition

• COSO Board emphasized that the key concepts and principles defined in the original Framework remain fundamentally sound for designing, implementing, & maintaining systems of internal controls & assessing effectiveness

• Next slides review Fundamentals Retained

Page 8

Fundamentals Retained

• Report’s general organization structure & component chapter structure

• Formal definition of internal control “COSO Cube”

• 5 components that work together in an integrated manner

– Control environment

– Risk Assessment

– Control Activities

– Information & communication

– Monitoring Activities

Page 9

Fundamentals Retained – page 2

• Emphasis that internal control is a process effected by people that can only provide reasonable vs. absolute assurance and has inherent limitations

• Internal control is geared toward achieving specified objectives

• Internal control can be applied at the entity level or any of an entity’s units

• Concepts relating to cost-benefit analysis – Mgt needs to use judgment, but cost alone is not an acceptable reason to avoid implementing internal controls

• Discussion of appropriate documentation

• Relationship between the management process & internal control

• Importance of management’s judgment in designing, implementing, and conducting internal control, and assessing its effectiveness

Page 10

One Transition Approach

• Step 1: Develop Awareness, Expertise & Alignment

• Step 2: Conduct Preliminary Impact Assessment

• Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment

• Step 4: Develop and Execute COSO Transition Plan for SOX Compliance

• Step 5: Drive Continuous Improvement

Page 11

Step 1 – Develop Awareness, Expertise & Alignment

• Provide awareness to senior management to gain their support

• Initial audience – COSO/SOX subject matter experts in your company

• Obtain & review newly released publications (listed on prior slide)

• In addition to those, go to the COSO website (www.coso.org), which includes press releases and a “Frequently Asked Questions” document

Page 12

Step 1 – Other resources

• Webinars

• Articles

• External auditor

• Networking & building connections with peers at similar companies can benefit you & your teams.

Page 13

COSO Timeless Concepts

Updated “COSO Cube”

“Internal control is a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance”

Still provides for 3 categories of objectives:

Operations

Reporting

Compliance

Still provides 5 integrated components:

Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring Activities

Continues to allow a company to consider internal controls from an entity, division, operating unit or function like a shared service center/center of excellence

Page 14

Expanded Reporting Category

• Under objective categories, the reporting category was expanded to include not only external reporting but internal reporting and nonfinancial reporting objectives

• Explicitly permits use in these other reporting situations even though they aren’t directly relevant from a SOX perspective

Page 15

The most significant enhancement is the formulation of “17 Principles” of internal control which serve as the criteria for determining whether an entity’s internal control is “effective”

• 1992 Framework conceptually introduced 17 relevant principles associated with the 5 components of internal control

• They are essential in assessing that the 5 components are present & functioning

• These concepts are now explicitly articulated in the 17 principles

• COSO Board believes each principle adds value, is suitable to all entities & is presumed relevant

• Document the rationalization if a principle isn’t relevant

CONTROL ENVIRONMENT

1. Demonstrates commitment to integrity & ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority & responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

RISK ASSESSMENT

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

CONTROL ACTIVITIES

10. Selects & develops control activities

11. Selects & develops general controls over technology

12. Deploys through policies & procedure

INFORMATION & COMMUNICATIONS

13. Uses relevant information

14. Communicates internally

15. Communicates externally

MONITORING

16. Conducts ongoing and/or separate evaluations

17. Evaluates & communicates deficiencies

Page 16

Requirements of Effective Internal Control

• For management to conclude that its system of internal control is effective, all 5 components of internal control and all relevant principles must be present & functioning

• Being “present” implies a given component or principle exists within the design & implementation of an entity’s system of internal control

• “Functioning” implies the component or principle continues to exist in the operation & conduct of the internal control system

• Effective internal control also requires that all 5 components operate together in an integrated manner.

• Management can conclude that they operate together if each component is present and functioning and the aggregation of internal control deficiencies across the components doesn’t result in one or more major deficiencies

Page 17

Internal Control Deficiencies

• A major deficiency exists if an internal control deficiency, or a combination thereof, severely reduces the likelihood of an entity achieving its objectives

• If mgt. used its professional judgment to determine that a control objective isn’t being met because a relevant principle or associated component isn’t present & functioning, or the 5 components aren’t operating together, the entity has a major deficiency

• While the 2013 Framework defines the terms “deficiency” & “major deficiency”, mgt should use relevant criteria as established by standards-setting bodies, regulators and other relevant third parties for evaluating, classifying the severity of, and reporting deficiencies

Page 18

Points of Focus provided by 2013 Framework

• Provided to assist management in designing, implementing, and maintaining internal control & in assessing whether the 17 principles are present & functioning

• Represent important characteristics of the respective principles, either defined in the Framework or uniquely identified by management

• Enablers – not required – in order to have an effective system of internal control

Page 19

Step 2: Conduct Preliminary Impact Assessment

• Once the 2013 Framework is understood, you need to assess how transitioning to it will impact your company’s current SOX program

• The most significant factor may be how well management implemented the original one

• Map your existing system of internal control against the updated Framework

• This will help you determine the degree of work required to complete the transition

• Instead of mapping directly to the 5 components of internal control, first map to the 17 principles that underlie each of the 5 components

• Develop a list of gaps to remediate

Page 20

Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment

• Steps 1 & 2 targeted the company’s SOX compliance subject matter experts or core SOX compliance team

• Step 3 – engaging the broader organization to build awareness and to pressure-test the preliminary impact assessment conducted in Step 2

• Depending on the nature & complexity of your organization, SOX compliance efforts may occur centrally, or there may be multiple layers of assessment

– Example: each Business Unit or location may prepare its own local assessment

Page 21

Step 3 continued

• Either way, you should facilitate broad awareness of COSO’s updated Framework & the potential impact on your SOX compliance program

• Discuss the impact of COSO’s 2013 Framework on your SOX efforts with your company’s external auditors.

– In some cases, providing stakeholders a brief update, via email or in person, will be sufficient.

– In other cases, in-depth training & work sessions may be needed

Page 22

Step 3 continued

• Leverage key stakeholders, such as process/controls owners or business unit SOX leads, to pressure-test your preliminary impact assessment, especially in a more decentralized or highly complex environment

• Have those who are directly responsible for implementing your company’s SOX controls critique the preliminary mapping from Step 2 to ensure the analysis is complete & accurate

Page 23

Step 4 – Develop & Execute COSO Transition Plan for SOX Compliance

• Planning Phase – finalize your company’s updated SOX compliance:

– Methodology & approach

– Define project governance & decision rights

– Develop a detailed project plan with key milestones

– Identify and assign resources, and complete other necessary planning activities

• Set realistic plans & expectations

• Regardless of the current SOX compliance program, some effort in transition is required

Page 24

Step 4 – Phase 1 Documentation & Evaluation

• You may need to update the format and/or flow of your underlying documentation, aligning it to the new mapping created during Step 2.

• All 5 components of internal control and all relevant principles must be present and functioning

• Underlying documentation must support management in making such a conclusion

• This phase entails evaluating the design of the underlying controls & enhancing the design as needed

Page 25

Step 4 – Phase 2: Validation Testing & Gap Remediation

• Once you’re satisfied that your company’s controls around external financial reporting and disclosure are effective in their design, you need to perform SOX validation testing to ensure these controls have been implemented and are operating as expected.

• Remediate any action items or gaps if deficiencies are identified

Page 26

Step 4: Phase 3 External Review & Testing

• Prepare for the external auditor needing/wanting to assess & gain comfort with the updated SOX compliance program and supporting documentation.

Page 27

Step 5: Drive Continuous Improvement

• Adequate vs. best-in-class system of internal controls

• Stronger corporate governance should translate into stronger business results & increased shareholder value

Page 28

Step 5 continued

• Once the 2013 Framework transition is complete, challenge yourself to drive continuous improvement with these practices:

– Ensure there is appropriate tone at the top

– Embed internal control responsibility into the fabric of your company’s culture, business processes & procedures

– Improve control reporting & communication

– Enhance your enterprise risk management capability

– Tooling & Automation

Page 29

Call to Action

• Last reminder – Key Takeaway

• Those who currently use COSO’s 1992 Framework should complete their transition to the 2013 version no later than December 15, 2014, as the former version will be superseded

• While most companies expect few changes & a relatively smooth transition, you still need to work through it

• The onus is on “us” / those working in publicly traded companies subject to SOX Section 404 compliance to build awareness, assess the impact, and complete a timely transition

• The 5-step process is one approach that could support you and your team’s success

Page 30

COSO – COBIT Mapping

Page 31

Questions?

Contact Information:

Roxanne Halverson – [email protected]

678-366-7292
