Communication Interpretation SOX 2016

SOX 2016 - PART I - COSO 2013



Sources: Public Company Accounting Oversight Board, www.pcaobus.org, Securities and Exchange Commission, www.sec.gov, Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org and American Institute of Certified Public Accountants, aicpa.org.


PCAOB release No. 2015-003 provided a graph reflecting an increase of deficiencies in audits of ICFR, from 15% in 2010 to 39% in 2013. On 8.8.15, at the American Accounting Association Annual Meeting, the PCAOB stated that “…ICFR audit deficiencies continue to be the most frequent inspection findings…” and PCAOB Release No. 2015-007 observations included common Part I findings related to risk assessment deficiencies as follows:

“In a firm inspection report, a Part I Finding is an auditing deficiency identified by Inspections staff that is of

such significance that it appeared to the Inspections staff that a firm, at the time it issued its report, had not

obtained sufficient appropriate audit evidence to support (1) its opinion that the financial statements were

presented fairly, in all material respects, in accordance with the applicable financial reporting framework

and/or (2) its opinion about whether the issuer had maintained, in all material respects, effective internal

control over financial reporting (“ICFR”). In other words, in these audits, the auditor issued an opinion

without satisfying its fundamental obligation to obtain reasonable assurance about whether the financial

statements were free of material misstatement and/or the issuer maintained effective ICFR.”

PCAOB news releases (10.1.15) highlight three general areas of concern: ICFR, assessing and responding to risks of material misstatement, and accounting estimates, including fair value measurements. Economic factors cited include the high pace of mergers and acquisitions, the search for higher-yielding investment returns in a low interest rate environment and industry effects from oil price fluctuations.

The underlying business question is one of judgment and cost:

• Has your management team provided value by implementing and maintaining transparent and comprehensive documentation and controls that auditors, regulators and other stakeholders can independently follow?

• Do you have an independent Internal Audit Department (“IAD”) with open lines of communication to management and the Audit Committee?

• Is there a transparent organizational structure to reflect financial reporting and the related control environment?

• Is IAD or external audit independence limited by incentives to maintain relationships over objective reporting?

• Does IAD provide value by providing transparent audit programs and workpapers, and do they pose relevant questions to external auditors in order to provide efficient and effective audits?

• Are internal and external auditors comfortable making probing inquiries to executive management?

The 2013 revision of the recommended COSO framework provides an opportunity to re-think improvements to existing control structure or to implement a more robust environment.


This document has three parts. It is not intended to cover every risk and control, but to be sufficient to illuminate and give examples of internal control (“IC”).

Part I reflects an interpretation of controls for the COSO 2013 requirements, incorporating the 17 principles within the five components of internal control, applied to a personal experience.

Part II highlights audit responsibilities.

Part III offers observations and further examples of the communication breakdowns that public entities and auditors struggle with in identifying and managing Internal Control over Financial Reporting (“ICFR”).

Simplified, ICFR is the responsibility of management. External consultants or the IAD manage the framework in order to independently report gaps, remediation and deficiencies for management certifications, as part of Board and Audit Committee oversight and on behalf of stakeholders. External auditors are responsible for assessing the design and operating effectiveness of ICFR on behalf of stakeholders.

Comments and discussions are a welcome part of progress through open communication.

PART I – COSO 2013: 17 Principles within 5 COSO components

On 7.1.15, I cycled alone from Vancouver, BC to the Mexican border in 21 days. It’s not the first time, nor am I the first person to accomplish this endeavor. In the same vein, the 2013 COSO framework enhanced or clarified the 1992 framework in order to address the current and increasingly complex, global, technology-driven business environments. ICFR is not new and yet communication and documentation remains a challenge.

The same control can apply to more than one principle and component, which is more clearly represented in a matrix summarizing the framework. Please accept the caveat that this journey is a simplified metaphor through which to apply the COSO 2013 framework to corporate governance and ICFR.

Effective internal control applies all seventeen principles within the five components. You will see that an understanding of audit requirements is linked to a robust ICFR framework.


CONTROL ENVIRONMENT (1):

1. Commitment to integrity and ethical values.

Control 1.1 - Policies and procedures are documented with transparent controls addressing end-to-end processing of entity operations, in sufficient detail to be independently verified. This includes corporate governance (including implementation and modification of stock option plans and salary and bonus arrangements) as well as IT general and application controls. The CFO and CEO (or others responsible for the Section 302 certifications filed with each quarterly and annual report and for the annual Section 404 assessment) sign off on policies and procedures and control matrices (and any modifications to reflect current operations) that clearly and comprehensively summarize ICFR.

Control 1.2 – Code of Conduct, Code of Ethics (including Whistleblower Policy, independent of management) is presented to all employees and contractors to read and sign before access is provided to entity records.

Control 1.3 – IAD has unrestricted read-only access to all IT applications and business unit /function servers, including financial statement chart of accounts.

2. Board independence and oversight over management development and execution of internal control.

Control 2.1 - Policies and procedures are documented with evidence of process owners and subsequent Board approval, and evidence of regular, dated, review for any modifications to reflect current operations.

Control 2.2 – IAD documents an annual internal audit plan, with evidence of Board approval.

Control 2.3 - Board reviews audit programs and audit reports with management response and maintains documented queries to and responses from management and IAD on the results.

Control 2.4 - Board member background and expertise is documented, including affiliations and relationships or transactions with the entity, and includes a sufficient number of independent members.

Control 2.5 – Audit Committee and Board members have sufficient independence that necessary and often probing questions are raised, as documented in meeting minutes and other documented correspondence that is retained.

Control 2.6 - The Audit Committee includes at least one financial expert and operates under a charter that outlines their duties and responsibilities and includes adequate resources and authority to discharge such responsibilities.


3. Management establishes structure, reporting lines and appropriate authorities and responsibilities in pursuing objectives.

Control 3.1 - Organizational charts are distributed and updated regularly to reflect current operations and clear reporting lines that assist with segregation of duties. Charts are reviewed on a regular basis with signature and date to evidence Board approval.

Control 3.2 - Authorization Matrix, comprehensive of entity operations, is documented and distributed with evidence of Board approval and reviewed on a regular basis.

4. Organization commitment to attract, develop and retain competent individuals.

Control 4.1 - Entity maintains an HR department or employs a firm that specializes in screening for professional designations and vouching of employment history. Standards and procedures are in place for hiring, training, motivating, evaluating, promoting, compensating, transferring and terminating personnel that are applicable to all functional areas. Key employees and related salary and bonus compensation are approved in Board meetings and evidenced in Board minutes.

Control 4.2 – Structured, documented independent reviews are made on a regular basis, including opportunities for upward performance appraisals and independent exit interviews.

5. Organization accountability for internal control responsibilities.

Control 5.1 - Entity obtains regular employee verification of their awareness and responsibility for internal controls with sufficient transparency for their responsibilities in-line with policies, procedures, organizational charts and authorization matrices.

Control 5.2 – IAD has unrestricted read-only access to all IT applications and business unit /function folders, including financial statement chart of accounts.

Control 5.3 – Identified deficiencies are remediated in a timely manner, and related documentation is updated and approval signatories are notified and evidence of their response obtained for such updates.

Control 5.4 – Transparent documentation and open lines of communication between internal and external auditors and management to address significant matters relating to internal control and accounting issues is documented in regular meeting minutes of Audit Committee and monthly updates.


RISK ASSESSMENT (2):

6. Objectives are transparent in order to identify and assess risks relating to each objective.

OPERATIONAL OBJECTIVE: Complete a solo bike journey in consecutive riding days, following Highways 1 and 101, from the Canadian border to the Mexican border.

Risk 1 – Road conditions, weather, wildlife, traffic and health are all significant risks that controls can mitigate, but not remove completely.

Stung in the throat and eye by bees and wasps - watch out for the Oregon coast!

Control 6.1.1 – Ensure phone /tablet has a full charge each morning, for emergencies and directions.

Control 6.1.2 – Maintain spare tubes, air pump, chain connector, patch kit, weapon, cleansing wipes, sunscreen and water bottles and account for inventory levels against a checklist each morning.

...until I encountered a growling cougar, I was a typical Canadian - no weapon

Control 6.1.3 – Assess distance and route for isolated areas to plan for daily nutrition and water stops. Use maps to plan for alternate bike routes when possible.

Control 6.1.4 – Road and weather conditions cannot be altered, but modifying pace and riding schedule to avoid lightning or extreme heat can keep you on track and maintain health.

That bee sting… got infected and antibiotics caused severe sunburn… imagine wearing arm and leg warmers in last summer’s heat wave!

Risk 2 – Bike and gear condition and malfunction and lodging availability are controllable risks.

Control 6.2.1 – Gear is washed, accounted for and laid out each evening and repacked (and secured to the bike or water-proofed) each morning, reviewing for low inventory levels or worn parts (e.g. spare tubes, worn cleats or nutrition) so that purchases can be sourced and planned for in good time.

Control 6.2.2 – Bike is wiped down each night and tire pressure is checked each morning.

Control 6.2.3 – Plan and book accommodation the night before to preserve assets (bike and cyclist).

At a remote bike shop in Bend, OR I left my tire levers on the counter – no levers on a Sunday when my tire went flat…


REPORTING OBJECTIVE: Document the journey to raise awareness and funding in three main disciplines (intentionally vague for proprietary ventures), including road share.

Risk 3 – Cyclist could take a ferry, accept a ride or take a bus when inclement weather, fatigue or timely completion issues arise, or could disappear without evidence of location or work product.

Control 6.3.1 – Garmin GPS is turned on for the duration of the ride and a heart rate monitor (“HRM”) is worn; distance, speed, cadence, heart rate and maps are uploaded to the web for independent review.

Control 6.3.2 – Original receipts are retained for all purchases (picture for credit card purchases).

Control 6.3.3 – Cyclist calls in/emails daily status updates and documents key components in daily journal.

COMPLIANCE OBJECTIVE: Comply with US GAAP for reporting and with (road) rules and regulations in order to complete the journey, without aid or assistance that would compromise completion within the calendar month.

Risk 4 – Current GAAP and other regulatory reporting requirements are not being met.

Control 6.4.1 – Management maintains memberships, regularly attends professional development (CPE) and reads publications with respect to accounting pronouncements and industry developments.

Control 6.4.2 – see principle 6 - control 6.3.1.

Control 6.4.3 – Cyclist acknowledges road rules and regulations by state, and signs a disclaimer acknowledging the personal safety risk and the judgment required in highway and road conditions, and adherence to the use of safety lights, bells, reflectors and hand signals on the roads.

7. Risks are identified and assessed.

Control 7.1 - see principle 1 - control 1.1 and principle 2 - control 2.1.

8. Fraud is considered in assessing risks.

Control 8.1 - see principle 3 – controls 3.1 and 3.2.

Control 8.2 – On at least an annual basis, fraud risk discussions are documented.

9. Identification and assessment of changes that could significantly impact the system of internal control.

Control 9.1 - see principle 6 - control 6.4.1.


CONTROL ACTIVITIES (3):

10. Development of general control activities that contribute to the mitigation of risks.

Control 10.1 – Management maintains narrative documentation for all processes that are in scope based on the risk assessment (this could be incorporated with policies and procedures). These processes are then summarized in an Excel matrix that clearly maps each risk to the controls that mitigate it. The matrix further identifies the key controls for accurate and timely financial reporting and for fraud, and records for each control the COSO 2013 component and principle it supports, the financial statement assertions (“FSA”) it addresses, the control type (preventive, detective or compensating), its frequency, and whether it is a manual or an automated (IT) control.
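The matrix described above, together with the point made in the introduction to Part I that one control can serve several principles (this document's own cross-references, such as Control 7.1 and Control 12.1 both pointing back to Control 1.1, are exactly that mapping), can be checked mechanically before the auditor does it by hand. The following is an added example, not code from the original paper: a Python completeness check over a small constructed matrix. The field names, the sample rows, the assertion vocabulary and the coverage rules are assumptions; the control numbers and the control-to-principle mapping follow this paper's cross-references.

```python
"""Added example, not from the original paper: a completeness check over a
risk-and-control matrix of the shape described in Control 10.1.
Field names, sample rows, the assertion vocabulary and the coverage rules
are assumptions; the control-to-principle mapping follows the paper's
cross-references (e.g. Control 7.1 and 12.1 both point back to Control 1.1)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# The 17 COSO 2013 principles grouped into the 5 components.
COMPONENTS = {
    1: range(1, 6),    # control environment
    2: range(6, 10),   # risk assessment
    3: range(10, 13),  # control activities
    4: range(13, 16),  # information and communication
    5: range(16, 18),  # monitoring activities
}
COMPONENT_OF = {p: c for c, ps in COMPONENTS.items() for p in ps}
CONTROL_TYPES = {"prevent", "detect", "compensating"}
# Assumed assertion vocabulary; adjust to the entity's own FSA list.
ASSERTIONS = {"existence", "completeness", "valuation", "rights", "presentation"}


@dataclass(frozen=True)
class ControlRow:
    risk_id: str
    control_id: str
    key: bool                   # key control for financial reporting or fraud
    principles: FrozenSet[int]  # one control may serve several principles
    assertions: FrozenSet[str]  # financial statement assertions addressed
    control_type: str
    frequency: str
    automated: bool


def validate(rows: List[ControlRow]) -> Dict[str, list]:
    """Returns the gaps an auditor would ask about first."""
    findings: Dict[str, list] = defaultdict(list)
    by_risk: Dict[str, List[ControlRow]] = defaultdict(list)
    covered = set()
    for r in rows:
        by_risk[r.risk_id].append(r)
        covered.update(r.principles)
        if r.control_type not in CONTROL_TYPES:
            findings["invalid_control_type"].append(r.control_id)
        if not r.assertions <= ASSERTIONS:
            findings["unknown_assertion"].append(r.control_id)
        if not r.principles:
            findings["unmapped_control"].append(r.control_id)
    # Every in-scope risk needs at least one key control behind it.
    for risk_id, controls in by_risk.items():
        if not any(c.key for c in controls):
            findings["risk_without_key_control"].append(risk_id)
    # Effective internal control requires all 17 principles to be present.
    missing = sorted(set(COMPONENT_OF) - covered)
    findings["uncovered_principles"] = missing
    findings["uncovered_components"] = sorted({COMPONENT_OF[p] for p in missing})
    return dict(findings)


# Constructed sample rows using control numbers from this paper.
SAMPLE_ROWS = [
    ControlRow("R-CLOSE", "13.1", True, frozenset({13}), frozenset({"completeness", "presentation"}), "detect", "quarterly", False),
    ControlRow("R-CLOSE", "1.1", True, frozenset({1, 7, 12}), frozenset({"completeness"}), "prevent", "annual", False),
    ControlRow("R-ACCESS", "11.3", True, frozenset({11}), frozenset({"existence"}), "prevent", "continuous", True),
    ControlRow("R-ACCESS", "11.2", False, frozenset({11}), frozenset({"existence"}), "detect", "annual", False),
    ControlRow("R-ACCESS", "11.1", False, frozenset({11}), frozenset({"existence"}), "preventive", "annual", False),  # mistyped type
    ControlRow("R-DISBURSE", "12.3", False, frozenset({12}), frozenset({"existence", "valuation"}), "prevent", "per transaction", False),
]

if __name__ == "__main__":
    for finding, items in validate(SAMPLE_ROWS).items():
        print(f"{finding}: {items}")
```

On the sample rows the check reports that R-DISBURSE has no key control, that "11.1" carries a control type outside the agreed vocabulary, and which of the 17 principles the matrix does not yet touch; a matrix that is actually complete returns an empty uncovered_principles list, which is the condition the introduction to Part I states in words.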

11. Development of general IT controls.

Control 11.1 – Access to IT hardware, servers, routers and networking components is restricted to key personnel, with access rights approved by the Board.

Control 11.2 – Access rights to accounting applications are granted on the basis of business need; restricted-use roles and the reports used to monitor their use are assigned and monitored by the super user, with sign-off by the Board and Audit Committee on at least an annual basis. Because the super user both assigns rights and monitors their use, the super user’s own activity should be reviewed by someone independent of that role, consistent with the segregation of duties in Control 3.1.

Control 11.3 – User access (network, server and remote access) is authenticated with a unique username and password, with automatic logout after a period of inactivity and a limit on failed password attempts. Password changes are required on a regular basis as driven by the super user (note that current NIST SP 800-63B guidance favours screening passwords against known-compromised lists and changing them on evidence of compromise rather than on a fixed schedule). Users sign a confidentiality agreement on at least a quarterly basis to acknowledge their responsibility to protect their password and the confidential nature of the critical and sensitive records they are able to view, modify and change.
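The account controls above (unique credentials, limited password attempts, automatic logout, periodic password change) are easier to test, and to evidence, when they are expressed as a policy applied to login and activity events. The following is an added example, not code from the original paper: a small Python policy engine replayed over a constructed event log. The thresholds (5 attempts, 30-minute lockout, 15-minute idle logout, 90-day password age), the usernames and the events are all assumptions.

```python
"""Added example, not from the original paper: a policy engine for the
account controls in Control 11.3 (unique user, limited password attempts,
automatic logout after inactivity, periodic password change).
Thresholds, usernames and the event log are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy parameters; the paper gives no numbers.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT = timedelta(minutes=30)
IDLE_LOGOUT = timedelta(minutes=15)
PASSWORD_MAX_AGE = timedelta(days=90)


@dataclass
class Account:
    username: str
    password_set: datetime          # when the current password was set
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    session_open: bool = False


class AuthPolicy:
    """Applies the policy to login and activity events and keeps an audit trail."""

    def __init__(self, accounts: List[Account]):
        self.accounts: Dict[str, Account] = {a.username: a for a in accounts}
        self.audit: List[tuple] = []   # (timestamp, user, outcome) for periodic review

    def _record(self, ts: datetime, user: str, outcome: str) -> str:
        self.audit.append((ts.isoformat(), user, outcome))
        return outcome

    def login(self, ts: datetime, username: str, password_ok: bool) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            # The audit record distinguishes this case; the message shown to the
            # caller should not, so that valid usernames are not confirmed.
            return self._record(ts, username, "denied: unknown user")
        if acct.locked_until is not None and ts < acct.locked_until:
            return self._record(ts, username, "denied: locked")
        if not password_ok:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = ts + LOCKOUT
                acct.failed_attempts = 0
                return self._record(ts, username, "denied: lockout triggered")
            return self._record(ts, username, "denied: bad password")
        acct.failed_attempts = 0
        if ts - acct.password_set > PASSWORD_MAX_AGE:      # periodic change as the paper states it
            return self._record(ts, username, "denied: password expired")
        acct.session_open = True
        acct.last_activity = ts
        return self._record(ts, username, "allowed")

    def activity(self, ts: datetime, username: str) -> str:
        acct = self.accounts[username]
        if not acct.session_open:
            return self._record(ts, username, "denied: no session")
        if ts - acct.last_activity > IDLE_LOGOUT:
            acct.session_open = False
            return self._record(ts, username, "denied: idle logout")
        acct.last_activity = ts
        return self._record(ts, username, "allowed")


def run_sample() -> List[str]:
    """Replays a constructed event log and returns the outcome of each event."""
    policy = AuthPolicy([
        Account("alice", password_set=datetime(2016, 1, 4)),
        Account("bob", password_set=datetime(2015, 6, 1)),   # older than 90 days
    ])
    base = datetime(2016, 3, 1, 9, 0)
    events = [
        # five bad passwords in five minutes: the fifth trips the lockout (until 09:34)
        *[("login", base + timedelta(minutes=i), "alice", False) for i in range(5)],
        ("login", base + timedelta(minutes=5), "alice", True),      # correct, but locked
        ("login", base + timedelta(minutes=40), "alice", True),     # lock has expired
        ("activity", base + timedelta(minutes=50), "alice", None),  # 10 min idle: ok
        ("activity", base + timedelta(minutes=70), "alice", None),  # 20 min idle: logged out
        ("activity", base + timedelta(minutes=71), "alice", None),  # no session any more
        ("login", base + timedelta(minutes=75), "bob", True),       # stale password
        ("login", base + timedelta(minutes=76), "mallory", True),   # not provisioned
    ]
    outcomes = []
    for kind, ts, user, ok in events:
        outcomes.append(policy.login(ts, user, ok) if kind == "login" else policy.activity(ts, user))
    return outcomes


if __name__ == "__main__":
    for outcome in run_sample():
        print(outcome)
```

Every decision lands in policy.audit with a timestamp, which is the evidence the super user’s review under Control 11.2 and the external auditor would ask to see; the sample replay exercises each branch once (lockout, lock still in force, lock expired, idle logout, expired password, unknown user).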

12. Development of general control activities through policies and procedures.

Control 12.1 – see principle 1 - control 1.1.

Control 12.2 – Original documentation is obtained and maintained for all processes. Scanned or stored electronic data must be sufficiently legible, and all process owners are responsible for ensuring the transparency of records.

Control 12.3 – Documentation used for funds disbursements must clearly reflect a unique record with the business name and address and the date and list of goods and services and the total funds paid.

Control 12.4 – Disbursement records are defaced (marked as paid) to reflect GL coding, authorization and the business unit to which the payment applies, including the full name and title of all employees and of any non-employee to whom the record applies.


INFORMATION & COMMUNICATION (4):

13. Obtains or generates and uses relevant, quality information to support the functioning of IC.

Control 13.1 – Quarterly and annual closing checklists for 10-Q and 10-K reporting are completed and signed off by appropriate signatories reflecting attestation to analysis and approval of reports.

Control 13.2 – Audit Committee minutes reflect ratified and approved 10-Q and 10-K reports that were discussed with appropriate signatories with evidence of corrections and changes clearly documented and maintained.

Control 13.3 – Chart of Accounts and IT general and application controls and reports are monitored for modifications and operational effectiveness as part of the 10-Q and 10-K meetings.

14. Organization internally communicates objectives and responsibilities for IC.

Control 14.1 – see also, principle 5 – Entity obtains regular employee verification of their awareness and responsibility for internal controls with sufficient transparency for their responsibilities in-line with Policy, Procedures, Organization charts and Authorization matrices.

15. Organization communicates with external parties regarding matters affecting the functioning of IC.

Control 15.1 – Section 302 certifications with each quarterly and annual report and the annual Section 404 assessment of ICFR, both asserted by management, and the annual Section 404 attestation opined on by the independent auditor.

Control 15.2 – SOC 1 Type II report (formerly SAS 70 Type II) obtained from each service organization whose processing affects the entity’s financial reporting. SSAE 16 is the attestation standard under which a SOC 1 report is issued, so the two terms are often used interchangeably. A Type II report covers operating effectiveness over a stated period, so check that the period aligns with the entity’s fiscal year (obtaining a bridge letter for any gap) and that the complementary user entity controls the report assumes are actually in place at the entity.


MONITORING ACTIVITIES (5):

16. Organization selects, develops and performs ongoing and/or separate evaluations to ascertain the presence and functioning of ICFR.

Control 16.1 – see principle 1 - control 1.2.

Control 16.2 – see principle 2 - control 2.2.

Control 16.3 – Internal audit function adheres to professional standards, such as the Institute of Internal Auditors (“IIA”), as evidenced by transparent audit plans and programs that consider risk and are supported by sufficient audit evidence that can be independently verified.

Control 16.4 – IAD has authority to examine all aspects of the entity’s operations with results clearly reported to management and the Audit Committee. Refer also to principle 1 – control 1.3.

17. Organization evaluates and communicates IC deficiencies in a timely manner to those responsible for taking corrective action (senior management and Board, as appropriate).

Control 17.1 – see principle 2 - control 2.3.