COSO changes coming in 2014
An overview of COSO's 2013 update to the Internal Control Integrated Framework
January 7, 2014
www.eidebailly.com
Agenda
Overview of updated 2013 COSO Internal Controls Integrated Framework
Principles & Points of Focus supporting the Five Components
Transitioning to the 2013 Framework
Other Considerations
Overview of COSO IC-IF
Internal Control - Integrated Framework (ICIF)
Originally released in 1992
Updated in May 2013, including three companion documents
Authored by PwC under direction of COSO Board
Committee Of Sponsoring Organizations of the Treadway Commission
COSO 2013 update
Updated Internal Control Integrated Framework issued on May 14, 2013
Companion documents include:
Internal Control Integrated Framework Executive Summary
Illustrative Tools for Assessing Effectiveness of a System of Internal Controls
Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
Transition Date: December 15, 2014
2013 update: What's new?
Expands operations and reporting objectives
Codification of 17 principles supporting the five components
Points of Focus to help identify and evaluate 17 principles
Addresses increased relevance and dependence on IT
Increased guidance on fraud risk assessment and responses
Updated for changes in business and operating environments
2013 update: What's the same?
Core definition of internal controls
Objectives: Operations, Reporting & Compliance
Five components of internal controls: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring
Role judgment plays in design, implementation, operation and assessment of internal controls
17 Codified Principles
Internal Control Objectives
Operations: relate to the achievement of an entity's basic mission and vision operational . . . financial performance, productivity . . . and includes safeguarding of assets against loss ('92 framework: effectiveness and efficiency of the entity's operations, including performance and profitability goals and safeguarding resources against loss)
Reporting: pertains to the preparation of reports for use by organizations and stakeholders and may relate to financial and non-financial reporting . . . External reporting objectives are driven primarily by regulations and/or standards established by regulators and standard-setting bodies . . . ('92 framework was known as Financial Reporting objective: preparation of reliable published financial statements, including prevention of fraudulent public financial reporting)
Compliance: conduct activities, and often take specific actions, in accordance with applicable laws and regulations . . . understanding which laws, rules and regulations apply across the entity ('92 framework: pertains to adherence to laws and regulations to which the entity is subject)
Principles & Points of Focus: Control Environment
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. . . The control environment comprises the integrity and ethical values of the organization . . . enabling the board of directors to carry out its oversight responsibilities . . . structure and assignment of authority and responsibility . . . attracting, developing, and retaining competent individuals . . . rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.
1. Organization demonstrates a commitment to integrity and ethical values
  Tone at the Top
  Establishes Standards of Conduct
  Evaluates adherence to Standards of Conduct
  Addresses deviations in a timely manner
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
  Establishes oversight responsibilities
  Applies relevant expertise
  Operates independently
  Provides oversight for the system of internal control
Principles & Points of Focus: Control Environment Continued
3. Management establishes, with Board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
  Considers all structures of the entity
  Establishes reporting lines
  Defines, assigns and limits authorities and responsibilities
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
  Establishes policies and practices
  Evaluates competence and addresses shortcomings
  Attracts, develops and retains individuals
  Plans and prepares for succession
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
  Enforces accountability through structures, authorities, and responsibilities
  Establishes performance measures, incentives and rewards
  Evaluates performance measures
Principles & Points of Focus: Risk Assessment
Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
  Operations Objective:
    Reflects Management's Choices
    Considers Tolerances for Risk
    Includes Operations and Financial Performance Goals
    Forms a Basis for Committing of Resources
Note: For Principle 6 related to Risk Assessment, there are different Points of Focus for each of five specific objectives: Operations Objectives, External Financial Reporting Objectives, External Non-Financial Reporting Objectives, Internal Reporting Objectives, Compliance Objectives
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
  External Financial Reporting Objective:
    Complies with applicable accounting standards
    Considers Materiality
    Reflects entity activities
Principles & Points of Focus: Risk Assessment Continued
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
  Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
  Analyzes Internal and External Factors
  Involves Appropriate Levels of Management
  Estimates Significance of Risks Identified
  Determines How to Respond to Risks
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives
  Considers Various Types of Fraud
  Assesses Incentive and Pressures
  Assesses Opportunities
  Assesses Attitudes and Rationalizations
9. The organization identifies and assesses changes that could significantly impact the system of internal control
  Assesses Changes in the External Environment
  Assesses Changes in the Business Model
  Assesses Changes in Leadership
Principles & Points of Focus: Control Activities
Control activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may . . . encompass a range . . . of activities . . . Where segregation of duties is not practical, management selects and develops alternative control activities.
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
  Integrates with Risk Assessment
  Considers Entity-Specific Factors
  Determines Relevant Business Processes
  Evaluates a Mix of Control Activity Types
  Considers at What Level Activities Are Applied
  Addresses Segregation of Duties
Principles & Points of Focus: Control Activities Continued
11. The organization selects and develops general control activities over technology to support the achievement of objectives
  Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
  Establishes Relevant Technology Infrastructure Control Activities
  Establishes Relevant Security Management Process Control Activities
  Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action
  Establishes Policies and Procedures to Support Deployment of Management's Directives
  Establishes Responsibility and Accountability for Executing Policies and Procedures
  Performs in a Timely Manner
  Takes Corrective Action
  Performs Using Competent Personnel
  Reassesses Policies and Procedures
Principles & Points of Focus: Information & Communication
Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
  Identifies Information Requirements
  Captures Internal and External Sources of Data
  Processes Relevant Data into Information
  Maintains Quality throughout Processing
  Considers Costs and Benefits
Principles & Points of Focus: Information & Communication Continued
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
  Communicates Internal Control Information
  Communicates with the Board of Directors
  Provides Separate Communication Lines
  Selects Relevant Method of Communication
15. The organization communicates with external parties regarding matters affecting the functioning of internal control
  Communicates to External Parties
  Enables Inbound Communication
  Communicates with the Board of Directors
  Provides Separate Communication Lines
Principles & Points of Focus: Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
  Considers a Mix of Ongoing and Separate Evaluations
  Considers Rate of Change
  Establishes Baseline Understanding
  Uses Knowledgeable Personnel
  Integrates with Business Processes
  Adjusts Scope and Frequency
  Objectively Evaluates
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
  Assesses Results
  Communicates Deficiencies
  Monitors Corrective Actions
Transition to 2013 Framework
Transition to the 2013 Framework, 1992 Framework to be superseded on December 15, 2014
COSO issued transition document "The 2013 Framework & SOX Compliance: One Approach to An Effective Transition" by Stephen McNally, CPA
SEC implications in transitioning to the 2013 Framework
Developing a transition plan, documentation & other considerations
COSO Guidance on Transition
The 2013 COSO Framework & SOX Compliance: One Approach to An Effective Transition
By Stephen McNally, CPA
Develop Awareness, Expertise and Alignment
  Timeless concepts, Expanded reporting, Codified principles
Conduct Preliminary Impact Assessment
  Evaluate existing system, leverage existing documentation, identify gaps
Facilitate Broad Awareness
  Engage broader organization, educate & build awareness, leverage key stakeholders
Develop & Execute Transition Plan for SOX Compliance
  Documentation & evaluation, testing, gap remediation, external review & testing
Drive Continuous Improvement
  Tone at the top, culture & processes, improve reporting & communication
SEC Reporting Implications
"I understand that COSO intends to supersede their 1992 Framework . . . we expect there will be questions about whether the SEC will provide management with any transition or implementation. . . SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. . . I'll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition."
Paul Beswick, Chief Accountant, SEC
SEC definition of internal control over financial reporting has NOT changed.
Material weakness (SEC/PCAOB) vs major deficiency (COSO)
Disclosures: framework used for assessment and plan for transition
SEC Reporting implications continued
Regulation 13a-15(f) defines internal controls over financial reporting as:
A process . . . To provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external reporting purposes in accordance with GAAP . . .
Policies and procedures must:
Maintain records in reasonable detail that accurately and fairly reflect the transactions and dispositions of the assets of the issuer
Ensure receipts and expenditures of the issuer are made only in accordance with authorizations of management and directors, and
Provide reasonable assurance regarding prevention or timely detection of the unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.
Transition plan
High level assessment and implications of adopting 2013 Framework ASAP
Determine the impact at the Entity, Division, Operating and Functional levels across the organization
Identify key stakeholders and decision makers associated with the organization's Internal Controls (specifically over Financial Reporting)
Leverage existing processes, procedures and documentation
Develop a transition plan:
  Responsibilities and expectations
  Timeline
  Reporting and communication
  Opportunities and benefits
Documentation
Documentation of the organization's system of internal controls
  Provides evidentiary support regarding design and operating effectiveness
  Allows for ongoing monitoring and communication
  Basis for management's assessment
  Support for third parties (Shareholders, Regulators, External Auditors)
Responsibility and accountability
Training and consistency
Other Considerations
Organizational objectives related to risk, operations, controls, and reporting
Use of third-party service providers and SaaS
Size and scope of entity, subsidiaries, foreign operations
Judgment regarding internal controls, specifically over External Financial reporting
Costs and benefits of internal controls
Limitations of internal controls
Companion documents
Executive Summary
Illustrative Tools for Assessing Effectiveness of a System of Internal Controls
  Templates & scenarios
  Do not modify existing framework
Internal Controls over External Financial Reporting: A Compendium of Approaches and Examples
  Examples of how principles apply to External Financial Reporting
  Illustrate design and implementation for any size entity
  Demonstrate how Points of Focus support principles
References & Links
COSO references & links
The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition
http://www.coso.org/documents/COSO%20McNallyTransition%20Article-Final%20COSO%20Version%20Proof_5-31-13.pdf
Executive Summary, 2013 Internal Control Integrated Framework
http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf
The complete updated 2013 IC-IF compendium is available through the AICPA, Ebook member price $216
http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/InternalControls/COSO/PRDOVR~PC-990027/PC-990027.jsp
SEC references & links
Remarks at the 32nd Annual SEC and Financial Reporting Institute Conference
Paul Beswick, Chief Accountant, U.S. Securities and Exchange Commission
http://www.sec.gov/News/Speech/Detail/Speech/1365171575494
Jeff Lliteras, CPA
Consulting Services Manager
Eide Bailly LLP
877 W. Main Street, Suite 800
Boise, ID 83702
208.424.3528
jlliteras@eidebailly