2013 COSO v ERM Compliance Made Simple ©

2013 COSO v ERM NEW FRAMEWORK Webinar SLIDES


DESCRIPTION

Learn how the 2013 COSO framework compares with the ERM framework and how it will impact your internal control documentation!


Page 1: 2013 COSO v ERM NEW FRAMEWORK Webinar SLIDES

2013 COSO v ERM

Compliance Made Simple ©

Page 2

Agenda

Why Change Something that’s Working?
Overview of 2013 New Framework
COSO v ERM Framework
Practical “Real Life” Examples
Transition Plan

Page 3

Implementation Resources

Join the COSO Implementation LinkedIn Group (“COSO 2013 Implementation”) for FREE templates and advice, and learn from others implementing this new framework.


Page 5

Reason #1: Social Media

Why change? Social media and its impact on business processes, relationships and growth strategies were not foreseen factors.

Fact: 92% of all companies use social media tools to recruit, according to the 2012 Jobvite Social Recruitment survey.

Page 6

Reason #2: Changes In IT Environment

Source: 2012 – The Business Perspective on Cloud Computing – A Literature Review of Research on Cloud Computing, by Hoberg, Wollersheim, Krcmar

Page 7

Reason #3: Globalization

Over 95% of the World’s population lives outside of the US (a)

(a) 2013 Internationalization of Intangibles, Corrado & Hulten

Page 8

What did we end up with? The Holy Grail of Internal Control Frameworks

Vol/Name                       Pages
Exec Sum. Overview                10
Vol 2: Framework/App             186
Vol 3: Tools/Effectiveness       146
Vol 4: SOX ICFR                  159
Total pages                      501

Page 9

How We See Framework Changes

1992 COSO: “Good”
ERM 2004
Small COSO 2006: “Better” (20 Principles, 76 Attributes)
2013 COSO: “BEST” (?? Principles, ?? Points of Focus)

Page 10

How We See Framework Changes

1992 COSO: “Good”
ERM 2004
Small COSO 2006: “Better” (20 Principles, 76 Attributes)
2013 COSO: “BEST” (17 Principles, 86 Attributes)

Page 11

Clarity of Attributes v POF

During the comment period, respondents were concerned that keeping Attributes as in the initial draft would create a “checklist mentality”.

Thus in the Updated Framework they stated them as “Points of Focus” (“POF”).

POF are important characteristics of principles.


Page 13

How does this impact ERM? ERM still exists and can be used.

During the comment period some respondents requested that there be further integration of ERM concepts into the updated framework, such as “Risk Appetite”.

ERM and 2013 COSO are complementary to each other and NEITHER is superseding the OTHER!

Page 14

How do ERM and New COSO Visually LOOK?

Governance
  ERM
    New 2013 COSO “IC”

Internal Controls is the “BASE” or FOUNDATION

ERM is much BROADER than just looking at effective Internal Controls (Strategy/Risk Assessment)

ERM is just PART of the OVERALL Governance Process in an organization

Page 15

COSO v ERM (Side by Side)

Page 16

COSO v ERM

The Objective Setting component of the ERM Framework considers the process used by Mgmt & BOD for setting operations, reporting and compliance objectives.

IC = Objectives are a PRECONDITION to an effective system of controls

Page 17

COSO v ERM

Strategic Objectives reflect Mgmt’s choice of how the Entity will CREATE VALUE for its stakeholders

IC = Mgmt trying to meet these specific objectives.

Page 18

COSO v ERM

ERM = Risk Assessment Expanded, but only INTRODUCES Risk Appetite and Risk Tolerance concepts

IC = Concept of Risk Tolerance is included as a precondition to IC but NOT part of IC.

Page 19

Now let’s take a look at NEW COSO


Page 21

New Framework and ERM Differences: Control Environment

Common to BOTH:
Demonstrates commitment to integrity & ethical values
Exercises oversight responsibility
Est. structures, authority & responsibility
Demonstrates commitment to competency
Enforces accountability

Intro. New & Expanded in ERM: (none listed on this slide)

ERM Exclusive:
Establishes Risk Mgmt Philosophy
Est. risk culture
Est. risk appetite

Page 22

Control Environment Key Differences

ERM has a whole chapter devoted to the “Entity’s Risk Management Philosophy”, included in the section called “Internal Environment”.

1. Provides examples of how shared beliefs and attitudes characterize HOW an entity considers risks
2. How it reflects on these values and influences its culture and operating style

Page 23

Risk Assessment (columns: Common to BOTH | Intro. New but expanded in ERM | ERM Exclusive)

Assesses Fraud risk
ID & analyzes risks/events
Distinguishes risk & Opportunities
ID & Analyzes Significant Change
Develops Portfolio view

Page 24

ERM Advantages – Risk Assessment process

1. ERM = Risks are “Inherent” & “Residual”
2. ERM Addresses “Interrelated Risks”, which are risks that include a “single event which may create MULTIPLE RISKS”
3. Potential events with positive impact represent opportunities, while those with negative impact represent risks

Page 25

ERM – Advantage Real Life Examples – with Miley Cyrus

Strategy = Figure out your life
Internal Environment = Dad, Famous Country singer

Page 26

Miley Cyrus = Career Risk Assessment

Step 1: Internal Environment allows her to set objectives/goals for herself.

Achy Breaky Heart has:
1. Translated into 100 languages
2. Only single to reach triple platinum and #1 single in 1992 (Australia)

Page 27

ERM and Miley Cyrus

Step 2: EVENT Identification = Disney (Pure Brand)

Page 28

Step 3: Risk Assessment (Part 1) = Music Career

Page 29

Step 4: Risk Assessment “Risk Appetite” = Ditch Good Girl Look to Riskier Looks & Music

Page 30

Step 5: Risk Response = RISKIER LOOKS & VMA Actions

Page 31

ERM and Miley Cyrus

IC & ERM have 4 Risk response categories:

1. Avoid the Risk = “Run Back to Disney Roots!”

Page 32

ERM and Miley Cyrus

2. Reduce = Cut Down on Bad Girl Image (keep your clothes on!)

Page 33

ERM and Miley Cyrus

3. Share the Risk = Be weirder than Lady Gaga

Page 34

ERM and Miley Cyrus

4. Accept = Remember what happened to Britney or “Britney who?”

Get reactions like this!

Page 35

ERM and Miley Cyrus

Miley’s “Risk Response” Choices, like the IC & ERM Four Categories:
1. Avoid = Run Back to Disney Roots!
2. Reduce = Stop the Bad Girl Image
3. Share = Befriend “Lady Gaga”
4. Accept = Remember what happened to Britney or “Britney who?”

ERM ADVANTAGE: However, if she decides to implement the ERM framework she would need to ALSO consider potential responses from these categories with the intent of achieving a residual risk level aligned with her RISK Tolerances.

Page 36

Polling Question

So what should she choose?
1. Avoid = Run Back to Disney Roots!
2. Reduce = Stop the Bad Girl Image
3. Share = Befriend “Lady Gaga”
4. Accept = Remember what happened to Britney or “Britney who?”

Page 37

ERM Risk Assessment Solution

Time Machine: Get back to her good girl success patterns

Page 38

ERM Risk Assessment Solution

Page 39

Principle#   Points of Focus
10           6
11           4
12           6

Page 40

New Framework and ERM Differences: Control Activities

Common to Both:
Selects & develops control activities
Selects & develops general controls over IT
Deploys through policies and procedures

Intro. New but expanded in ERM: NONE

ERM Exclusive: NONE

Page 41

Principle#   Points of Focus
13           5
14           4
15           5

New 2013 Audit Layering Trends

Page 42

New Framework and ERM Differences: Information & Communication

Common to BOTH:
Communicates Internally
Communicates Externally

Intro. NEW but expanded in ERM:
Uses relevant information (Pr.#13)

ERM Exclusive: NONE

Vol#4 – 2013 COSO page 122 Example Data Validation

Page 43

Created a higher bar for Internal Control Testing

Why increase scrutiny of Data Validation?

3 Layered Testing

High Risk & Use of Judgment?

Page 44

Principle#   Points of Focus
16           7
17           3

Page 45

New Framework and ERM Differences: Monitoring

Common to BOTH:
Conducts ongoing &/or separate evaluations
Evaluates & Communicates deficiencies

Intro. New & Expanded in ERM: NONE

ERM Exclusive: NONE

The NEW 2013 IC Framework presents a more current view of monitoring, using a baseline & monitoring external service providers!

Page 46

COSO Health Check – On Your Own

Free Tool: Evaluation of 86 Attributes; go to www.AvivaSpectrum.com/Blog

Included:
1) Introduction
2) Overall Assessment
3) Components (167 rows of data)
4) Principles w/Attr. (386 rows of data)
5) Deficiencies

Page 47

COSO’s Transition guidance

Compliance Control Analysis

Page 48

Step 1 – Awareness & Education!

CCA Transition Plan

Group | Document | Delivery Date | Next Steps
Board of Directors | Executive Summary | FY 2013 3rd Quarter Meeting | Agreement on Transition plan
C-Level | Executive Summary | FY 2013 3rd Quarter Meeting | Internal Transition meeting Dec. 13, 2013
SOX Director | All Four COSO Materials; COSO Cloud Based Guidance; Monitoring guidance Vol #3 | Nov. 4th | Draft Transition plan for Dec. 13th meeting (Dec. 6th)

Page 49

Step 2 – Preliminary Impact Assessment

Map your existing system of internal control against the updated COSO Framework.

CCA Transition Plan

Area | Assessment File name | Items/Controls Covered | New 2013 Impact | # of Approaches (Vol. 4) | Est. Eval. Lead Time | Due Date | Impact inventory listing due
ELC | 2013-ELC Assessment.xls | 45 | 5 PR & 17 POF | 25 Unique Examples | 2 weeks | Nov. 1st | Nov. 8th

Note on # of Approaches: These are NOT Controls. Estimate 2-3 Controls per approach.

Page 50

Step 3: BOD & External Auditors

Each business unit or location may prepare its own local level assessment.

CCA Transition Plan

Corporate Office: Fin, IT
Division 1: Fin, IT
Operating Unit: Fin, IT

Page 51

CCA Transition Plan

Page 52

CCA Transition Plan

Initial Impact Analysis should give WARNINGS to BOD & C-Level Mgmt Immediately!

In-Scope Entity With Control Deficiency from Prior Year

Page 53

Vol. #3 – COSO IC Effectiveness (pg. 65-66)

Readiness test

FACTS:
• Private Co., retail furniture company (family owned)
• $200MM Rev and exclusively in Western US Sales
• Evaluation of Principle #1

COSO 2013 FINDINGS:
1. No formal training program to make employees aware of the importance of adherence to standards of conduct.
2. No process to evaluate EEs against the published integrity & ethics policy
3. Processes to ID & Address Deviations are ad hoc

QUESTION: Is this a Control Deficiency, Significant Def., or Major Deficiency?

Page 54

Step 4: Develop & Execute the Plan

Company Overview/Forecast (2 mos. lead time)
SOX Aggregate Impact (3 mos. lead time)
Finance & IT Deliverables Impact assessment (3-4 mos. lead time)

Compliance Control Analysis (“CCA”)

Page 55

Control Compliance Analysis

[email protected]

Page 56

Contact Information

Sonia Luna, President, [email protected]
700 S. Flower Street #1100, Los Angeles, CA 90017
P: (213) 250-5700