Learn how to compare 2013 COSO and ERM framework and how it will impact your internal control documentation!
2013 COSO v ERM
Compliance Made Simple ©
Agenda
Why Change Something that’s Working?
Overview of 2013 New Framework
COSO v ERM Framework
Practical “Real Life” Examples
Transition Plan
Implementation Resources
Join the COSO Implementation LinkedIn Group for FREE templates and advice, and learn from others implementing this new framework.
COSO 2013 Implementation
Why change? Social media and its impact on business processes, relationships and growth strategies were not foreseen factors.
Fact: 92% of all companies use social media tools to recruit, according to the 2012 Jobvite Social Recruitment survey.
Reason #1: Social Media
Reason #2: Changes In IT Environment
2012 - The Business Perspective on Cloud Computing – A Literature Review of Research on Cloud Computing by Hoberg, Wollersheim, Krcmar
Reason #3: Globalization
Over 95% of the World’s population lives outside of the US (a)
(a) 2013 Internationalization of Intangibles, Corrado & Hulten
What did we end up with? The Holy Grail of Internal Control Frameworks
Vol/Name                          Pages
Exec Sum. Overview                   10
Vol 2: Framework/App                186
Vol 3: Tools/Effectiveness          146
Vol 4: SOX ICFR                     159
Total pages                         501
How We See Framework Changes?
1992 COSO: “Good”
ERM 2004
Small COSO 2006: “Better” (20 Principles, 76 Attributes)
2013 COSO: “BEST” (?? Principles, ?? Points of Focus)
Answer: 2013 COSO has 17 Principles (86 Attributes)
Clarity of Attributes v POF
During the comment period, respondents were concerned that keeping Attributes as in the initial draft would create a “checklist mentality”.
Thus in the Updated Framework they are stated as “Points of Focus” (“POF”).
POF are important characteristics of principles.
How does this impact ERM?
ERM still exists and can be used. During the comment period some respondents requested that there be further integration of ERM concepts into the updated framework, such as “Risk Appetite”.
ERM and 2013 COSO are complementary to each other and NEITHER is superseding the OTHER!
How does ERM and New COSO Visually LOOK?
[Figure: nested layers, outermost to innermost: Governance > ERM > New 2013 COSO “IC”]
Internal Controls is the “BASE” or FOUNDATION
ERM is much BROADER than just looking at effective Internal Controls (Strategy/Risk Assessment)
ERM is just PART of the OVERALL Governance Process in an organization
COSO v ERM (Side by Side)
The Objective Setting component of the ERM Framework considers the process used by Mgmt & BOD for setting operations, reporting and compliance objectives.
IC = Objectives are a PRECONDITION to an effective system of controls
Strategic Objectives reflect Mgt’s choice of how the Entity will CREATE VALUE for its stakeholders
IC = Mgmt trying to meet these specific objectives.
ERM = Risk Assessment Expanded, but only INTRODUCES Risk Appetite and Risk Tolerance concepts
IC = Concept of Risk Tolerance is included as a precondition to IC but NOT part of IC.
Now let’s take a look at NEW COSO
New Framework and ERM Differences: Control Environment
Common to BOTH:
- Demonstrates commitment to integrity & ethical values
- Exercises oversight responsibility
- Est. structures, authority & responsibility
- Demonstrates commitment to competency
- Enforces accountability
Intro. New & Expanded in ERM / ERM Exclusive:
- Establishes Risk Mgmt Philosophy
- Est. risk culture
- Est. risk appetite
Control Environment Key Differences
ERM has a whole chapter devoted to the “Entity’s Risk Management Philosophy”, included in the section called “Internal Environment”.
1. Provides examples of how shared beliefs and attitudes characterize HOW an entity considers risks
2. How it reflects on these values and influences its culture and operating style
New Framework and ERM Differences: Risk Assessment
Common to BOTH:
- Assesses Fraud risk
- ID & analyzes risks/events
- ID & Analyzes Significant Change
Intro. New but expanded in ERM / ERM Exclusive:
- Distinguishes risk & Opportunities
- Develops Portfolio view
ERM Advantages – Risk Assessment process
1. ERM = Risks are “Inherent” & “Residual”
2. ERM addresses “Interrelated Risks”, which are risks that include a “single event which may create MULTIPLE RISKS”
3. Potential events with positive impact represent opportunities, while those with negative impact represent risks
ERM – Advantage Real Life Examples – with Miley Cyrus
Strategy = Figure out your life
Internal Environment = Dad is a famous Country singer
Miley Cyrus = Career Risk Assessment
Step 1: Internal Environment allows her to set objectives/goals for herself.
Achy Breaky Heart has:
1. Translated into 100 languages
2. Only single to reach triple platinum and #1 single in 1992 (Australia)
ERM and Miley Cyrus
Step 2: EVENT Identification= Disney (Pure Brand)
Step 3: Risk Assessment (Part 1) = Music Career
Step 4: Risk Assessment “Risk Appetite” = Ditch Good Girl Look for Riskier Looks & Music
Step 5: Risk Response = RISKIER LOOKS & VMA Actions
IC & ERM have 4 Risk response categories:
1. Avoid the Risk = “Run Back to Disney Roots!”
2. Reduce = Cut Down on Bad Girl Image (keep your clothes on!)
3. Share the Risk = Be weirder than Lady Gaga
4. Accept = Remember what happened to Britney or “Britney who?”
Get reactions like this!
Miley’s “Risk Response” Choices, like the IC & ERM Four Categories:
1. Avoid = Run Back to Disney Roots!
2. Reduce = Stop the Bad Girl Image
3. Share = Befriend “Lady Gaga”
4. Accept = Remember what happened to Britney, or “Britney who?”
ERM ADVANTAGE: However, if she decides to implement the ERM framework she would need to ALSO consider potential responses from these categories with the intent of achieving a residual risk level aligned with her RISK Tolerances.
So what should she choose? (Polling Question)
1. Avoid = Run Back to Disney Roots!
2. Reduce = Stop the Bad Girl Image
3. Share = Befriend “Lady Gaga”
4. Accept = Remember what happened to Britney, or “Britney who?”
Time Machine
Get back to her good girl success patterns
Principle #   Points of Focus
10            6
11            4
12            6
New Framework and ERM Differences: Control Activities
Common to Both:
- Selects & develops control activities
- Selects & develops general controls over IT
- Deploys through policies and procedures
Intro. New but expanded in ERM: NONE
ERM Exclusive: NONE
Principle #   Points of Focus
13            5
14            4
15            5
New 2013 Audit Layering Trends
New Framework and ERM Differences: Information & Communication
Common to BOTH:
- Communicates Internally
- Communicates Externally
Intro. NEW but expanded in ERM:
- Uses relevant information (Pr. #13)
ERM Exclusive: NONE
Vol #4 – 2013 COSO page 122, Example: Data Validation
Created a higher bar for Internal Control Testing
Why increase scrutiny of Data Validation?
3 Layered Testing
High Risk & Use of Judgment?
Principle #   Points of Focus
16            7
17            3
New Framework and ERM Differences: Monitoring
Common to BOTH:
- Conducts ongoing &/or separate evaluations
- Evaluates & Communicates deficiencies
Intro. New & Expanded in ERM: NONE
ERM Exclusive: NONE
The NEW 2013 IC Framework presents a more current view of monitoring, using a baseline & monitoring external service providers!
COSO Health Check – On Your Own
Free Tool: Evaluation of 86 Attributes, go to www.AvivaSpectrum.com/Blog
Included:
1) Introduction
2) Overall Assessment
3) Components (167 rows of data)
4) Principles w/Attr. (386 rows of data)
5) Deficiencies
COSO’s Transition guidance
Compliance Control Analysis
Step 1 – Awareness & Education!
CCA Transition Plan
Group: Board of Directors
  Document: Executive Summary
  Delivery Date: FY 2013 3rd Quarter Meeting
  Next Steps: Agreement on Transition plan
Group: C-Level
  Document: Executive Summary
  Delivery Date: FY 2013 3rd Quarter Meeting
  Next Steps: Internal Transition meeting Dec. 13, 2013
Group: SOX Director
  Documents: All Four COSO Materials; COSO Cloud Based Guidance; Monitoring guidance Vol #3
  Delivery Date: Nov. 4th
  Next Steps: Draft Transition plan for Dec. 13th meeting (due Dec. 6th)
Step 2 – Preliminary Impact Assessment
Map your existing system of internal control against the updated COSO Framework.
CCA Transition Plan
Area: ELC
  Assessment File name: 2013-ELC Assessment.xls
  Items/Controls Covered: 45
  New 2013 Impact: 5 PR & 17 POF
  # of Approaches (Vol. 4): 25 Unique Examples
  Est. Eval. Lead Time: 2 weeks
  Due Date: Nov. 1st
  Impact inventory listing due: Nov. 8th
Note: These are NOT Controls. Estimate 2-3 Controls per approach.
Step 3: BOD & External Auditors
Each business unit or location may prepare its own local level assessment.
CCA Transition Plan
[Org chart: Corporate Office (Fin, IT); Division 1 (Fin, IT); Operating Unit (Fin, IT)]
CCA Transition Plan
Initial Impact Analysis should give WARNINGS to BOD & C-Level Mgmt Immediately!
In-Scope Entity With Control Deficiency from Prior Year
Vol. #3 – COSO IC Effectiveness (pg. 65-66)
FACTS:
• Private Co., retail furniture company (family owned)
• $200MM Rev and exclusively in Western US Sales
• Evaluation of Principle #1
COSO 2013 FINDINGS
1. No formal training program to make employees aware of the importance of adherence to standards of conduct.
2. No process to evaluate EEs against the published integrity & ethics policy
3. Processes to ID & Address Deviations are ad hoc
Readiness test
QUESTION: Is this a Control Deficiency, Significant Deficiency, or Major Deficiency?
Step 4: Develop & Execute the Plan
- Company Overview/Forecast (2 mos. lead time)
- SOX Aggregate Impact (3 mos. lead time)
- Finance & IT Deliverables Impact assessment (3-4 mos. lead time)
Compliance Control Analysis (“CCA”)
Contact Information
Sonia Luna, President, [email protected]
700 S. Flower Street #1100, Los Angeles, CA 90017
P: (213) 250-5700