David Barton Managing Director

UHY Advisors

TIME: 12pm PDT / 3pm EDT, Tuesday, October 21st

Susan Hols Senior Solutions Consultant

BlackLine Systems Inc.

AGENDA • See a live demonstration of how BlackLine Systems’ Task Product

can be used to help companies organize and manage the work around complying with the new COSO Framework

• Quick review of the COSO Framework and what is new • Key steps to be taken to ensure all relevant issues have been

considered and appropriate changes have been implemented in the framework

• Practical implementation examples facilitated through directed case studies and activities

• Best practices for organizations to establish and accelerate the implementation of the new framework

Susan Hols Senior Solutions Consultant

BlackLine Systems Inc.

COSO Functionality in BlackLine – Screen Demo

COSO Framework: 5 Components & 17 Principles

CONTROL ENVIRONMENT

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility 3. Establishes structure, authority, and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability

RISK ASSESSMENT 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change

CONTROL ACTIVITIES 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures

INFORMATION & COMMUNICATION 13. Uses relevant information 14. Communicates internally 15. Communicates externally

MONITORING 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies

Optional : COSO Points of Focus

1 2 3 4 5 6 7 8 9

10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77

Public Company

Internal Control Activities

Map them to COSO Framework

Department Control # Control Activity Accounts Payable CA 053 All postings to the General Ledger are run

and validated to ensure that the GL and subledger are in balance.

Systems CA 054 Segregation of Duties is maintained throughout all systems and all roles and responsibilities are reviewed by management on an annual basis

Systems CA 055 Requests for access to systems and associated responsibilities/functionality is reviewed and approved by management.

General Ledger CA 056 All balance sheet reconciliations are prepared and reviewed by management on a monthly basis. All reconciliation exceptions are addressed on a timely basis.

General Ledger CA 057 All reconciliations deemed as critical (as per Corp. Policy 146) are completed and approved by workday 6.

Step2: Evaluate and assess compliance of Internal Control Activities to COSO Framework

Step1: Map Control Activities

• Add additional control activities • Remediate any exceptions/deficiencies • Annually assess

Actio

ns: Step3:

David Barton Managing Director

UHY Advisors

COSO Functionality in BlackLine – Screen Demo

ABOUT UHY Advisors • Top 20 Global Public Accounting and Consulting Firm • 7,000 staff in 260 offices in 85 countries • Global resources and capabilities to assist you with all of your local,

national and international service requirements

• Certified BlackLine Implementation Partner • Leading implementation partner in 2012 and 2013 • Subject matter expertise across all BlackLine modules • Unique project management and finance transformation methodology

BlackLine and UHY Advisors

COSO Internal Control Integrated Framework • On May 14, 2013, COSO released an updated version of its Internal

Control – Integrated Framework – Intended to make the framework more relevant for investors and

shareholders – Focused on enhancing control structures to deal with rapid changes

in business environment

• Original COSO framework will be superseded after December 15, 2014 – It’s time to get busy – External auditors and PCAOB will likely begin enforcement

What’s New? • “Fundamental Concepts” are now “Principles”

– 17 Principles across the 5 components • In order for a system of control to be deemed “effective”:

– All 17 principles must be “present and functioning” – All 5 components must operate together in an integrated manner

• Each Principle contains multiple points of focus • Financial Reporting has been expanded to include non-financial and

internal reporting

What Does “present and functioning” mean? • Present equates to the existence of a control, i.e. is it active? • Inference toward effective design • Functioning equates to operating effectiveness, i.e. it has been tested • Task module is a great way to prove operation and possibly testing

5 Elements and 17 Principles

Control Environment Risk Assessment Control Activities Information and

Communication Monitoring Activities

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes–with board oversight–structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds the individuals accountable for their internal control responsibilities in the pursuit of objectives.

6. The organization specifies objectives with sufficient clarity to enable identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Where to Begin?

• Most companies have some form of controls documentation (flowcharts, narratives, matrix)

• Step 1 is to map your existing controls to the 2013 COSO framework – Gap analysis – Remediation (fill the gaps)

• Export existing COSO Template tasks • Compare to existing internal controls

Possible Controls Status

• Control exists in your BlackLine Task Module and in your control matrix (existing Task user)

• Control exists in your control matrix but not in Template (add control) • Control exists in Template but not in your control matrix

(remediation)

Risk Key Control(s)

High

Controller group reviews Great Plains automated calculations. JE's are reviewed and approved by Controller. CA 061 Controller group maintains a Month-end Close Checklist. CA 063 A draft of financial statements is sent each month by Assistant Controller to CEO, President, Controller, and COO for reasonableness review. Only the Controller and Assistant Controller have access to Great Plains during the closing periods. CA 054 Controller group prepares GL balance sheet reconciliation; GL is compared to sources, subsidiary schedule/ledger, or other reports that provide detailed account activity information. CA 059 CA 060 Annually, Goodwill impairment analysis reviewed for reasonableness. Controller and Assistant Controller review the financial statements for the impact of material and/or unique exposure items. High

Control Exists in Both

High

Controller group prepares GL balance sheet reconciliation; GL is compared to sources, subsidiary schedule/ledger, or other reports that provide detailed account activity information Annually, Goodwill impairment analyses (SFAS 142) are summarized by Controller's group and reviewed for reasonableness

High

JE's are reviewed and approved by Controller. CA 061 Changes to the chart of accounts are approved by the Controller and implemented by the Assistant Controller. A draft of financial statements is sent each month by Assistant Controller to CEO, President, Controller, and COO for reasonableness review.

Add a control to BlackLine Task Module

Control in Template, not in Matrix

• Specifies suitable objectives

• Identifies and analyzes risk

• Assesses fraud risk

• Identifies and analyzes significant change

Risk Assessment

What’s Next?

• Map your current controls and documentation to the new framework • Perform a gap analysis • Develop a transition plan

– Consider centralized PMO – Ensure top-down approach – Identify roles and responsibilities – Facilitate awareness and perform training

• Remediate gaps • Communicate with stakeholders

THANK YOU!

https://www.blackline.com/ http://uhy-us.com/