FEI - BlackLine Systems Webinar July 24, 2014 12 pm ET / 9am PT 1.5 CPE

COSO Implementation: Getting Real, Getting It Right

DESCRIPTION

Join this webcast featuring senior-level financial executives with deep knowledge of the updated internal control framework released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Hear first-hand how Pfizer, Raytheon and Dow have implemented the updated framework (which will supersede COSO’s original 1992 guidelines at the end of this year).

Citation preview

Page 1: COSO Implementation: Getting Real, Getting It Right

FEI - BlackLine Systems Webinar July 24, 2014 12 pm ET / 9am PT 1.5 CPE

Page 2: COSO Implementation: Getting Real, Getting It Right

Introduction

This session will cover key areas to focus on when transitioning to COSO’s updated internal control framework, to make implementation most efficient and effective. Now that it’s mid-July 2014, with COSO’s 2013 framework set to supersede COSO’s 1992 framework less than six months from now (as announced by COSO, as of Dec. 15, 2014), it’s time for your COSO Implementation to “Get Real” and “Get it Right!”

Page 3: COSO Implementation: Getting Real, Getting It Right

Program Outline Housekeeping/CPE Capsule Overview of COSO 2013 Project Planning, Roles & Responsibilities Mapping from COSO ‘92 to COSO 2013 Working with Auditors; Sarbanes-Oxley Implementation issues; Fraud Assessment Q&A Benefits Closing Remarks

Page 4: COSO Implementation: Getting Real, Getting It Right

CPE Credits and Supplemental Information

We are offering 1.5 CPE credits for this webinar

To be eligible to receive these credits, please ensure you answer at least four (4) out of the five (5) polling questions

You will receive the CPE certificate via e-mail approximately 4 weeks after the webinar date

Register for the remaining webinars in this series hosted by BlackLine Systems in conjunction with FEI. Watch for announcements to be posted on:

– FEI’s COSO Resources page, www.financialexecutives.org/coso, and on

– BlackLine’s webinars page https://www.blackline.com/news-events/webinars

Page 5: COSO Implementation: Getting Real, Getting It Right

WHY IS THE UPDATED COSO FRAMEWORK IMPORTANT

Internal controls are critical, yet companies don’t always update them for changes in the business, industry or environment

Companies are now faced with new risks and opportunities that should be considered

– Reliance on technologies

– Increasing regulatory requirements and oversight

– Social media

– Outsourcing business functions

– Emphasis on controls around non-financial reporting

– More focus on fraud

Page 6: COSO Implementation: Getting Real, Getting It Right

Polling Question 1

How far along are you in completing your COSO 2013 implementation?

Haven’t started yet

Early stages

About mid-way

Mostly done

Management done, but we haven’t really consulted with our auditors yet as to the effectiveness of internal control under COSO 2013

Management done, and we know where we stand with our auditors on the effectiveness of internal control under COSO 2013

Not applicable (e.g. I don’t work for a company that has to implement COSO 2013)

Page 7: COSO Implementation: Getting Real, Getting It Right

SPEAKERS

Page 8: COSO Implementation: Getting Real, Getting It Right

SPEAKERS

Page 9: COSO Implementation: Getting Real, Getting It Right

Overview

COSO’s Updated Internal Control Framework

Page 10: COSO Implementation: Getting Real, Getting It Right

Update considers changes in business and operating environments

Changes in environments... Drive updates to the Framework...

Expectations for governance oversight

Globalization of markets and operations

Changes and greater complexity in the business

Demands and complexities in laws, rules, regulations, and standards

Expectations for competencies and accountabilities

Use of, and reliance on, evolving technologies

Expectations relating to preventing and detecting fraud

[Figure: COSO Cube]

Page 11: COSO Implementation: Getting Real, Getting It Right

What is not changing...

1. Retain core definition of internal control

2. Retain five components of internal control

3. Retain requirement of five components for an effective system of internal control

4. Retain important role of judgment in designing, implementing, and conducting internal control, and in assessing effectiveness of internal control

What is changing...

1. Articulate fundamental concepts underlying the five components as principles

2. Consider changes in business and operating environments

3. Expand operations and reporting objectives

4. Provide additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives

Update intends to ease use and application

Page 12: COSO Implementation: Getting Real, Getting It Right

Requirements for Effective Internal Control

Effective internal control requires that:

– Each of the five components of internal control and relevant principles are present and functioning

– The five components are operating together in an integrated manner

When a component or relevant principle is deemed not present and functioning or when components are deemed not operating together, a “major deficiency” exists

When a major deficiency exists, the entity cannot conclude that it has met the requirements for effective internal control

Page 13: COSO Implementation: Getting Real, Getting It Right

Requirements for Effective Internal Control

Components operate together when:

– Components are present and functioning

– Internal control deficiencies aggregated across components do not result in one or more major deficiencies

– An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives is a major deficiency

– A major deficiency exists when management determines that a component and relevant principle is not present or functioning or components are not operating together

– Management uses only relevant criteria (as established by regulators, standard-setting bodies, and other relevant third parties) for defining severity of, evaluating, and reporting internal control deficiencies

Page 14: COSO Implementation: Getting Real, Getting It Right

The Five Components of Internal Control

Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring

Components of Internal Control Remain Unchanged from COSO’s 1992 Framework

Page 15: COSO Implementation: Getting Real, Getting It Right

Update articulates principles of effective internal control (continued)

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Page 16: COSO Implementation: Getting Real, Getting It Right

Update articulates principles of effective internal control (continued)

Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Page 17: COSO Implementation: Getting Real, Getting It Right

Update articulates principles of effective internal control (continued)

Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

Page 18: COSO Implementation: Getting Real, Getting It Right

Update articulates principles of effective internal control (continued)

Information & Communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Page 19: COSO Implementation: Getting Real, Getting It Right

Update articulates principles of effective internal control (continued)

Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Page 20: COSO Implementation: Getting Real, Getting It Right

Points of Focus

The Framework describes points of focus that are important characteristics of the principles

– Some points of focus may not be relevant, and others may be identified based on specific circumstances

– The points of focus may facilitate designing, implementing, and conducting internal control and assessing its effectiveness

There is no requirement to separately assess whether points of focus are in place

Page 21: COSO Implementation: Getting Real, Getting It Right

Transition Timing

May 2013 – Paul Beswick, SEC Chief Accountant:

– “SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. However, at this time, I’ll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition”

September 2013 – Center for Audit Quality, SEC Regulations Committee meeting highlights:

– [SEC Staff] indicated that the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC’s requirement to use a suitable, recognized framework

Page 22: COSO Implementation: Getting Real, Getting It Right

Draft Disclosure

A key part of your disclosure will be to identify which version of the COSO Framework you have used: COSO 1992 or COSO 2013.

Page 23: COSO Implementation: Getting Real, Getting It Right

Possible Impact

Does your organization apply and interpret the narrative included in the 1992 Framework in the same manner as the COSO Board?

Does your system of internal control cover all 17 principles?

Does your SOX program include the documentation and evaluation of all 5 components, or only of Control Activities?

Does your risk assessment give enough consideration to fraud risk?

Do your controls extend to processes that have been outsourced?

Have you documented and evaluated your Board’s oversight of the system of internal controls?

How will you use the framework – for SOX only, or also for other reporting, operating, or compliance objectives?

Page 24: COSO Implementation: Getting Real, Getting It Right

Recap

The framework hasn’t really changed much at all

– Same definition of internal control / 5 components

– Still follow SEC guidance in determining severity of deficiencies

– Areas of emphasis:

• Considering fraud in the risk assessment

• Controls over outsourced processes

• Role of Board in oversight of the system of internal controls

All relevant principles must be present and functioning (Points of Focus are not required). Are all of the principles covered in your SOX 404 program?

– Do you have gaps in control, documentation, or monitoring?

– Your evaluation of the system of IC at the end of the year will need to address all relevant principles.

Page 25: COSO Implementation: Getting Real, Getting It Right

Polling Question 2

What is required under COSO 2013 for Internal Control to be deemed “effective”?

All 17 Principles have to be Present and Functioning

The 5 core components of internal control have to operate together

The 87 Points of Focus have to map to your Entity-Level Controls

All of the above

Just the first two points above

Page 26: COSO Implementation: Getting Real, Getting It Right

Project Management, Roles and Responsibilities

Page 27: COSO Implementation: Getting Real, Getting It Right

Dow’s COSO 2013 Transition: Project Planning

Dow will transition to COSO 2013 during 2014

Focused on Internal Control over External Financial Reporting

Project managed by the Internal Control Compliance Group

Broad awareness and communication

– Key functions engaged (Finance, IT, HR, etc.)

– Coordinated with Internal Audit

Audit Committee oversight

External auditor engagement

Consideration of ICEFR “hot topics”

Page 28: COSO Implementation: Getting Real, Getting It Right

Polling Question 3

Which of the following most closely describes your company’s approach to mapping for COSO 2013?

We are mapping our existing controls to COSO 2013’s 17 Principles, but not to the 87 points of focus.

We are mapping our existing controls to COSO 2013’s 17 Principles AND all 87 points of focus, because of strong pressure from our auditors to do so.

We are mapping our existing controls to COSO’s 17 principles and most or all of COSO’s 87 points of focus voluntarily because we found it helpful to do so.

We are mapping our existing controls to COSO’s 17 principles and most or all of COSO’s 87 points of focus voluntarily, because we believe it will reduce the work and cost of our external auditor engaging in the same activity by enabling them to review our having done that exercise.

Don’t know

Page 29: COSO Implementation: Getting Real, Getting It Right

Mapping Your Controls To COSO 2013

Page 30: COSO Implementation: Getting Real, Getting It Right

Mapping Analysis Background

Internal Control is not a new concept

COSO’s 5 core components are not “new”

Sarbanes-Oxley Section 404 is not “new”

Judgment is still required in designing, implementing, and assessing internal control

Transition from COSO 1992 to COSO 2013 considered by many, as a practical matter, a “mapping” exercise

Page 31: COSO Implementation: Getting Real, Getting It Right

Gap Analysis

“Mapping” or Alternative Method of Gap Analysis Will Vary

Degree of documentation and effort will vary, company by company based on …

– Current state of internal control

– Degree to which current controls have kept up with change

– Quality and quantity of existing documentation

– Size and complexity of the business

Page 32: COSO Implementation: Getting Real, Getting It Right

Mapping Analysis: Raytheon’s Approach

We started with the COSO Excel templates available when Framework purchased

We modified the COSO standard templates to map our key controls to the points of focus for each of the 17 principles

– Explanations for each assignment were documented to serve as a record of why the control met the point of focus

The mapping exercise identified the level of coverage for the points of focus within each principle and allowed us to:

– Assess if all points of focus were covered

– Assess strength/weakness of coverage

Page 33: COSO Implementation: Getting Real, Getting It Right

Mapping Analysis: Lessons we Learned

Took longer than expected to complete

COSO material was helpful throughout the process

Focused on the impact to Internal Control Over Financial Reporting to ensure completion in 2014

Project timeline was helpful to ensure communication with stakeholders, including internal and external auditors

Required documentation enhancements in selected areas

Page 34: COSO Implementation: Getting Real, Getting It Right

Dow’s COSO 2013 Transition: Controls Mapping & Gap Assessment

Performed a robust gap assessment

– Mapped existing controls to Points of Focus and Principles

Will not result in a significant change to Dow’s SOX compliance process or controls

– Expanded documentation of specific attributes of certain controls

– Will need to obtain specific evidence of operating effectiveness

– Enhanced controls in a few areas

Page 35: COSO Implementation: Getting Real, Getting It Right

Polling Question 4

How confident are you that Chief Executive Officers and the Boards of Directors that oversee them are up to speed about the changes to the COSO internal control framework and how it plays into the CEOs’ and CFOs’ Sarbanes-Oxley assertions for calendar-year-end companies beginning this year-end?

Very confident

Confident

Not very confident

Page 36: COSO Implementation: Getting Real, Getting It Right

Working with the Auditors

Management’s Perspective

Since 2004, our SOX programs have evolved and improved. Most of us have robust systems of controls and have developed thorough and efficient programs for monitoring our controls and evaluating effectiveness. Our auditors have audited our controls and have given their opinions year after year. COSO 2013 is not a major change to the 1992 Framework. So, the transition project should not be a major effort. We shouldn’t be starting over on SOX, with a blank sheet of paper and a top-to-bottom documentation exercise.

Page 37: COSO Implementation: Getting Real, Getting It Right

Working with the Auditors

Auditors’ Perspective

Since 2004/2007, audits of internal controls have been based on AS2/AS5, and have been influenced by PCAOB inspections. COSO 2013’s 17 principles and 60 or so Points of Focus are new elements in the internal controls audit. The PCAOB alert issued in November included several areas in the audit of internal controls that auditors are going to focus on this year, in addition to COSO (e.g., management review controls). The PCAOB will be looking for documentation on all of the above, so the Auditors will be cascading these requirements on their clients. The firms have developed templates for collecting the documentation; the comprehensive nature of these templates can potentially generate more work than the minor tweaks to the framework might suggest would be necessary.

Page 38: COSO Implementation: Getting Real, Getting It Right

Suggestions: We have engaged with our auditors early and often, sharing our plans and early assessments, and seeking their feedback. Our project plan includes reviews with them at each step along the way:

– Preliminary Assessment

– Project Plan Review

– Mapping Exercise

– Documentation / Remediation

– Testing and Evaluation

We have segregated the COSO project from work related to other PCAOB-highlighted topics. We have tried wherever possible to use our auditors’ templates, in the interest of overall efficiency, but we have discussed the need to limit the amount of detail we are trying to collect in these forms.

Page 39: COSO Implementation: Getting Real, Getting It Right

Benefits

The COSO board firmly believes that the principles in the COSO framework can help companies be more successful.

Page 40: COSO Implementation: Getting Real, Getting It Right

Risk Assessment

One of the most significant updates to COSO’s framework, from management’s perspective, is Principle 8, which requires Management to perform a Fraud Risk Assessment.

Page 41: COSO Implementation: Getting Real, Getting It Right

Dow’s COSO 2013 Transition: Consideration of Fraud Risk

Internal Control Compliance Group conducts formal ICFR fraud risk assessment annually

Input from multiple groups across the organization

Identify & document fraud schemes specific to ICFR

Consider what groups could commit the fraud and how

Identify controls in place to detect and mitigate each fraud risk

Consideration of fraud risks at Outsourced Service Providers

Audit Committee oversight

Fraud awareness training and communication

Ongoing monitoring activities

Page 42: COSO Implementation: Getting Real, Getting It Right

Polling Question 5

Who leads your COSO Project Planning Team at your company?

Internal Audit

Sarbanes-Oxley Group in Corp. Compliance Dept.

Sarbanes-Oxley Group in Corporate Controllers

Internal Control/Financial Control Group in Corporate Compliance

Internal Control/Financial Control Group in Corporate Controllers

Finance/Corporate Controllers Dept – Other

Other

Page 43: COSO Implementation: Getting Real, Getting It Right

ABOUT BLACKLINE

Global headquarters in Los Angeles with regional main offices in London and Sydney

More than 850 clients (many in the Fortune 500/Global 1000)

Over 100,000 users worldwide in 100+ countries

First to market and offer software to automate the entire financial close process

BlackLine Certified Implementation Professionals all around the world

Page 44: COSO Implementation: Getting Real, Getting It Right

[Figure: Global Deployment (users, offices, certified partners): 100+ countries, 100,000+ users]

Page 46: COSO Implementation: Getting Real, Getting It Right

About COSO

For more information about COSO, go to www.coso.org

When ordering the COSO Internal Control Framework, FEI members use Discount Code FEIIC

Visit www.financialexecutives.org/coso

Page 47: COSO Implementation: Getting Real, Getting It Right

About FEI / FERF

For more information about COSO, internal controls, Governance Risk and Compliance and topics of interest to senior-level financial executives, audit committee members, and academics, visit Financial Executives International (FEI), Financial Executives Research Foundation (FERF) and FEI Daily.

www.financialexecutives.org

www.ferf.org

daily.financialexecutives.org

www.financialexecutives.org/coso

Page 48: COSO Implementation: Getting Real, Getting It Right

Join FEI before August 31 and pay $399.

Join online and enter discount code COSO714 during check-out.

www.financialexecutives.org/join

Questions? Contact FEI’s Member Services Dept. 973.765.1000 | 877.359.10710 | [email protected]

Become FEI’s Newest Member!