COSO 2013 Internal Control Framework
A Guide to Implementation
Justin Adamson, July 24, 2014

Agenda
COSO Background
Changes to the Framework
Roadmap to Implementation
Who/What is COSO?
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
A private sector initiative, jointly sponsored and funded by:
• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)
Formed after the SEC and U.S. Congress enacted campaign finance law reforms and the 1977 Foreign Corrupt Practices Act
Primary responsibility is to develop frameworks and guidance on enterprise risk management, internal control and fraud deterrence
COSO 1992 – Initial Framework
Initial framework defined control functions in terms of:
• Entities (2)
• Categories (3)
• Components (5)
COSO 2013 – Revised Framework
Revised the framework elements:
• Entities (4)
• Categories (3)
• Components (5)
Source: Chapter 2 of COSO Internal Control: Integrated Framework (2013).
Supersedes the previous framework on December 15, 2014
COSO 2013: Key Changes
• Codifies fundamental concepts from the original framework as “Principles” and offers points of focus for each principle
• Expands the financial reporting category of objectives to include other forms of reporting (internal and non-financial)
• Considers changes to business and operating environments
• Increased relevance of and dependence on IT
• Focus on fraud risk assessment
COSO Internal Control – Integrated Framework
The 5 components and 17 principles of internal control are intended to function in an integrated manner

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
COSO Internal Control – Integrated Framework
Points of focus describe important characteristics of each Principle
Source: coso.org

Control Environment – Principle 1: The organization demonstrates a commitment to integrity and ethical values.
Points of Focus:
• Sets the Tone at the Top
• Establishes Standards of Conduct
• Evaluates Adherence to Standards of Conduct
• Addresses Deviations in a Timely Manner
Control Examples:
• BOD and established committees charged with oversight
• Code of Conduct defining integrity and ethical values expected by the company
• Follow-up/investigation process for reported ethics violations
COSO Internal Control – Integrated Framework
Risk Assessment – Principle 7: Identifies and Analyzes Risk
Points of Focus:
• Includes Entity, Subsidiary, Division, Operating Unit and Functional Levels
• Analyzes Internal and External Factors
• Involves Appropriate Levels of Management
• Estimates Significance of Risks Identified
• Determines How to Respond to Risks
Control Examples:
• Risk/Control Self Assessment process and adherence (Likelihood/Impact ranking)
• Risk and/or performance metric dashboard monitoring and documentation of acceptance or avoidance
• Documented governance and oversight process to ensure risks are communicated to appropriate levels of mgmt. (escalation path)
COSO 2013: Why now?
Catching up with emerging trends:
• Globalization of economies
• Complexity of business operations
• Growing reliance on technology
• Increased reliance on third parties
• Increased volume and maturity of fraud schemes
• Increased government oversight, regulations, and legislation
• Increased focus and scrutiny of BoD and Senior Management oversight
Implementation Roadmap

Evaluate & Plan
• Read and interpret the new framework
• Attend consultant webinars, seminars, and training classes
• Develop transition strategy with key stakeholders

Map to New Framework
• Top-down, risk-based review of controls; map to the framework as appropriate
• Consult with key mgmt. personnel to ensure appropriate coverage
• Consult with external auditors on COSO 2013 compliance

Refine & Enhance Documentation
• Identify and clarify COSO 2013 controls in your universe
• Ensure appropriate testing is in place
• Internal Audit involvement
• Consult with External Auditors

Communicate & Train
• Communicate control framework to key management, external auditors, and BOD
• Provide training and awareness of the new framework to stakeholders
Implementation Considerations
• All 5 components and all 17 principles must be present, functioning and operating together in an integrated manner
• Principles are present and functioning if any deficiencies are less than “major” (the same threshold as a material weakness under traditional SOX control deficiency methods)
• If implementing the framework for SOX compliance only, consider building the foundation for applying it to other company objectives
• Take this opportunity to take a fresh look at all controls
• Consider controls for vendors and external business partners
Implementation Evidence:
• Mapping of 17 principles to key controls
• Memo documenting implementation approach and process (who was involved, timeline, etc.)
Lessons Learned From Early Adopters
• This is not a complete overhaul of your system of internal controls – no major projects, consultants, or mountains of documents
• A top-down, risk-based approach is recommended – COSO did not intend this to be a checklist exercise
• Utilize currently available COSO guidance, manuals and tools
• Engage external and internal auditors early and often
• Engage internal/external stakeholders from the beginning
• Approaches, complexity and level of effort vary by organization
• Controls and processes likely exist, but just aren’t documented
• If it’s not documented, it doesn’t count! Present and functioning (tested)