COSO changes coming in 2014 An overview of COSO’s 2013 update to the

Presentation transcript:

COSO changes coming in 2014 An overview of COSO’s 2013 update to the Internal Control – Integrated Framework January 7, 2014

Agenda
- Overview of updated 2013 COSO Internal Controls – Integrated Framework
- Principles & Points of Focus supporting the Five Components
- Transitioning to the 2013 Framework
- Other Considerations

Overview of COSO IC-IF
- Internal Control - Integrated Framework (ICIF)
- Originally released in 1992
- Updated in May 2013, including three companion documents
- Authored by PwC under direction of COSO Board
- Committee Of Sponsoring Organizations of the Treadway Commission

COSO 2013 update
- Updated Internal Control – Integrated Framework issued on May 14, 2013
- Companion documents include:
  - Internal Control – Integrated Framework Executive Summary
  - Illustrative Tools for Assessing Effectiveness of a System of Internal Controls
  - Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
- Transition Date: December 15, 2014

2013 update: What’s new?
- Expands operations and reporting objectives
- Codification of 17 principles supporting the five components
- Points of Focus to help identify and evaluate 17 principles
- Addresses increased relevance and dependence on IT
- Increased guidance on fraud risk assessment and responses
- Updated for changes in business and operating environments

2013 update: What’s the same?
- Core definition of internal controls
- Objectives: Operations, Reporting & Compliance
- Five components of internal controls:
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information & Communication
  - Monitoring
- Role judgment plays in design, implementation, operation and assessment of internal controls

17 Codified Principles

Internal Control Objectives
- Operations: “relate to the achievement of an entity’s basic mission and vision operational . . . financial performance, productivity . . . and includes safeguarding of assets against loss” (‘92 framework “effectiveness and efficiency of the entity's operations, including performance and profitability goals and safeguarding resources against loss”)
- Reporting: “pertains to the preparation of reports for use by organizations and stakeholders and may relate to financial and non-financial reporting . . . External reporting objectives are driven primarily by regulations and/or standards established by regulators and standard-setting bodies . . .” (‘92 framework was known as Financial Reporting objective “preparation of reliable published financial statements, including prevention of fraudulent public financial reporting”)
- Compliance: “conduct activities, and often take specific actions, in accordance with applicable laws and regulations . . . understanding which laws, rules and regulations apply across the entity” (‘92 framework “pertains to adherence to laws and regulations to which the entity is subject”)

Principles & Points of Focus: Control Environment
“The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. . . The control environment comprises the integrity and ethical values of the organization . . . enabling the board of directors to carry out its oversight responsibilities . . . structure and assignment of authority and responsibility . . . attracting, developing, and retaining competent individuals . . . rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.”
1. Organization demonstrates a commitment to integrity and ethical values
  - Tone at the Top
  - Establishes Standards of Conduct
  - Evaluates adherence to Standards of Conduct
  - Addresses deviations in a timely manner.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
  - Establishes oversight responsibilities
  - Applies relevant expertise
  - Operates independently
  - Provides oversight for the system of internal control

Principles & Points of Focus: Control Environment Continued
3. Management establishes, with Board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
  - Considers all structures of the entity
  - Establishes reporting lines
  - Defines, assigns and limits authorities and responsibilities
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
  - Establishes policies and practices
  - Evaluates competence and addresses shortcomings
  - Attracts, develops and retains individuals
  - Plans and prepares for succession
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
  - Enforces accountability through structures, authorities, and responsibilities
  - Establishes performance measures, incentives and rewards
  - Evaluates performance measures

Principles & Points of Focus: Risk Assessment
“Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.”
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
Operations Objective:
  - Reflects Management’s Choices
  - Considers Tolerances for Risk
  - Includes Operations and Financial Performance Goals
  - Forms a Basis for Committing of Resources
Note: For Principle 6 related to Risk Assessment, there are different Points of Focus for each of five specific objectives:
  - Operations Objectives
  - External Financial Reporting Objectives
  - External Non-Financial Reporting Objectives
  - Internal Reporting Objectives
  - Compliance Objectives

Principles & Points of Focus: Risk Assessment
“Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.”
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
External Financial Reporting Objective:
  - Complies with applicable accounting standards
  - Considers Materiality
  - Reflects entity activities
Note: For Principle 6 related to Risk Assessment, there are different Points of Focus for each of five specific objectives:
  - Operations Objectives
  - External Financial Reporting Objectives
  - External Non-Financial Reporting Objectives
  - Internal Reporting Objectives
  - Compliance Objectives

Principles & Points of Focus: Risk Assessment Continued
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
  - Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
  - Analyzes Internal and External Factors
  - Involves Appropriate Levels of Management
  - Estimates Significance of Risks Identified
  - Determines How to Respond to Risks
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives
  - Considers Various Types of Fraud
  - Assesses Incentive and Pressures
  - Assesses Opportunities
  - Assesses Attitudes and Rationalizations
9. The organization identifies and assesses changes that could significantly impact the system of internal control
  - Assesses Changes in the External Environment
  - Assesses Changes in the Business Model
  - Assesses Changes in Leadership

Principles & Points of Focus: Control Activities
“Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may . . . encompass a range . . . of activities . . . Where segregation of duties is not practical, management selects and develops alternative control activities.”
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
  - Integrates with Risk Assessment
  - Considers Entity-Specific Factors
  - Determines Relevant Business Processes
  - Evaluates a Mix of Control Activity Types
  - Considers at What Level Activities Are Applied
  - Addresses Segregation of Duties

Principles & Points of Focus: Control Activities Continued
11. The organization selects and develops general control activities over technology to support the achievement of objectives
  - Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
  - Establishes Relevant Technology Infrastructure Control Activities
  - Establishes Relevant Security Management Process Control Activities
  - Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action
  - Establishes Policies and Procedures to Support Deployment of Management’s Directives
  - Establishes Responsibility and Accountability for Executing Policies and Procedures
  - Performs in a Timely Manner
  - Takes Corrective Action
  - Performs Using Competent Personnel
  - Reassesses Policies and Procedures

Principles & Points of Focus: Information & Communication
“Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.”
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
  - Identifies Information Requirements
  - Captures Internal and External Sources of Data
  - Processes Relevant Data into Information
  - Maintains Quality throughout Processing
  - Considers Costs and Benefits

Principles & Points of Focus: Information & Communication Continued
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
  - Communicates Internal Control Information
  - Communicates with the Board of Directors
  - Provides Separate Communication Lines
  - Selects Relevant Method of Communication
15. The organization communicates with external parties regarding matters affecting the functioning of internal control
  - Communicates to External Parties
  - Enables Inbound Communication

Principles & Points of Focus: Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
  - Considers a Mix of Ongoing and Separate Evaluations
  - Considers Rate of Change
  - Establishes Baseline Understanding
  - Uses Knowledgeable Personnel
  - Integrates with Business Processes
  - Adjusts Scope and Frequency
  - Objectively Evaluates
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
  - Assesses Results
  - Communicates Deficiencies
  - Monitors Corrective Actions

Transition to 2013 Framework
- Transition to the 2013 Framework, 1992 Framework to be superseded on December 15, 2014
- COSO issued transition document “The 2013 Framework & SOX Compliance – One Approach to An Effective Transition” by Stephen McNally, CPA
- SEC implications in transitioning to the 2013 Framework
- Developing a transition plan, documentation & other considerations

COSO Guidance on Transition
The 2013 COSO Framework & SOX Compliance – One Approach to An Effective Transition
By Stephen McNally, CPA
- Develop Awareness, Expertise and Alignment
  - Timeless concepts, Expanded reporting, Codified principles
- Conduct Preliminary Impact Assessment
  - Evaluate existing system, leverage existing documentation, identify gaps
- Facilitate Broad Awareness
  - Engage broader organization, educate & build awareness, leverage key stakeholders
- Develop & Execute Transition Plan for SOX Compliance
  - Documentation & evaluation, testing, gap remediation, external review & testing
- Drive Continuous Improvement
  - Tone at the top, culture & processes, improve reporting & communication

SEC Reporting Implications
I understand that COSO intends to supersede their 1992 Framework . . . we expect there will be questions about whether the SEC will provide management with any transition or implementation. . . SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. . . I’ll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition.
Paul Beswick, Chief Accountant, SEC
- SEC definition of internal control over financial reporting has NOT changed.
- Material weakness (SEC/PCAOB) vs major deficiency (COSO)
- Disclosures: framework used for assessment and plan for transition

SEC Reporting implications continued
Regulation 13a-15(f) defines internal controls over financial reporting as: “A process . . . To provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external reporting purposes in accordance with GAAP . . .”
Policies and procedures must:
- Maintain records in reasonable detail that accurately and fairly reflect the transactions and dispositions of the assets of the issuer
- Ensure receipts and expenditures of the issuer are made only in accordance with authorizations of management and directors, and
- Provide reasonable assurance regarding prevention or timely detection of the unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.

Transition plan
- High level assessment and implications of adopting 2013 Framework ASAP
- Determine the impact at the Entity, Division, Operating and Functional levels across the organization
- Identify key stakeholders and decision makers associated with the organization Internal Controls (specifically over Financial Reporting)
- Leverage existing processes, procedures and documentation
- Develop a transition plan:
  - Responsibilities and expectations
  - Timeline
  - Reporting and communication
  - Opportunities and benefits

Documentation
Documentation of the organization's system of internal controls
- Provides evidentiary support regarding design and operating effectiveness
- Allows for ongoing monitoring and communication
- Basis for management's assessment
- Support for third parties (Shareholders, Regulators, External Auditors)
- Responsibility and accountability
- Training and consistency

Other Considerations
- Organizational objectives related to risk, operations, controls, and reporting
- Use of third-party service providers and SaaS
- Size and scope of entity, subsidiaries, foreign operations
- Judgment regarding internal controls, specifically over External Financial reporting
- Costs and benefits of internal controls
- Limitations of internal controls

Companion documents
- Executive Summary
- Illustrative Tools for Assessing Effectiveness of a System of Internal Controls
  - Templates & scenarios
  - Do not modify existing framework
- Internal Controls over External Financial Reporting: A Compendium of Approaches and Examples
  - Examples of how principles apply to External Financial Reporting
  - Illustrate design and implementation for any size entity
  - Demonstrate how Points of Focus support principles

References & Links

COSO references & links
- The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition
  http://www.coso.org/documents/COSO%20McNallyTransition%20Article-Final%20COSO%20Version%20Proof_5-31-13.pdf
- Executive Summary, 2013 Internal Control – Integrated Framework
  http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf
- The complete updated 2013 IC-IF compendium is available through the AICPA, Ebook member price $216
  http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/InternalControls/COSO/PRDOVR~PC-990027/PC-990027.jsp

SEC references & links
- Remarks at the 32nd Annual SEC and Financial Reporting Institute Conference, Paul Beswick, Chief Accountant, U.S. Securities and Exchange Commission
  http://www.sec.gov/News/Speech/Detail/Speech/1365171575494

Jeff Lliteras, CPA
Consulting Services Manager
Eide Bailly LLP
877 W. Main Street, Suite 800
Boise, ID 83702
208.424.3528
jlliteras@eidebailly