Chicagoland IASA Spring Conference
CNA Insurance: 2013 COSO Framework
April 17, 2014

Speaker background
- Project lead for CNA’s COSO 2013 adoption
- While at CNA, I have worked within their Internal Audit Group, Technical Advisory Group, and currently within their Accounting Controls and Support Group.
- Worked for KPMG within the Insurance Practice, auditing primarily P&C clients

Audience questions
- How many of you currently utilize the COSO Framework as your internal control framework?
- How many of you are aware of the 2013 updated Framework?
- Are any of you involved in implementing the new Framework?
Today’s Goals
The goals of today’s presentation are to help you better understand:
- The updates to the COSO Framework, including the 17 principles required to be present and functioning within the 5 components of internal control
- Key steps for transitioning to the new Framework
- Lessons learned from CNA’s adoption efforts
Agenda
- COSO Framework: Overview & Background; 2013 Update
- CNA’s Approach: Project Plan; Initial Gap Analysis; Lessons Learned
- Questions / Discussion
COSO Overview & Background
What is COSO?
- Committee of Sponsoring Organizations (COSO) of the Treadway Commission
- Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (aka the Treadway Commission)
- Joint initiative of five private sector organizations: American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Management Accountants (IMA), The Institute of Internal Auditors (IIA)
- COSO established its Framework over Internal Control (IC) in 1992
Source: COSO

Speaker notes:
- Bullet #2: COSO is a think tank that brings together industry professionals, accounting professionals, and academics to address internal control.
- Bullet #3: Since its release the COSO Framework has been used throughout the world and is recognized as a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control.
1992 Framework
5 Components of Internal Control:
- Control Environment: tone at the top; integrity and ethical values of the organization.
- Risk Assessment: identifying and analyzing risks within the organization.
- Control Activities: policies and procedures to mitigate risk.
- Information & Communication: information required to carry out IC activities.
- Monitoring Activities: ongoing evaluation to assess IC.

The Framework defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Speaker notes: point out the 5 components of IC and the 3 types of objectives:
- Operations: effectiveness and efficiency of operations
- Reporting: internal and external financial and non-financial reporting (reliability, timeliness, transparency and regulatory standards)
- Compliance: adherence to laws and regulations to which the entity is subject
Structure of IC and application level. Walk through the 5 components:
- Control Environment = entity level controls / culture
- Risk Assessment = ERM or other risk assessment process that assesses risk enterprise-wide and at the appropriate level
- Control Activities = actual control activities; for ICFR these are your SOX / MAR controls
- Information and Communication = internal and external, to facilitate IC
- Monitoring Activities
[Figure: COSO Cube] Source: COSO
ICFR Attestation
The 1992 Framework is widely used today to comply with Section 404 of the Sarbanes-Oxley Act of 2002 in the certification of internal control over financial reporting. The control framework used by a public company is disclosed within Management’s Report on Internal Control over Financial Reporting in the SEC filing, and is likewise disclosed in the report insurers file under the Model Audit Rule (MAR).
2013 Update to Framework
What is changing
The 5 components of IC have not changed. However, they have been enhanced to refresh and articulate key risk and operating environment changes over the past 20 years:
- Advancements in, and increased dependence on, technology
- Globalization of entities
- Enhancements in corporate governance
- Increased use of outsourcing
- Increased reporting requirements (in 1992 we were at FAS 109; the Codification started after FAS 168)
- Dealing with multiple bases of accounting (US GAAP, UK GAAP, IFRS, STAT)
Source: COSO
1992 vs. 2013 Framework
[Figure: 1992 Framework and 2013 Framework, side by side]
To reflect the changes in the environment, the update introduces principles which articulate and expand upon the components.
Objectives:
- 1992: applied primarily with a financial reporting focus
- 2013: reporting (financial and non-financial), operations and compliance
Seventeen Principles
[Figure: the 17 principles by component (source: COSO)]
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

All principles may not be relevant to all entities; however, for most entities, especially sophisticated entities, the principles are presumed to be relevant. A strong case would have to be presented to substantiate a principle not being present.
Any questions on the principles?
Effective Systems of Internal Control
For effective internal control:
- Each of the 5 components and 17 principles must be present and functioning.
- Present is defined as “the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.”
- Functioning is defined as “the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.”
- The five components must operate together in an integrated manner to reduce risk to an acceptable level.

Speaker notes:
- Present = designed effectively; Functioning = operating effectively.
- For internal control over financial reporting, this is satisfied via SOX / MAR.
- For operating- and compliance-only controls, this would be covered by a separate attestation process.
- In the case of a deficiency, an assessment of the impact on the principle, the component, and the framework as a whole would have to occur.
- Major deficiency = the component’s risk cannot be mitigated to an acceptable level.
Control Breakout
[Chart: components and principles mapped against assertions; focus: internal governance]
As you progress down the chart, the components’ coverage of assertions goes from indirect (think of an entity level control) to direct in nature (specific controls with mapped assertions). Entity level controls are more qualitative in nature. Control Environment and Risk Assessment cover 9 of the 17 principles, while Control Activities covers only 3 principles.
One of the biggest shifts from the 1992 Framework to the 2013 Framework will be the documentation of the entity level and higher level controls to support the related principles.
Speaker note: walk through the process of identifying appropriate/sufficient documentation for board and executive level governance.
Points of Focus
For each principle COSO has identified points of focus to assist management in designing, implementing, and maintaining internal control. The points of focus may (or may not) be relevant, and there is no requirement to perform a separate evaluation of each. The presumption is that for a sophisticated organization most would be relevant.
Principle 1: The organization demonstrates a commitment to integrity and ethical values. Points of focus:
- Sets the tone at the top
- Establishes standards of conduct
- Evaluates adherence to standards of conduct
- Addresses deviations in a timely manner
Speaker note (bullet #2): Our expectation would be that our auditors would inquire at the point of focus level, although not required.
COSO/AICPA Reference Materials
Project deliverable #1: Internal Control-Integrated Framework (2013 Edition)
Consists of three volumes:
- Executive Summary
- Framework and Appendices
- Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Sets out:
- Definition of internal control
- Categories of objectives
- Components and principles of internal control
- Requirements for effectiveness
Speaker note: mention the Executive Summary.
Source: COSO
COSO/AICPA Reference Materials (continued)
Project deliverable #2: Internal Control over External Financial Reporting: A Compendium....
- Illustrates approaches and examples of how principles are applied in preparing financial statements
- Considers changes in business and operating environments during the past two decades
- Provides examples from a variety of entities: public, private, not-for-profit, and government
- Aligns with the updated Framework
Source: COSO
Transition
- Transition period ending December 15, 2014, after which time COSO will consider the 1992 Framework to be superseded.
- Any reporting between now and the end of the transition period should disclose which version of the Framework is being used.
- No regulatory requirement to transition; the SEC is determining what the impact would be if a registrant kept using the 1992 Framework in 2014.
- However, I am not advocating that you postpone implementing the update.
CNA’s Project Plan
- Step 1: Develop Awareness, Expertise, and Alignment
- Step 2: Conduct Preliminary Impact Assessment
- Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment
- Step 4: Develop and Execute COSO Transition Plan for SOX Compliance / Best Practice
- Step 5: Drive Continuous Improvement
Step 1: Develop Awareness, Expertise, and Alignment
- Gain senior leadership and board alignment and support
- Build awareness and expertise
- Educate management
- Map principles to existing controls
- Identify opportunities to expand applications of internal control
Speaker note: to establish management support, we established a steering committee headed by our corporate controller.
Step 2: Conduct Initial Analysis
- Evaluate the existing framework
- Leverage the original mapping of components to controls
- Identify key business owners
- Identify COSO updates which may impact your framework
- Identify gaps / opportunities for improvement
Speaker notes:
- Identify key business owners: think broadly about the framework and identify the key contributors to your company’s IC framework: HR, ERM, IA, Compliance, Financial Reporting.
- Identify gaps: identifying a gap under the 2013 Framework should make the company question why that gap is not already recognized in its current system of IC.
Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment
- Identify potential gaps and/or documentation enhancement opportunities
- Engage the business to enhance existing controls and/or add new controls to meet the update’s requirements
Step 4: Develop and Execute COSO Transition Plan for SOX Compliance
- Phase 1: Formalize Framework (documentation & evaluation)
- Phase 2: Validation: business acceptance and auditor acceptance
- Phase 3: Establish test plan for 2014
- Phase 4: Testing of 2014 Framework and external review
Step 5: Drive Continuous Improvement
- There is a difference between an adequate and a best-in-class system of internal control.
- Consider at what level your analysis sits.
- Similar to SOX, the IC over operating and compliance risk should be continually reassessed.
CNA’s Gap Analysis: Timeline
- Began discussions in January
- Engaged management and began initial mapping/gap analysis in February
- Engaged the business to review the analysis from March to now
- Looking to formalize the framework in June
CNA’s Gap Analysis
[Table: the first 5 columns are COSO; the last 3 are CNA’s mapping]
- Documentation enhancement opportunities with respect to fraud and the board and executive committees
- Partnering with ERM and IA to have a standardized control inventory and proper risk mapping and monitoring
Lessons Learned
- Limited gaps: refinement and enhancement of documentation
- Non-SOX participants: education on IC and the attestation process; need the business to be owners of the process
- No “requirement” for compliance and operational risks (best practice); the financial reporting requirement comes from SOX
- Insurance specific:
  - Linkage to ORSA (highlight the global view)
  - Used to satisfy MAR requirements
  - Used to document and monitor IC over external vendors and service providers
  - Provides a comprehensive listing of risks and controls
Questions?