COSO Framework Update
IIA Columbus Chapter
May 17, 2013
Rick Machold, CPA, CRMA
Chief Audit Executive
© 2012 Total System Services, Inc.® All rights reserved worldwide.
Contents
COSO Framework Update
COSO History
COSO Change Drivers
COSO 2013 Framework
COSO “Overarching Truths”
Best Next Actions
2
© 2013 Total System Services, Inc.® All rights reserved worldwide.
Breaking Story - May 14, 2013
3
© 2013 Total System Services, Inc.® All rights reserved worldwide.
COSO History
4
© 2012 Total System Services, Inc.® All rights reserved worldwide.
COSO History
The National Commission on Fraudulent Financial Reporting was formed in
1985 with James C. Treadway, Jr., former SEC Commissioner and GC,
Paine Webber as its Chairman. The “Treadway Commission” was thus
formed as a private sector initiative to inspect, analyze and make
recommendations on fraudulent corporate financial reporting.
5
© 2013 Total System Services, Inc.® All rights reserved worldwide.
The Overarching Recommendation
“All public companies should maintain internal controls that provide
reasonable assurance that fraudulent financial reporting will be
prevented or subject to early detection – this is a broader concept
than internal accounting controls…The Commission also
recommends that its sponsoring organizations cooperate on
developing additional, integrated guidance on internal controls…”
-- Treadway Commission Report
6
© 2013 Total System Services, Inc.® All rights reserved worldwide.
The Sponsoring Organizations
7
© 2013 Total System Services, Inc.® All rights reserved worldwide.
The COSO Story Continued…
“Management is required to base its
assessment of the effectiveness of the
company's internal control over financial
reporting on a suitable, recognized control
framework established by a body of experts
that followed due-process procedures,
including the broad distribution of the
framework for public comment.” (Sec 404(b))
8
© 2013 Total System Services, Inc.® All rights reserved worldwide.
COSO Change Drivers
9
© 2012 Total System Services, Inc.® All rights reserved worldwide.
COSO Change Drivers
Much has happened since 1992. Several changes in the business
environment have driven the compelling need for an Update:
Environment changes
…have driven Framework updates
Expectations for governance oversight
Globalization of markets and operations
Changes and greater complexity in business
models
Demands and complexities in laws, rules,
regulations, and standards
Expectations for competencies and
accountabilities
Use of, and reliance on, evolving technologies
Expectations relating to preventing and
detecting fraud
10
© 2013 Total System Services, Inc.® All rights reserved worldwide.
COSO Cube (2013 Edition)
COSO 2013 Framework
11
© 2012 Total System Services, Inc.® All rights reserved worldwide.
COSO Project Deliverable #1
•
Consists of three volumes:
– Executive Summary
– Framework and Appendices
– Illustrative Tools for Assessing
Effectiveness of a System of
Internal Control
•
Sets out:
– Definition of internal control
– Categories of objectives
– Components and principles of
internal control
– Requirements for effectiveness
COSO Project Deliverable #2
•
Illustrates approaches and
examples of how principles are
applied in preparing financial
statements
•
Considers changes in business
and operating environments during
past two decades
•
Provides examples from a variety
of entities – public, private, not-forprofit, and government
•
Aligns with the updated Framework
Summary of Changes
The Update increases ease of use and broadens application
What is not changing...
What is changing...
• Core definition of internal control
• 17 Principles codified
• Three categories of objectives
and five components of internal
control
• Role of objective setting clarified
• Each of the five components of
internal control are required for
effective internal control
• Important role of judgment in
designing, implementing and
conducting internal control, and
in assessing its effectiveness
• Reflects increased role and
relevance of technology
• Incorporates enhanced
discussion of governance
• Expands “Reporting” objective
• Enhances consideration of antifraud expectations
• Increases focus on non-financial
reporting objectives
5 Components, 17 Principles, 73 Points of Focus
TSYS Audit Application: COSO Evaluation
What’s your COSO Elevator Speech?
Example Only
“The control environment provides an atmosphere in which people conduct their
activities and carry out their control responsibilities. It serves as the foundation for the
other components. Within this environment, management assesses risks to the
achievement of specified operational, compliance and reporting objectives. Control
activities are implemented to help ensure that management directives to address the
risks are carried out. Meanwhile, relevant risk and control information is captured and
communicated throughout the organization. The entire internal control process is
then monitored on a periodic and ongoing basis and modified as conditions warrant.”
COSO “Overarching Truths”
18
© 2012 Total System Services, Inc.® All rights reserved worldwide.
COSO “Overarching Truths”
– COSO is not a “standard” (but “thought leadership and guidance”)
– Internal control is everyone’s job
– Control is ideally an enabler, not an inhibitor
– Effective internal control is built-in, not added-on
– Establishment of business objectives* is a precondition to effective
internal control
* Business objectives are different from control objectives.
Business objective – what the business/process seeks to accomplish (performance outcomes: profitability,
growth, efficiency, effectiveness,)
Control objective – what the control activity seeks to accomplish (control outcomes: accuracy, completeness,
logical security, business continuity, etc)
Best Next Actions
20
© 2012 Total System Services, Inc.® All rights reserved worldwide.
Best Next Actions
• Read COSO’s updated Framework and illustrative documents
• Educate the audit committee, C-suite, operating unit and functional
management
• Establish a process for identifying, assessing, and implementing
necessary changes in controls and related documentation
• Develop and implement a transition plan timely to meet key
objectives – e.g., apply updated Framework by December 31, 2014
for external reporting