COSO 2013 Perspectives Conference 11-26

COSO 2013
Perspectives Conference
November 26, 2013
Agenda
• Framework background
• Reasons for change
• Timeline
• Changes to the framework and its components
• Accompanying Guidance and Illustrative Tools
• Stakeholder perspectives
• Considerations for transition
• Understanding Current ICFR Matters
© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member
firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 174426
1
Background summary
On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated Internal Control – Integrated Framework (Framework) and related illustrative documents. The original Framework, issued in 1992, has been one of the most widely accepted frameworks for designing and evaluating systems of internal control. It is used by most U.S. public companies and many others to evaluate and report on the effectiveness of their internal control over external financial reporting.
The new Framework is available at www.ic.coso.org
Project timeline
• 2010: Assess & Survey Stakeholders
• 2011: Design & Build
• 2012: Public Exposure & Assess
• May 14, 2013: Finalize
• June 2013 – November 2014: Transition Period
• December 2014: Effective Date
Internal control – Integrated framework
[Figure: Original COSO Cube. Components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring. Entity dimension: Unit A, Unit B, Activity 1, Activity 2.]
Fundamental concepts
• Geared to achievement of objectives – operations, reporting, and compliance
• A process – ongoing tasks and activities
• Effected by people – actions taken at every level of the organization
• Able to provide reasonable assurance – but not absolute assurance
• Adaptable to entity structure – flexible in application
• Five components of internal control – requirements to achieve effective internal control:
– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring Activities
Driving the change
Since the inception of the original Framework:
1. Business has changed dramatically –
– Increasingly global
– More complex
– Driven by technology
2. Investors are more engaged –
– Seeking greater transparency
– Demand greater accountability for the integrity of internal control systems that support organizations’ operations, governance and external communications
3. Regulatory regimes have expanded –
– Additional forms of external reporting are emerging
The COSO Board decided to update the original Framework to make it more relevant to investors and other stakeholders.
What is not changing
1. Retains the core definition of internal control
– Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance
2. Retains the five components of internal control
3. Retains the requirement of five components for an effective system of internal control
4. Retains management’s important role of judgment in designing, implementing and conducting internal control, and in assessing effectiveness of internal control
Updated COSO cube
The update considers changes in business, operating, and regulatory environments.
Changes in the environments…
• Expectations for governance oversight
• Globalization of markets and operations
• Changes in business models
• Demands and complexity in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud
…drive updates to the Framework.
[Figure: Updated COSO Cube. Components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities. Entity dimension: Entity, Division, Operating Unit, Function.]
Changes across all areas of the original framework
The more significant changes to the original Framework include:
• Clarifying the Role of Objective Setting in Internal Control. The original Framework identified objective setting as a management process, and indicated that having objectives was a pre-condition to internal control. The new Framework emphasizes that point and states that objective-setting is not a part of internal control.
• Reflection of the Increased Relevance of Technology. Technology has evolved substantially since 1992 from large stand-alone mainframe computers that process batches of transactions to highly sophisticated, decentralized, and mobile applications involving multiple real-time activities that can operate across many systems. Technology can affect how all components of internal control are implemented.
• Enhancing Governance Concepts. The new Framework includes more content on governance related to the board of directors and its committees including audit, compensation, nomination, and governance.
• Expanding the Objectives of the Financial Reporting Category. This category would expand to consider external reporting beyond financial reporting, and expand internal reporting for both financial and non-financial information.
Changes across all areas of the original framework (continued)
The more significant changes to the original Framework include (continued):
• Enhancing Consideration of Anti-fraud Expectations. The Framework contains more discussion on fraud. It also includes as a principle that management considers the potential for fraud when assessing risks to achieve its objectives.
• Considering Different Business Models and Organizational Structures. Business models and structures have evolved. An increasing number of companies are using third parties to provide products or services necessary to their operations. Competition, globalization, dynamic industry and technological changes, new business models, competition for talent, cost management, and other factors have required management to look beyond internal operations to obtain necessary services.
Changes across all areas of the original framework (continued)
The more significant changes to the original Framework include (continued):
• Applying a Principles-Based Approach. The Framework focuses greater attention on principles by explicitly identifying 17 that are implicit in the original Framework. The 17 broad principles represent the fundamental concepts associated with the components of internal control, and apply to all organizations. Attributes that represent characteristics associated with the principles are included.
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Applying the framework – key concepts
Each of the five components and relevant principles is present and functioning.
• “Present” refers to the determination that the components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.
• “Functioning” refers to the determination that the components and relevant principles continue to exist in the operations and conduct of the system of internal control to achieve specified objectives.
The five components operate together in an integrated manner.
• “Operating together” refers to the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective. Components should not be considered discretely; instead, they operate together as an integrated system.
Key changes to internal components
The new Framework changes the internal control components as follows:
Control Environment
• Expanded guidance on:
– What creates and encompasses the control environment
– Accountability for internal control
– Integrity as a prerequisite to internal control and ethical behavior
– Governance concepts, including oversight by the board of directors, independence considerations, and relevant skills and expertise
– Evaluating adherence to standards of conduct
– Cultural differences and their potential impacts on the control environment
– Planning and preparation for succession
Key changes to internal components (continued)
The new Framework changes the internal control components as follows:
Risk Assessment
• Specifically defines “risk”
• Includes the concepts of inherent risk and assessing fraud risk
• Clarifies that the risk assessment process includes risk identification, risk analysis, and risk response
• Expands the discussion regarding risk tolerance and how risk may be managed, including through accepting, avoiding, and sharing risks
• Discusses consideration of the rate of change (including with respect to the entity’s business, operations, and technology) in the determination of the frequency of a company’s risk assessment process
• Separates the “financial reporting” objective into four categories:
1. External financial reporting,
2. External non-financial reporting,
3. Internal financial reporting, and
4. Internal non-financial reporting.
• Adds discussion regarding possible corruption occurring within the entity
Key changes to internal components (continued)
The new Framework changes the internal control components as follows:
Control Activities
• Modified description of control activities as business process control activities and transaction control activities
• Expanded discussion regarding:
– Relationship of control activities and risk assessment
– Control activities at different levels of an organization
– Preventative controls versus detective controls
– Technology and related concepts, including technology infrastructure, security, acquisition and development, and the relationship between automated control activities and general controls over technology
Key changes to internal components (continued)
The new Framework changes the internal control components as follows:
Information & Communication
• Additional guidance regarding:
– How information and communication support the functioning of the other components of internal control
– Communication between the organization and external parties
– Importance of direct communication between personnel and the board of directors
– Reevaluating information needs
– Considering security and restricted access to information as well as the costs and benefits of obtaining and managing information
• Expanded discussion on obtaining and identifying relevant information, evaluating the quality of information, verifying sources of information, and retaining information
Key changes to internal components (continued)
The new Framework changes the internal control components as follows:
Monitoring Activities
• Evaluating the achievement of all the principles in the ED (Exposure Draft) as part of the assessment of internal control
• Discussion regarding the distinction between control activities and monitoring activities
• Inclusion of the concepts of:
– Using a baseline of understanding of internal control (in establishing plans for ongoing and separate evaluations)
– Using IT in the context of monitoring
– Using monitoring to identify gaps, anomalies, root causes, and opportunities for improvement
• Additional considerations regarding monitoring at different levels of an organization and monitoring of third-party service providers
Accompanying Guidance to the Framework
• Issuance of the revised Framework also includes the following Tools:
– Illustrative Tools for Assessing Effectiveness of a System of Internal Control
– Internal Control over Financial Reporting: A Compendium of Approaches and Examples
Illustrative tools for assessing effectiveness of a system of internal control
• Tools include a collection of templates and scenarios that can assist users when assessing the effectiveness of a system of internal control based on the requirements set forth in the updated Framework.
• Templates help management present a summary of assessment results and its determination of whether components and principles are present and functioning.
• Scenarios illustrate how templates can be used to support an assessment of effectiveness of a system of internal control, including:
– Is a component and relevant principles present and functioning?
– Are the five components present, functioning and operating together in an integrated manner?
Illustrative tools do not replace or modify the updated Framework.
Internal control over financial reporting: A compendium of approaches and examples
Overview of ICOFR Compendium
• Types of external financial reports – financial statements for external purposes and other external financial reporting derived from an entity’s financial and accounting books and records
• Suitable objectives – financial reporting rules and standards form the basis upon which management specifies suitable objectives for the entity and subunits
• Judgment – proper application of suitable objectives to the entity’s transactions mitigates risk of material misstatement
• Overlapping objectives – operations, compliance and non-financial reporting objectives may overlap or support the external financial reporting objective
• Deficiencies in internal control – material weakness and significant deficiency reflect definitions established by regulators for internal control over financial reporting
• Smaller entities – principles are suitable and presumed relevant for all entities, and smaller entities may apply these principles using different approaches
Stakeholder perspectives
Stakeholder: First Line of Defense – Senior Management
Actions for Consideration:
• Develop your plan to transition from the 1992 to the 2013 Framework. Your transition plan should consider:
– Education on and evaluation of the 2013 Framework and its changes
– Mapping of the existing system of internal control to the 2013 Framework
– Assessment of the efficiency and effectiveness of the existing system of internal control
– Implementation of new or upgraded controls, if needed
– Interaction with the Audit Committee, Board, and external auditors
– Evaluation of impacts on reporting (e.g., sustainability reporting and changes in internal control under Regulation S-K, Item 308(c))
Questions to Consider:
• Has my documented system of internal control kept pace with significant changes in my business organization, operations, technology and governance needs?
• Does my control structure create the flexibility needed to manage increased globalization, an increasingly complex regulatory environment and rapidly changing technology and its impacts on my stakeholders?
• Do my risk assessment and monitoring controls function as an “early warning system” that acts in unison with the other COSO objectives?
Stakeholder perspectives (continued)
Stakeholder: First Line of Defense – Line Management
Actions for Consideration:
• Map the 17 principles and/or points of focus to your existing controls or controls the organization is contemplating in an organizational transformation within each component to demonstrate where the relevant principles are present and functioning in support of the objectives.
• Identify and discuss control design gaps with senior management and develop plans to remediate any such gaps.
Questions to Consider:
• Does my control structure reflect a cohesive approach to controls for my organizational unit or function?
• Does my control structure address the revised language of the reporting objective to cover internal and external financial and non-financial reporting?
• Have I designed my risk assessment and monitoring controls in a way that is precise enough to manage the specific risks within my organizational unit or function?
Stakeholder perspectives (continued)
Stakeholder: Second Line of Defense – Risk, Compliance and Other Policy Setting Groups
Actions for Consideration:
• Perform an assessment of the impact of the 2013 Framework on your organization’s policies, guidance, training and related tools.
• Work with senior and line management to communicate the impact of the 2013 Framework on the organization to Internal Audit and the Board/Audit Committee.
Questions to Consider:
• Has the organization defined and provided guidance on risk tolerance, risk velocity and persistence in a way that is readily understood within the organization?
• Has the organization taken full advantage of the use of monitoring controls, including data analytics, within its control structure to better monitor the effectiveness of process-level controls and identify process-level changes?
• Can we use the 2013 Framework to better integrate our compliance needs to lower costs and create a more transparent compliance process?
Stakeholder perspectives (continued)
Stakeholder: Third Line of Defense – Internal Audit
Actions for Consideration:
• Discuss with the audit committee the impact of the 2013 Framework on Internal Audit’s operations and plans.
• Proactively work with first and second lines of defense to create and manage the transition process to the 2013 Framework.
Questions to Consider:
• Have we identified the potential impacts of the 2013 Framework on our audit methodology?
• Is there a focus on evaluating the clarity of business objectives such that significant risks to those objectives can be identified and assessed?
• Do the organization’s and internal audit’s risk assessments incorporate risk tolerance, velocity and persistence?
• Does our methodology actively assess whether controls are adapting to changing risk profiles or changing objectives?
Stakeholder perspectives (continued)
Stakeholder: Boards of Directors and Audit Committees
Actions for Consideration:
• Understand how management is addressing the 2013 Framework and the timing and implications of migrating from the 1992 Framework to the 2013 Framework.
• Engage in discussions with your external audit firm to review the organization’s 2013 Framework transition plan and understand implications on the execution of the 2013 and 2014 audits.
Questions to Consider:
• Has management’s plan fully addressed all aspects of the changes to the 2013 Framework?
• Does management’s transition plan appropriately account for the people, process and technology resources that will be needed for the transition?
• What changes does the external audit firm expect as a result of the 2013 Framework for your organization?
Considerations for transition
Proposed thoughts for new framework transition
• Understanding and Awareness – key personnel within the organization understand the new framework, fundamentals not changing and key framework changes
• Preliminary Assessment – perform an initial mapping of the company’s system of internal control over a key area (such as financial reporting) to the framework as a pilot for benchmarking
• Broad Assessment – depending on the organization, complete the assessment on the broader internal control environment, educating and training personnel through the process
• Transition Plan – develop a transition plan and core team of management to execute
– Document and Evaluate
– Validation Testing and Gap Remediation
– External Review Testing
• Continuous Improvement – continuously evolve the system of internal control, embedding responsibility into the company’s culture, business processes and procedures
Understanding Current ICOFR Matters
ICFR Executive Summary
• ICFR is important and has recently been the subject of regulatory scrutiny
• The SEC’s expectations of management and the PCAOB’s expectations of auditors with respect to ICOFR are similar
• ICOFR will continue to be scrutinized until management and auditors make measurable improvements
– Measurable improvements begin by making sure that management and auditors have an appropriate understanding of the flow of information from initiation to recording and reporting, the related risks to financial reporting, and the controls that mitigate those risks.
• ICOFR “Hot Topics” include:
– Management Review Controls
– Controls over the Completeness and Accuracy of Information
– IT Application and IT General Controls
– Use of Third Parties
– Identifying and Evaluating Control Deficiencies
Questions