COSO Framework 2013 & SOX Compliance
Roxanne L. Halverson, CISM, CGEIT
Atlanta ISACA Geek Week – August 19, 2013

What's Happened
• On May 14, 2013, a little more than 20 years after its original release, the Committee of Sponsoring Organizations of the Treadway Commission (a/k/a COSO) revised its widely used 1992 framework to update it for the realities of how business is carried out two decades later, especially with respect to how technology is used in business.
• To facilitate the transition, COSO set a specific transition date and determined that it will no longer make the earlier version available after December 15, 2014.

Call to Action
Each publicly traded company subject to SOX Section 404 compliance must gain senior management's alignment & support, assess the impact of the updated Framework on existing SOX compliance activities, and then complete a timely transition to the updated Framework no later than December 15, 2014.

Background
• Authored by PwC under the direction of COSO
• Widely adopted by organizations around the world
• COSO developed the related illustrative documents to provide tools that assist companies in implementing or evaluating their system of internal control & to offer specific approaches & examples of how the Framework applies to external financial reporting.
Drivers Behind COSO's Refresh Project
• Result of a significant multi-year project
– 2 rounds of public exposure
• Lessons learned from applying the original Framework
– It included lengthy discussions of internal control concepts that are not institutional knowledge
– Although the concepts behind the internal control principles were embedded in the original Framework, the principles themselves were "hidden" within the details
– Practitioners have used the Framework primarily for internal control over financial reporting, yet the Framework encompasses 3 major categories of objectives: operations, overall reporting, and compliance objectives
• Objective was to keep "COSO" relevant & streamline the original Framework
– Clarify the requirements of effective internal control
– Update the context for applying internal control to the many changes in business and operating environments
– Broaden its application by expanding the operations and reporting objectives
– Enhance usability

Newly Released COSO Documents
Internal Control – Integrated Framework: Executive Summary
Provides a high-level overview of the 2013 Framework & is intended for the CEO & other senior management, boards of directors and regulators.
Internal Control – Integrated Framework & Appendices
175 pages that define the Framework in detail. Defines internal control, its underlying principles & direction for all levels of management.
Internal Control – Integrated Framework: Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Provides templates and scenarios to support management in applying the Framework, specifically in terms of assessing effectiveness.
Internal Control over External Financial Reporting: A Compendium of Approaches & Examples
Provides practical approaches & examples illustrating how the components & principles in the Framework can be applied in preparing external financial statements. Intended to be used as a resource for researching specific principles rather than being read cover to cover.

Case for Transition
• The COSO Board emphasized that the key concepts and principles defined in the original Framework remain fundamentally sound for designing, implementing, & maintaining systems of internal control & assessing their effectiveness
• The next slides review the fundamentals retained

Fundamentals Retained
• Report's general organization structure & component chapter structure
• Formal definition of internal control
• "COSO Cube"
• 5 components that work together in an integrated manner
– Control Environment
– Risk Assessment
– Control Activities
– Information & Communication
– Monitoring Activities

Fundamentals Retained (continued)
• Emphasis that internal control is a process effected by people, that it can only provide reasonable vs. absolute assurance, and that it has inherent limitations
• Internal control is geared toward achieving specified objectives
• Internal control can be applied at the entity level or at any of an entity's units
• Concepts relating to cost-benefit analysis
– Management needs to use judgment, but cost alone is not an acceptable reason to avoid implementing internal controls
• Discussion of appropriate documentation
• Relationship between the management process & internal control
• Importance of management's judgment in designing, implementing, and conducting internal control, and in assessing its effectiveness

One Transition Approach
• Step 1: Develop Awareness, Expertise & Alignment
• Step 2: Conduct Preliminary Impact Assessment
• Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment
• Step 4: Develop and Execute COSO Transition Plan for SOX Compliance
• Step 5: Drive Continuous Improvement

Step 1 – Develop Awareness, Expertise & Alignment
• Provide awareness to senior management to gain their support
• Initial audience – COSO/SOX subject matter experts in your company
• Obtain & review the newly released publications (listed on the prior slide)
• In addition, go to the COSO website (www.coso.org), which includes press releases and a "Frequently Asked Questions" document

Step 1 – Other Resources
• Webinars
• Articles
• External auditor
• Networking & building connections with peers at similar companies can benefit you & your teams

COSO Timeless Concepts
"Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance."
• Still provides for 3 categories of objectives: Operations, Reporting, Compliance
• Still provides 5 integrated components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities
• The updated "COSO Cube" continues to allow a company to consider internal controls from an entity, division, operating unit or function (such as a shared service center/center of excellence)

Expanded Reporting Category
• Under the objective categories, the reporting category was expanded to include not only external financial reporting but also internal reporting and non-financial reporting objectives
• Explicitly permits use in these other reporting situations, even though they aren't directly relevant from a SOX perspective

The 17 Principles
• The most significant enhancement is the formulation of "17 Principles" of internal control, which serve as the criteria for determining whether an entity's internal control is "effective"
• The 1992 Framework conceptually introduced 17 relevant principles associated with the 5 components of internal control; these concepts are now explicitly articulated in the 17 principles
• They are essential in assessing that the 5 components are present & functioning
• The COSO Board believes each principle adds value & is suitable to all entities, so each principle is presumed relevant
• Document the rationalization if a principle isn't relevant

CONTROL ENVIRONMENT
1. Demonstrates commitment to integrity & ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority & responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
RISK ASSESSMENT
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
CONTROL ACTIVITIES
10. Selects & develops control activities
11. Selects & develops general controls over technology
12. Deploys through policies & procedures
INFORMATION & COMMUNICATION
13. Uses relevant information
14. Communicates internally
15. Communicates externally
MONITORING ACTIVITIES
16. Conducts ongoing and/or separate evaluations
17. Evaluates & communicates deficiencies

Requirements of Effective Internal Control
• For management to conclude that its system of internal control is effective, all 5 components of internal control and all relevant principles must be present & functioning
• "Present" means a given component or principle exists within the design & implementation of an entity's system of internal control
• "Functioning" means the component or principle continues to exist in the operation & conduct of the internal control system
• Effective internal control also requires that all 5 components operate together in an integrated manner
• Management can conclude that they do if each component is present and functioning and the aggregation of internal control deficiencies across the components doesn't result in one or more major deficiencies

Internal Control Deficiencies
• A major deficiency exists if an internal control deficiency, or a combination of deficiencies, severely reduces the likelihood of an entity achieving its objectives
• If management uses its professional judgment to determine that a control objective isn't being met because a relevant principle or associated component isn't present & functioning, or because the 5 components aren't operating together, the entity has a major deficiency
• While the 2013 Framework defines the terms "deficiency" & "major deficiency", management should use the relevant criteria established by standard-setting bodies, regulators and other relevant third parties when evaluating and reporting the severity of deficiencies

Points of Focus Provided by the 2013 Framework
• Provided to assist management in designing, implementing, and maintaining internal control & in assessing whether the 17 principles are present & functioning
• Represent important characteristics of the respective principles, as defined in the Framework or uniquely identified by management
• Enablers, not requirements, for having an effective system of internal control

Step 2: Conduct Preliminary Impact Assessment
• Once the 2013 Framework is understood, you need to assess how transitioning to it will impact your company's current SOX program
• The most significant factor may be how well management implemented the original one
• Map your existing system of internal control against the updated Framework
– This will help you determine the degree of work required to complete the transition
• Instead of mapping directly to the 5 components of internal control, first map to the 17 principles that underlie each of the 5 components
• Develop a list of gaps to remediate

Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment
• Steps 1 & 2 targeted the company's SOX compliance subject matter experts or core SOX compliance team
• Step 3 engages the broader organization to build awareness and to pressure-test the preliminary impact assessment conducted in Step 2
• Depending on the nature & complexity of your organization, SOX compliance efforts may occur centrally, or there may be multiple layers of assessment
– Example: each business unit or location may prepare its own local assessment

Step 3 continued
• Either way, you should facilitate broad awareness of COSO's updated Framework & the potential impact on your SOX compliance program
• Discuss the impact of COSO's 2013 Framework on your SOX efforts with your company's external auditors
– In some cases, providing stakeholders a brief update, via email or in person, will be sufficient
– In other cases, in-depth training & work sessions may be needed

Step 3 continued
• Leverage key stakeholders, such as process/control owners or business unit SOX leads, to pressure-test your preliminary impact assessment, especially in a more decentralized or highly complex environment
• Have those who are directly responsible for implementing your company's SOX controls critique the preliminary mapping from Step 2 to ensure the analysis is complete & accurate

Step 4 – Develop & Execute COSO Transition Plan for SOX Compliance
• Planning Phase – finalize your company's updated SOX compliance:
– Methodology & approach
– Project governance & decision rights
– Detailed project plan with key milestones
– Resource identification and assignment, and other necessary planning activities
• Set realistic plans & expectations
• Regardless of the state of your current SOX compliance program, some transition effort is required

Step 4 – Phase 1: Documentation & Evaluation
• You may need to update the format and/or flow of your underlying documentation, aligning it to the new mapping created during Step 2.
• All 5 components of internal control and all relevant principles must be present and functioning
• Underlying documentation must support management in making such a conclusion
• This phase entails evaluating the design of the underlying controls & enhancing the design as needed

Step 4 – Phase 2: Validation Testing & Gap Remediation
• Once you're satisfied that your company's controls around external financial reporting and disclosure are effective in their design, you need to perform SOX validation testing to ensure these controls have been implemented and are operating as expected
• Remediate any action items or gaps if deficiencies are identified

Step 4 – Phase 3: External Review & Testing
• Prepare for the external auditor needing/wanting to assess & gain comfort with the updated SOX compliance program and its supporting documentation

Step 5: Drive Continuous Improvement
• Adequate vs. best-in-class system of internal controls
• Stronger corporate governance should translate into stronger business results & increased shareholder value

Step 5 continued
• Once the 2013 Framework transition is complete, challenge yourself to drive continuous improvement with these practices:
– Ensure there is an appropriate tone at the top
– Embed internal control responsibility into the fabric of your company's culture, business processes & procedures
– Improve control reporting & communication
– Enhance your enterprise risk management capability
– Tooling & automation

Call to Action
• Last reminder – key takeaway
• Those who currently use COSO's 1992 Framework should complete their transition to the 2013 version no later than December 15, 2014, as the former version will be superseded
• While most companies expect few changes & a relatively smooth transition, you still need to work through it
• The onus is on "us", those working in publicly traded companies subject to SOX Section 404 compliance, to build awareness, assess the impact, and complete a timely transition
• The 5-step process is one approach that could support you and your team's success

COSO – COBIT Mapping

Questions?
Contact Information: Roxanne Halverson – rhalverson@us.ibm.com, 678-366-7292

Copyright © 2013, The Committee of Sponsoring Organizations of the Treadway Commission (COSO).