COSO Framework 2013 and SOX Compliance

Roxanne L. Halverson, CISM, CGEIT
Atlanta ISACA Geek Week – August 19, 2013
What’s Happened
• On May 14, 2013, after a little more than 20 years, the Committee of Sponsoring Organizations of the Treadway Commission (a/k/a COSO) revised its widely used 1992 framework to update it for the modern realities of how business is carried out two decades later, especially with respect to how technology is used in business.
• COSO specifically set its transition date and determined it will no longer make its earlier version available after December 15, 2014, to facilitate a transition.
Call to Action
Each publicly traded company subject to SOX Section 404 compliance must gain senior management’s alignment & support, assess the impact of the Framework on existing SOX compliance activities, and then complete a timely transition to the updated Framework no later than December 15, 2014.
Background
• Authored by PwC under the direction of COSO
• Widely adopted by organizations around the world
• COSO developed the related illustrative documents to provide tools to assist companies in implementing or evaluating their system of internal control & offer specific approaches & examples as to how the Framework applies to external financial reporting.
Drivers Behind COSO’s Refresh Project
• Result of a significant multi-year project
  – 2 rounds of public exposure
• Lessons learned from applying the original Framework
  – Included lengthy discussions of internal control concepts that are not institutional knowledge
  – Concepts of internal control principles may have been embedded in the original Framework, but the principles themselves were “hidden” within the details
  – Practitioners have used the Framework primarily for internal control over financial reporting, yet the Framework encompasses 3 major categories of objectives: operations, overall reporting, and compliance objectives
• Objective was to keep “COSO” relevant & streamline the original Framework
  – Clarify the requirements of effective internal control
  – Update the context for applying internal control to the many changes in business and operating environments
  – Broaden its application by expanding the operations and reporting objectives
  – Enhance usability
Newly Released COSO Documents
• Internal Control-Integrated Framework Executive Summary – Provides a high-level overview of the 2013 Framework & is intended for the CEO & other senior management, BODs and regulators.
• Internal Control-Integrated Framework & Appendices – 175 pages that define the Framework in detail; defines internal control, underlying principles & direction for all levels of mgt.
• Internal Control-Integrated Framework Illustrative Tools for Assessing Effectiveness of a System of Internal Control – Provides templates and scenarios to support mgt. in applying the Framework, specifically in terms of assessing effectiveness.
• Internal Control over External Financial Reporting: A Compendium of Approaches & Examples – Provides practical approaches & examples illustrating how the components & principles in the Framework can be applied in preparing external financial statements. Intended to be used as a resource for researching specific principles vs. being read cover to cover.
Case for Transition
• COSO Board emphasized that the key concepts and principles defined in the original Framework remain fundamentally sound for designing, implementing, & maintaining systems of internal controls & assessing effectiveness
• Next slides review Fundamentals Retained
Fundamentals Retained
• Report’s general organization structure & component chapter structure
• Formal definition of internal control (“COSO Cube”)
• 5 components that work together in an integrated manner
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information & Communication
  – Monitoring Activities
Fundamentals Retained – page 2
• Emphasis that internal control is a process effected by people that can only provide reasonable vs. absolute assurance and has inherent limitations
• Internal control is geared toward achieving specified objectives
• Internal control can be applied at the entity level or at any of an entity’s units
• Concepts relating to cost-benefit analysis
  – Mgt. needs to use judgment, but cost alone is not an acceptable reason to avoid implementing internal controls
• Discussion of appropriate documentation
• Relationship between the management process & internal control
• Importance of management’s judgment in designing, implementing, and conducting internal control, and in assessing its effectiveness
One Transition Approach
• Step 1: Develop Awareness, Expertise & Alignment
• Step 2: Conduct Preliminary Impact Assessment
• Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment
• Step 4: Develop and Execute COSO Transition Plan for SOX Compliance
• Step 5: Drive Continuous Improvement
Step 1- Develop Awareness, Expertise &
Alignment
• Provide awareness to senior management to gain their support
• Initial audience – COSO/SOX subject matter experts in your company
• Obtain & review the newly released publications (listed on prior slide)
• In addition, go to the COSO website (www.coso.org), which includes press releases and a “Frequently Asked Questions” document
Step 1 – Other resources
• Webinars
• Articles
• External auditor
• Networking & building connections with peers at similar companies can benefit you & your teams.
COSO Timeless Concepts
“Internal control is a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance”
• Still provides for 3 categories of objectives: Operations, Reporting, Compliance
• Still provides 5 integrated components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities
• Updated “COSO Cube” continues to allow a company to consider internal controls from an entity, division, operating unit or function like a shared service center/center of excellence
Expanded Reporting Category
• Under objective categories, the reporting category was expanded to include not only external reporting but also internal reporting and nonfinancial reporting objectives
• Explicitly permits use in these other reporting situations even though they aren’t directly relevant from a SOX perspective
The most significant enhancement is the formulation of “17 Principles” of internal control, which serve as the criteria for determining whether an entity’s internal control is “effective”.
• The 1992 Framework conceptually introduced 17 relevant principles associated with the 5 components of internal control
• They are essential in assessing that the 5 components are present & functioning
• These concepts are now explicitly articulated in the 17 principles
• COSO Board believes each principle adds value & is suitable to all entities; each principle is presumed relevant
• Document the rationale if a principle isn’t relevant
CONTROL ENVIRONMENT
1. Demonstrates commitment to integrity & ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority & responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
RISK ASSESSMENT
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
CONTROL ACTIVITIES
10. Selects & develops control activities
11. Selects & develops general controls over technology
12. Deploys through policies & procedures
INFORMATION & COMMUNICATION
13. Uses relevant information
14. Communicates internally
15. Communicates externally
MONITORING
16. Conducts ongoing and/or separate evaluations
17. Evaluates & communicates deficiencies
Requirements of Effective Internal Control
• For management to conclude that its system of internal control is effective, all 5 components of internal control and all relevant principles must be present & functioning
• Being “present” implies a given component or principle exists within the design & implementation of an entity’s system of internal control
• “Functioning” implies the component or principle continues to exist in the operation & conduct of the internal control system
• Effective internal control also requires that all 5 components operate together in an integrated manner.
• Management can conclude they do if each component is present and functioning and the aggregation of internal control deficiencies across the components doesn’t result in one or more major deficiencies
Internal Control Deficiencies
• A major deficiency exists if an internal control deficiency, or a combination thereof, severely reduces the likelihood of an entity achieving its objectives
• If mgt. used its professional judgment to determine that a control objective isn’t being met because a relevant principle or associated component isn’t present & functioning, or the 5 components aren’t operating together, the entity has a major deficiency
• While the 2013 Framework defines the terms “deficiency” & “major deficiency”, mgt. should use relevant criteria as established by standards-setting bodies, regulators and other relevant third parties for defining the severity of, evaluating, and reporting deficiencies
Points of Focus provided by 2013 Framework
• Described to assist management in designing, implementing, and maintaining internal control & in assessing whether the 17 principles are present & functioning
• Represent important characteristics of the respective principles defined in the Framework or uniquely identified by management
• Enablers – not required – in order to have an effective system of internal control
Step 2: Conduct Preliminary Impact Assessment
• Once the 2013 Framework is understood, you need to assess how transitioning to it will impact your company’s current SOX program
• The most significant factor may be how well management implemented the original one
• Map your existing system of internal control against the updated Framework
• This will help you determine the degree of work required to complete the transition
• Instead of mapping directly to the 5 components of internal control, first map to the 17 principles that underlie each of the 5 components
• Develop a list of gaps to remediate
Step 3: Facilitate Broad Awareness, Training,
and Comprehensive Assessment
• Steps 1 & 2 targeted the company’s SOX compliance subject matter experts or core SOX compliance team
• Step 3 – engaging the broader organization to build awareness and to pressure-test the preliminary impact assessment conducted in Step 2
• Depending on the nature & complexity of your organization, SOX compliance efforts may occur centrally, or there may be multiple layers of assessment
  – Example: each Business Unit or location may prepare its own local assessment
Step 3 continued
• Either way, you should facilitate broad awareness of COSO’s updated Framework & the potential impact on your SOX compliance program
• Discuss the impact of COSO’s 2013 Framework on your SOX efforts with your company’s external auditors.
  – In some cases, providing stakeholders a brief update, via email or in person, will be sufficient.
  – In other cases, in-depth training & work sessions may be needed
Step 3 continued
• Leverage key stakeholders, such as process/controls owners or business unit SOX leads, to pressure-test your preliminary impact assessment, especially in a more decentralized or highly complex environment
• Have those who are directly responsible for implementing your company’s SOX controls critique the preliminary mapping from Step 2 to ensure the analysis is complete & accurate
Step 4 – Develop & Execute COSO
Transition Plan for SOX Compliance
• Planning Phase – finalize your company’s updated SOX compliance:
  – Methodology & approach
  – Define project governance & decision rights
  – Develop a detailed project plan with key milestones
  – Identify and assign resources, and complete other necessary planning activities
• Set realistic plans & expectations
• Regardless of current SOX compliance programs, some effort in transition is required
Step 4 – Phase 1 Documentation & Evaluation
• You may need to update the format and/or flow of your underlying documentation, aligning it to the new mapping created during Step 2.
• All 5 components of internal control and all relevant principles must be present and functioning
• Underlying documentation must support management in making such a conclusion
• Phase entails evaluating the design of the underlying controls & enhancing the design as needed
Step 4 – Phase 2: Validation Testing & Gap
Remediation
• Once you’re satisfied that your company’s controls around external financial reporting and disclosure are effective in their design, you need to perform SOX validation testing to ensure these controls have been implemented and are operating as expected.
• Remediate any action items or gaps if deficiencies are identified
Step 4: Phase 3 External Review & Testing
• Prepare for the external auditor needing/wanting to assess & gain comfort with the updated SOX compliance program and supporting documentation.
Step 5: Drive Continuous Improvement
• Adequate vs. best-in-class system of internal controls
• Stronger corporate governance should translate into stronger business results & increased shareholder value
Step 5 continued
• Once the 2013 Framework transition is complete, challenge yourself to drive continuous improvement with these practices:
  – Ensure there is an appropriate tone at the top
  – Embed internal control responsibility into the fabric of your company’s culture, business processes & procedures
  – Improve control reporting & communication
  – Enhance your enterprise risk management capability
  – Tooling & Automation
Call to Action
• Last reminder – Key Takeaway
• Those who currently use COSO’s 1992 Framework should complete their transition to the 2013 version no later than December 15, 2014, as the former version will be superseded
• While most companies expect few changes & a relatively smooth transition, you still need to work through it
• The onus is on “us” / those working in publicly traded companies subject to SOX Section 404 compliance to build awareness, assess the impact, and complete a timely transition
• The 5-step process is one approach that could support you and your team’s success
COSO – COBIT Mapping
Questions?
Contact Information:
Roxanne Halverson – rhalverson@us.ibm.com
678-366-7292