COSO 2013: Leading Practices for Effective Transition
SIFMA Internal Auditors Society Annual Conference
Delray Beach, Florida
November 4, 2013
Agenda
- COSO 2013 Framework: Summary of Changes
- Transition Considerations
- Q&A
© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
NDPPS 218070
2
Poll Question #1:
Do you work for a public or private company?
A. Public
B. Private
Poll Question #2:
How many resources (headcount) does your Internal Audit Department have?
A. < 10
B. 10 - 50
C. > 50
Poll Question #3:
Please describe your type of Financial Institution
A. Bank
B. Broker – Dealer
C. Asset Manager
D. Investment Adviser
E. Insurance Company
F. Finance Company
G. Mortgage Company
H. Trust Company
I. Savings and Loan Association
Poll Question #4:
When is your organization planning on implementing the new COSO 2013 framework?
A. 2013
B. 2014
C. >2014
D. Not planning on implementing the new framework
COSO 2013 Framework: Summary of Changes

Introduction to COSO 2013
- Updated Internal Control – Integrated Framework (2013 Framework) issued on May 14, 2013
- Companion documents:
  – Internal Control – Integrated Framework: Executive Summary
  – Illustrative Tools for Assessing Effectiveness of a System of Internal Control
  – Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
- COSO 1992 Framework will be available until December 15, 2014, then superseded
Why Update What Works
[Diagram: Original Framework (today) → Enhancements to ease use and application → Updated Framework]
- Original Framework (today): COSO’s Internal Control-Integrated Framework (1992 Edition); fundamental concepts relating to effective internal control
- Driver: changes in business, operating and regulatory environments
- Enhancements to ease use and application: formalizes principles underlying components; updates context; expands application
- Updated Framework: COSO’s Internal Control-Integrated Framework (2013 Edition)
COSO 2013 Framework – Summary of Changes

What is not changing...
- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components of internal control is required for effective internal control
- Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

What is changing...
- Updated for changes in business and operating environments
- Expanded operations and reporting objectives suitable for other purposes
- Implicit fundamental concepts underlying the five components codified as 17 principles
- Updated for increased relevance and dependence on IT
- Addresses fraud risk assessment and response (Principle #8)
COSO Components and Principles
17 Principles codified under the 2013 Framework based on implicit fundamental concepts of the 1992 Framework

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Points of Focus
- Points of Focus provide example characteristics of the principles
- Points of focus may facilitate designing, implementing, and conducting internal control
- A point of focus may not be suitable or relevant, and others may be identified
- There is no requirement to separately assess whether points of focus are in place

Component: Control Environment
Principle: 1. The organization demonstrates a commitment to integrity and ethical values.
Points of Focus:
1. Sets the Tone at the Top
2. Establishes Standards of Conduct
3. Evaluates Adherence to Standards of Conduct
4. Addresses Deviations in a Timely Manner
Clarifies requirements for effective internal control
- Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component
- Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies
- A major deficiency exists if the organization cannot conclude that each of the five components and relevant principles are present and functioning and the five components operate together in an integrated manner
- A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives
Transition Considerations

COSO Components: Challenges

Control Environment
- Public companies: may need to improve documentation and assess existing controls not specifically evaluated to support management’s assessment.
- Non-public companies: challenging to demonstrate principles.
- Requirements for ensuring and demonstrating that individuals have appropriate skills, execute internal control responsibilities and are held accountable are stronger and more pervasive.

Risk Assessment
- Many companies have not done a robust top-down risk assessment for financial reporting that links significant accounts, assertions and risks at the consolidated, subsidiary, unit level or material investees as appropriate (SOX purposes).
- If the framework is used for operational purposes but no robust risk policies and frameworks exist: challenge to implement/demonstrate concepts such as risk appetite, velocity and persistency.

Control Activities
- Evaluating the dependency and linkage between business processes, automated controls and GITCs.
- Precision and evidence of management review controls, etc.; accountability.

Information and Communication
- Capturing internal and external sources of data.
- Management considers and documents the source of data utilized in each control and the basis for reliability of such data. Many companies are finding that they have not assessed the completeness or accuracy of such data.

Monitoring Activities
- Performing ongoing monitoring that controls are present and functioning; areas of opportunity: data or predictive analytics, etc.
Poll Question #5:
Which of the changes discussed in the new framework do you expect will be the most challenging to your organization?
A. Evaluating the dependency and linkage between business processes, automated controls and GITCs
B. Demonstrating enhanced governance concepts
C. Addressing fraud risk assessment and response
D. Demonstrating how components operate together in an integrated manner
E. Other
Poll Question #6:
What is the perceived level of effort in your organization to demonstrate that the components and underlying principles are operating in an integrated manner?
A. Low
B. Medium
C. High
D. Not Sure
Poll Question #7:
During the implementation of the new COSO 2013 framework, is your organization taking a fresh look at its SOX Compliance approach?
A. Yes – Driven by the new Framework
B. Yes – Not related to the new Framework
C. No – Still assessing the new Framework
D. No – No SOX refresh needed to comply with the new Framework
E. Not applicable – not implementing the new Framework
Transition Considerations
- Judgment
  – Framework does not prescribe the specific controls; it sets out the principles
  – Need to evaluate all 17 principles, instead of just the 5 components
  – Controls are the function of management’s and the Board’s judgments
- Organizational boundaries
  – Management retains responsibility for objectives; managing risks; selecting, developing and deploying effective controls over third-party service providers
  – Increased importance of information and communication
- Large vs. smaller entities
  – Principles are applicable to all entities
  – Different risks and different advantages to be considered
- Explicit requirement that management consider risks related to fraud
- Benefits and costs of internal control
- Deferred maintenance of the organization’s existing SOX program
Transition Timeline and Effort
- COSO determined the 2013 Framework will supersede the 1992 Framework effective December 15, 2014
  – Pending SEC monitoring of the transition phase
- Assess the implications of the 2013 Framework as soon as feasible
- Impact of adopting the updated Framework will vary by entity
- Organizations should disclose whether the 1992 or 2013 version of the Framework is used during the transition period
- Opportunity to take a fresh look
  – at the efficiency and effectiveness of business processes, risk assessments, and controls responsive to the risks
  – at the ICFR assessment prepared under the 1992 Framework
- Treat the 2013 assessment as a “Dress Rehearsal”!
Transition Approach
- Transition from the 1992 to the 2013 COSO Framework might result in relatively few changes, but a transition process needs to be formulated and work should commence at an early date.
- COSO published “The 2013 COSO Framework & SOX Compliance – One Approach to An Effective Transition” by Stephen McNally (Campbell Soup) discussing the following five steps to transition:
  Step 1: Develop awareness, expertise and alignment
  Step 2: Conduct preliminary impact assessment
  Step 3: Facilitate broad awareness, training, and comprehensive assessment
  Step 4: Develop and execute COSO transition plan for SOX compliance
  Step 5: Drive continuous improvement
Next Steps for Risk/Control Professionals
- Get familiar with COSO 2013
  – Education on and evaluation of the 2013 Framework changes.
- Educate your Board, Audit Committee and company management
  – Communicate the impact of the new Framework.
- Plan how you will transition your organization
  – Map the 17 principles and points of focus to your existing controls within each component to demonstrate where the relevant principles are present and functioning in support of the objectives.
  – Identify and discuss control design gaps with senior management and develop plans to remediate any such gaps.
- Available resources
  – KPMG Defining Issues No. 13-26, May 2013
  – The road to transition: COSO’s Internal Control 2013 – Integrated Framework
  – COSO’s McNally transition article
Poll Question #8:
What is the perceived level of effort to comply with the new COSO 2013 Framework?
A. Low
B. Medium
C. High
D. Not Sure
Contact Information

Ravi Gupta
Director
Internal Audit, Risk and Compliance Services (IARCS) – Financial Services
51 JFK Parkway
Short Hills, NJ 07078
ravigupta@kpmg.com
Tel: 201 563 2788
Mobile: 973 912 4630

Pamela de Maaijer
Director
Internal Audit, Risk and Compliance Services (IARCS) – Financial Services
345 Park Avenue
New York, NY 10154
pademaaijer@kpmg.com
Tel: 212 954 7067
Mobile: 917 306 4871
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.