ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW Session Papers/ARF... · • Core definition of...

Date post: 06-Nov-2019
Page 1: ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW Session Papers/ARF... · • Core definition of internal control • Three categories of objectives and five components of internal control
Page 2

IASA 86TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

2013

New COSO 2013 Framework and Current Trends in Risk Management

Session 105

Page 3

Agenda

• COSO 2013 framework overview
• Why the update?
• What has been updated and what has remained the same?
• Codification of 17 principles and points of focus
• Key areas of focus
• Transition and impact
• Impact on audits & financial exams
• Our point of view
• Next steps
• Applying the new COSO 2013 framework
• Risk management considerations
• How does COSO 2013 impact my organization?
• Questions

Page 4

Overview

Originally issued in 1992, COSO’s Internal Control – Integrated Framework (the “1992 Framework”) became one of the most widely accepted internal control frameworks in the world. In order to address the significant changes to business and operating environments that have taken place over the past 20 years, on May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated 2013 Internal Control – Integrated Framework, which supersedes the 1992 Framework on December 15, 2014.

Page 5

Update driven by input of stakeholders:

[Chart: "Do stakeholders understand the components of effective internal control?" Horizontal bars (0% to 100%) for each of the five components: Control Activities, Monitoring, Control Environment, Information & Communication, Risk Assessment. Response categories: Difficult to interpret, Somewhat difficult to interpret, Moderately easy to interpret, Generally easy to interpret, Easy to interpret.]

Source: COSO’s survey of users and stakeholders, worldwide, January to September 2011

Page 6

Update expected to increase ease of use and broaden application

What is not changing...

• Core definition of internal control
• Three categories of objectives and five components of internal control
• Each of the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring activities) are required for effective internal control
• Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

What is changing...

• Changes in business and operating environments considered
• Operations and reporting objectives expanded
• Fundamental concepts underlying five components articulated as 17 principles
• Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added

Page 7

Update considers changes in business and operating environments

Environment changes... have driven Framework updates:

• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexity in business
• Demands and complexities in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud

[Figure: COSO Cube (2013 Edition)]

Page 8

Why the update?

• Business and operating environments have changed dramatically, becoming increasingly complex, technologically driven and global in scope.
• Stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal controls that support business decisions and governance.

[Diagram: ICIF works well today (COSO’s Internal Control – Integrated Framework, 1992 Edition) -> Refresh objectives -> Enhancements -> ICIF will work better tomorrow (COSO’s Internal Control – Integrated Framework, 2013 Edition)]

Refresh objectives:
• Address significant changes to the business environment and associated risks
• Increase focus on operations, compliance and non-financial reporting objectives
• Codify criteria to use in the development and assessment of systems of internal control

Enhancements:
• Updated, enhanced and clarified framework
• Expanded internal and non-financial reporting guidance
• Principles and points of focus

Page 9

Update clarifies requirements for effective internal control

[Diagram: Internal Controls = 5 Components, supported by 17 Principles, described by Points of Focus]

• Effective internal control provides reasonable assurance that each component and supporting principle is present and functioning and the five components are integrated effectively
• Principles are suitable and presumed relevant for all entities
• Principles can support achievement of single, multiple, or overlapping objectives
• Applying principles provides a basis for evaluation of internal control effectiveness across an organization

Page 10

Update articulates 17 principles of effective internal control

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Page 11

Updated Framework: Describes important characteristics of each principle

• Points of focus may not be suitable or relevant, and others may be identified.
• Points of focus may facilitate designing, implementing, and conducting internal control.
• There is no requirement to separately assess whether points of focus are in place.

For example:

Control Environment – Principle 1. The organization demonstrates a commitment to integrity and ethical values.

Points of focus:
• Sets the tone at the top
• Establishes standards of conduct
• Evaluates adherence to standards of conduct
• Addresses deviations in a timely manner

Page 12

2013 Framework and Guidance – Key Areas of Focus

Risk Assessment
• More detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed, and linkage between risk assessment and control activities.
• Considering the potential for fraud risks to the achievement of an organization’s objectives.

Outsourced Service Providers (OSPs)
• Considerations related to OSPs are included throughout the framework, including 12 out of 17 principles.
• Requires management to specifically consider how OSPs are monitored.

Information Technology (IT)
• Considerations related to IT are included in 14 out of 17 principles.
• Discussion of using IT to assist in continuous monitoring within the system of internal control (i.e., use of data analytics).
• Requirements for ensuring quality of information (i.e., data integrity).

Page 13

Transition & Impact

• Users are encouraged to transition applications and related documentation to the updated Framework as soon as feasible
• Updated Framework will supersede original Framework at the end of the transition period (i.e., December 15, 2014)
• During the transition period, external reporting should disclose whether the original or updated version of the Framework was used
• Impact of adopting the updated Framework will vary by organization
  − Does the system of internal control need to address changes in business?
  − Does the system of internal control need to be updated to address all principles?
  − Does the organization apply and interpret the original framework in the same manner as COSO?
  − Is the organization considering new opportunities to apply internal control to cover additional objectives?

Page 14

Transition & Impact (continued)

• The principles-based approach provides flexibility in applying the Framework to multiple, overlapping objectives across the entity
  • Easier to see what is covered and what is missing
  • Focus on principles may reduce likelihood of considering something that’s irrelevant
• Understanding the importance of specifying suitable objectives focuses on those risks and controls most important to achieving these objectives.
• Focusing on areas of risk that exceed acceptance levels or need to be managed across the entity may reduce efforts spent mitigating risks in areas of lesser significance.
• Coordinating efforts for identifying and assessing risks across multiple, overlapping objectives may reduce the number of discrete risks assessed and mitigated.

Page 15

Transition & Impact (continued)

• Selecting, developing, and deploying controls to effect multiple principles may also reduce the number of discrete, layered-on controls.
• Applying an integrated approach to internal control – encompassing operations, reporting, and compliance – may lessen complexity.
• In assessing severity of internal control deficiencies, use only the relevant classification criteria as set out in the Framework or by regulators, standard-setting bodies, and other relevant third parties, as appropriate.

Page 16

Our Point of View – Overview

• Helps increase transparency. The structure and rigor presented in this framework around 17 principles and points of focus helps establish transparency and accountability in an organization’s process of designing and implementing its system of internal control.
• Strengthened governance. For companies utilizing COSO, the new framework will also aid in strengthening the governance and oversight of internal control in an organization.
• Maintain an optimum balance. The COSO 2013 framework does not necessarily warrant redesigning the organization’s system of internal control. Management must ensure that their approach for transitioning is effective and efficient.
• Implementation of the new COSO 2013 framework. While the fundamental elements of the new COSO framework remain the same, it is important to update existing documentation to support that the system of internal control considers the 17 principles.

Page 17

Our Point of View – Impact on External Audits

• More defined guidance = better sources of information for testing. Does not mean more testing. In fact, it might require less testing if companies implement the updated COSO Framework effectively
• Aligns with greater emphasis and specific measures on corporate governance
• Better synergy with ERM and related controls design. A strong ERM Framework ties in well with the new COSO Framework
• Better defines the role of technology in risk management and controls

Page 18

Impact on External Audits

• Examining Internal Controls Over Financial Reporting (ICoFR)
  • System of Internal Control must be examined
  • 5 components are supported by 17 principles, which include:
    • Commitment to integrity and ethical values;
    • Exercises oversight responsibility;
    • Demonstrates a commitment to competence;
    • Assesses fraud risk.
  • What is the burden of proof?
  • Moreover, what constitutes solid audit evidence?

Page 19

Impact on External Audits

• Increased focus on the following:

• Electronic Audit Evidence
  • Increased focus on validating information
    » Tying out of balances does not suffice;
    » Report parameters and illustrative screenshots required;
    » Only “in scope” applications can be relied upon;

• Review Controls
  • THAT it’s reviewed is not enough: WHO, WHAT, HOW…
    » Who is performing the review?
    » What is their review process?

• Evaluating the Impact of Deficiencies
  • What is the impact of a deficiency?
  • Inherent risk vs. residual risk
    » How does a failure or a failure rate impact the residual risk index;
    » What is the effect of all failures identified:
      » Cumulative impact;
      » Synergistic – do multiple failures exacerbate individual risks?

Page 20

Our Point of View – Impact on Financial Examinations

• New framework provides greater focus on the linking between risks, strategy and controls
• Updated documentation will provide greater insight and reliability into existing documentation and testing performed by internal and external auditors
• Less testing if fully implemented; better aligns with a risk-focused exam, including mapping of controls related to key risks and the reasoning behind those controls, especially when it comes to soft areas like corporate governance and strategy
• Examiners should look for implementation of the 17 criteria during their evaluation of the IT framework, including gaps in existing documentation

Page 21

Next Steps

Companies should consider COSO’s 4-step approach transition guidance for purposes of complying with Section 404 of the Sarbanes-Oxley Act, which includes:

1. Read COSO’s updated Framework and illustrative documents

2. Initiate a discussion with senior management and the audit committee on the new COSO framework, highlighting its key changes and implications to the system of internal control at the organization

3. Review and establish a process for identifying and assessing necessary changes in controls (if any) and related documentation

4. Document your approach toward the application of the new COSO framework and transition plan, including changes in controls and related documentation

Given the integral role management, the audit committee, internal audit and other risk management functions all play in an effective system of internal control, a coordinated approach to address the key changes in the new COSO framework is essential.

Page 22

Next Steps

Client considerations and next steps: the four-step approach

1. Understand and educate
2. Assess
3. Plan and implement
4. Communicate

Page 23

Applying the new COSO 2013 framework – Steps to Implementation

A. Review existing internal control assessment results and perform an overall assessment with respect to the five components and supporting 17 principles
B. Evaluate each of the five components individually and collectively, and document (in summary) whether the relevant principles are present and functioning
C. For each component, formally evaluate whether each of the 17 principles (to the extent they are relevant) is present and functioning and document the summarized assessment, including any deficiencies/gaps
D. Create a detailed mapping of all internal controls to each of the five components and related principles and document (may not be required if A, B and C above can be adequately supported)
E. Identify additional controls (if any) that may be relevant to fully support a component and/or principle to be present and functioning in the design and implementation of the system of internal control
F. Update overall internal control documentation to reflect changes in the new COSO framework, including but not limited to: financial and non-financial reporting (both internal and external), documenting whether the 17 principles are present and functioning, and clarifying the objectives: a) effectiveness and efficiency of operations, b) compliance with regulatory requirements and c) reporting

Page 24

Applying the new COSO 2013 framework for management

Steps to Implementation – Cont’d

G. Update management’s control self-assessment process to include the three objectives (as part of risk assessment) and five components and 17 principles (as part of self-assessment questionnaires)
H. Update risk assessment methodology (as applicable) and documentation to include evaluation of the three objectives, five components and 17 underlying principles

APPLYING THE NEW COSO FRAMEWORK 2013 FOR INTERNAL AUDIT

For an internal audit department:

I. Revise the IA risk assessment methodology to address the seventeen principles supporting the five components for achievement of the three objectives
J. Include reference to the 17 principles in assurance reviews performed by internal audit and its communication to senior management and the audit committee

Page 25

Risk management considerations to help management achieve business objectives

Building upon the COSO 2013 internal control framework, internal audit and other assurance providers should consider the following opportunities to help organizations achieve their business objectives.

Opportunity: Objective setting process should be reviewed as part of risk assessment
Solution: Enterprise Risk Assessment Methodology

Opportunity: Ownership of risk and coordination of risk management activities should be encouraged
Solution: Risk Coverage – Combined Assurance Model; Risk & Control Framework Assessment Methodology

Opportunity: Risk assessment and evaluation criteria should be formalized
Solution: Risk assessment, evaluation and quantification tools

Opportunity: Cost benefit analysis on risk mitigation activities should be performed
Solution: Cost of controls and Risk Enabled Performance Management (REPM)

Page 26

How does this impact my organization?

• ERM/ORSA
• Model Audit Rule
• Internal Audit and Regulators
• Action Steps in Implementation
• Impact of COSO 2013 on External Audit

Page 27

ERM & ORSA

• Differences:
  • Strategy-setting, strategic objectives and risk appetite – aspects of ERM, not the Internal Control Framework
  • Identification of emerging risks, and application of risk tolerance
• Create a Governance / Risk Framework: integrate across business units and departments:
  • Risk Assessment
  • Control Activities
  • Monitoring and Reporting
• Enhance documentation, communication and transparency

Page 28

MAR Transition Considerations

Companies applying the 1992 version of the Framework in conjunction with their SOX / MAR compliance process and for other purposes have to consider the following:

• How do we evaluate the effectiveness of internal control?

• When and how do we transition to the New Framework?

• What do we communicate to the certifying officers regarding the New Framework?

• What do we communicate to the audit committee regarding the New Framework?

• What are the Sarbanes-Oxley / MAR implications in transitioning to the New Framework?

• What do we do now?

Deadline for use in financial reporting – Year End 12/31/2014

Page 29

Internal Audit and Regulators

• Relying more and more on “governance, risk and compliance” processes
  • The 2nd Line of Defense
• ERM / ORSA framework and reporting – used in planning
• Internal Controls – enhanced documentation and risk mitigation strategies create value:
  • reduced effort,
  • more effective audits / exams,
  • improved performance and reporting

Page 30

Clarity of Roles and Responsibilities Structured into “Three Lines of Defense”

[Diagram: Board / Audit Committee and Senior Management oversee the three lines]

1st Line of Defense: Management Controls; Internal Control Measures
2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Compliance, Legal
3rd Line of Defense: Internal Audit

External Auditor / Regulators

Page 31

Action Steps in Implementation

• Learn what has changed and develop a transition plan
• Communicate changes to stakeholders, implications to the organization and execute plan
• Evaluate and enhance your system of internal controls, including operating practices, process improvement and documentation
• Utilize and apply strategy to operations and technology
  • Enhance Data Analytics and Information / Reporting

Page 32

Questions and Comments

Page 33

Our Contact Information

Jerry Ravi, Partner
EisnerAmper – Consulting / ERM Services
732.243.7590
[email protected]

Dianne Batistoni, Partner
EisnerAmper – Regulatory Audit and Consulting Services
732.243.7220
[email protected]

Prashant Panavalli, Senior Manager
EisnerAmper – Consulting / ERM Services
732.243.7243
[email protected]

THANK YOU!!!!

Page 34

IASA 86TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

Please complete the session evaluation form on the conference app and include your conference registration ID# to be included in a drawing for a free conference registration for the 2014 Annual Conference! NOTE: Your conference registration ID# is located at the bottom left-hand corner of your badge.

