COSO 2013 and The Auditor

Date post: 18-Jul-2015

Upload: corporate-compliance-seminars
Transcript
Page 1: COSO 2013 and The Auditor

COSO 2013 and The Auditor

What the auditor needs to know about COSO 2013 implementations.

Corporate Compliance Seminars

Control. Comply. Communicate.

John C. Blackshire, CPA / 479-200-4373 / [email protected]

Property of Corporate Compliance Seminars www.compliance.seminars.com

Page 2: COSO 2013 and The Auditor

Accountant, Auditor, IT Projects, Compliance Assessor, Sales Director, Trainer

• The Accountware Group / Corporate Compliance Seminars

  • Training, system design, implementation, security, customization, support, documentation, change management

• Walker Interactive Products

  • Financial system designer, financial system implementation, integration, user support, sales, training

• Insurance Systems of America

  • Created and managed internal consulting organization, developed system implementation methodology, deployed accounting systems.

• KPMG

  • Financial Auditor of insurance, financial services, manufacturing clients

• Past Meeting Coordinator - IIA International Conference

Page 3: COSO 2013 and The Auditor

“COSO is a bunch of policies and procedures. It can’t help us.” – CEO

“We hire great people. They do a great job!” – HR Director

“Our numbers are rock-solid!” – Internal Audit Director

“We spent $30M and two years installing SAP. It has strong controls” - CIO

Page 4: COSO 2013 and The Auditor

The Situation

Section 1

Why the COSO Committee?

© 2015 Corporate Compliance Seminars

Page 5: COSO 2013 and The Auditor

Organization of the Petroleum Exporting Countries (OPEC)

- General prosperity

- Decreased government spending

- Tax reductions

- Tightened money supply to stem inflation

- Increased defense budget

- Deregulation: “free market” economy

- Oil price controls lifted


Page 6: COSO 2013 and The Auditor

Problems in the 1970’s and 1980’s

• Oil price skyrocketed; high interest rates; overvalued real estate; national debt tripled

• Savings & Loan industry collapse; bribes from US companies

• Business failures: Continental Bank; Crazy Eddie’s Electronics, ZZZZ Best, Inc.

Solutions

1977: Foreign Corrupt Practices Act – anti-bribery and internal control requirements

1985: National Commission on Fraudulent Financial Reporting

aka “Treadway Commission”. Mission: “To identify causal factors that can lead to fraudulent financial reporting.”

1987: Treadway Report

1990: CFO Act – Fiscal control in Federal agencies

1999: Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees

2002: Sarbanes-Oxley Act


Page 7: COSO 2013 and The Auditor

1985 - Committee of Sponsoring Organizations (COSO) of the Treadway Commission was formed “to identify the causal factors that can lead to fraudulent financial reporting.”

“COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.”


Page 8: COSO 2013 and The Auditor

SEC: “The term internal control over financial reporting is defined as a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

• Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;

• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and

• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.” (Rule 13a-15(f))


Page 9: COSO 2013 and The Auditor

COSO publication timeline:

1992 – Internal Control—Integrated Framework

2006 – Guidance for Smaller Public Companies

2009 – Guidance on Monitoring Internal Control Systems

2013 – Internal Control—Integrated Framework (updated)

Page 10: COSO 2013 and The Auditor


Why update the “Internal Control – Integrated Framework”?

• The 1992 framework was extremely poorly documented

• Made significant changes to documentation of the framework to standardize the documentation of its usage

• Codify criteria to use in development and assessment of systems of internal control

• Expanded the business objectives being considered

Page 11: COSO 2013 and The Auditor


What did not change...

1. Management is responsible for internal control

2. Five components of internal control

3. Three categories of internal control

4. The fundamental criteria used to assess effectiveness of systems of internal control

5. Use of judgment in evaluating the effectiveness of systems of internal control

What changed...

1. Definition of internal control

2. Codification of principles with universal application for use in developing and evaluating the effectiveness of systems of internal control

3. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives

4. Increased focus on operations, compliance and non-financial reporting objectives based on user input

“The experienced reader will find much familiar in the updated Framework, which builds on what has proven effective in the original version.”

COSO Update creates “Principles of Control” and “Points of Focus”

Page 12: COSO 2013 and The Auditor

COSO 2013 Definition of “Internal Control”

“A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding achievement of objectives related to operations, reporting, and compliance.”

“Internal control is…

• Geared to the achievement of objectives in one or more separate but overlapping categories

• A process consisting of ongoing tasks and activities—it is a means to an end, not an end in itself

• Effected by people—it is not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control

• Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and board of directors

• Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process”


Page 13: COSO 2013 and The Auditor

• “Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:

• Each component and each relevant principle is present and functioning

• The five components are operating together in an integrated manner”

• “Each principle is suitable to all entities…”

• “All principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology)”

• “Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies…”

• “A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives…”


Page 14: COSO 2013 and The Auditor

PoF Statements from COSO

• “Points of focus may not be suitable or relevant, and others may be identified”

• “Points of focus may facilitate designing, implementing, and conducting internal control assessments”

• “There is no requirement to separately assess whether points of focus are in place”


Control Environment – Principle of Control 1: “The organization demonstrates a commitment to integrity and ethical values.”

Points of Focus:

• Sets the Tone at the Top

• Establishes Standards of Conduct

• Evaluates Adherence to Standards of Conduct

• Addresses Deviations in a Timely Manner

Page 15: COSO 2013 and The Auditor

• “The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control.”

• “An organization’s selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity.”

• “A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles.”

• “However, understanding and considering how controls effect multiple principles can provide persuasive evidence supporting management’s assessment of whether components and relevant principles are present and functioning.”


Page 16: COSO 2013 and The Auditor

The Problems

Section 2

What are the issues within the Marketplace?


Page 17: COSO 2013 and The Auditor

Guidance to PCAOB Staff

• “Considerations of Audits of ICFR”

• Issued October 24, 2013

• Based on past three years of inspections

Areas

1. “Risk Assessment and the Audit of Internal Control”

2. “Selecting Controls to Test”

3. “Testing Management Review Controls”

4. “IT Considerations”

5. “Roll Forward of Controls Tested at an Interim Date”

6. “Using the Work of Others”

7. “Evaluating Identified Control Deficiencies”

“More than one in three audits inspected by the PCAOB were so deficient the auditors should not have signed off!”

- CFO Journal, January 2014

James R. Doty, Chairman, PCAOB

Page 18: COSO 2013 and The Auditor

To Listen

To Interpret

To Hear

What does audit mean??


Page 19: COSO 2013 and The Auditor

Control Environment

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

Risk Assessment

6. Specifies relevant objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information

14. Communicates internally

15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies

Page 20: COSO 2013 and The Auditor

COSO 1992 was not suitable to the SEC criteria.

Where are the regulators going?

Do Section 302 and 404 certifications work?

Why was COSO 1992 Updated?


Page 21: COSO 2013 and The Auditor

SEC Criteria under SOX 404

Was COSO 1992 free from bias? (36%)

Was COSO 1992 sufficiently complete? (36%)

Did COSO 1992 provide reasonable measurements? (34%)

Was COSO 1992 relevant to evaluation of ICFR? (40%)

Page 22: COSO 2013 and The Auditor

What happened in 2008?

Is audit quality up or down?

Are material weaknesses up or down?

Do Section 302 and 404 certifications work?

How about investor returns?

Page 23: COSO 2013 and The Auditor

The Implications

Section 3

What are the conditions we need to address?


Page 24: COSO 2013 and The Auditor

COSO 2013: the default standard.

Can internal controls prevent or lessen economic issues?

COSO has announced a rewrite of the COSO ERM Framework.

Where are the regulators going?


Page 25: COSO 2013 and The Auditor

1. What is the definition of the risk brands being considered in the client’s internal control assessment?

2. Is the financial information recorded completely, accurately and timely and in agreement with US GAAP?

3. Are the financial accounting, compliance and operating practices documented and understood throughout the organization, including at off-site locations?

4. Are the internal controls adequate to detect and report errors and fraud?

5. Are we, the external auditors, independent and effective to report errors and deviations from GAAP, policies, procedures and internal controls?

6. Is the client’s Audit Committee independent and critically examining financial reports and fraud allegations?

7. Are key performance metrics, risks, controls and compliance activities maintained, monitored and continuously assessed?


Page 26: COSO 2013 and The Auditor

(This slide repeats the five COSO components and 17 principles shown on Page 19.)

Page 27: COSO 2013 and The Auditor

• “The use of entity-level control assessment is under-utilized.”

• “Effective entity-level monitoring may eliminate or reduce the need for certain transaction-level controls.”

• “Companies can significantly reduce the testing workload by properly designing robust and effective entity level controls.”

[Chart: Entity-level controls as % of total key controls]

Source: Ernst & Young Survey 2013


Page 28: COSO 2013 and The Auditor

The term “Entity-Level Controls” describes the aspects of a system of internal control that have a pervasive effect on the entity’s controls, such as:

• controls related to the control environment (ex. management’s philosophy and operating authority and responsibility);

• controls over management override;

• the company’s risk assessment process;

• centralized processing and controls including shared service environments;

• controls to monitor results of operations;

• controls to monitor other controls including activities of the internal audit function, the audit committee, and self-assessment programs;

• controls over the period-end financial reporting process; and

• policies that address significant business control and risk management practices.

Page 29: COSO 2013 and The Auditor

What Needs To Be Done

Section 4

What is the auditor to do with COSO 2013?


Page 30: COSO 2013 and The Auditor

Principle of Control 6: “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.”

Points of Focus

21-24. Operations Objectives

• Reflects Management’s Choices

• Considers Tolerances for Risk

• Operations and Financial Performance Goals

• Forms a Basis for Committing of Resources

25-27. External Financial Reporting Objectives

• Complies with Applicable Accounting Standards

• Considers Materiality

• Reflects Entity Activities

28-30. External Non-Financial Reporting Objectives

• Complies with Externally Established Standards and Frameworks

• Considers the Required Level of Precision

• Reflects Entity Activities

31-33. Internal Reporting Objectives

• Reflects Management’s Choices

• Considers the Required Level of Precision

• Reflects Entity Activities

34-35. Compliance Objectives

• Reflects External Laws and Regulations

• Considers Tolerances for Risk

Page 31: COSO 2013 and The Auditor

Principle of Control 7: “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”

Points of Focus

36. Includes Entity, Subsidiary, Division, Operating Unit and Functional Levels – The organization identifies and assesses risks at the entity, subsidiary, division, operating unit and functional levels relevant to the achievement of objectives.

37. Analyzes Internal and External Factors – Risk identification considers both internal and external factors and their impact on the achievement of objectives.

38. Involves Appropriate Levels of Management – The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management.

39. Estimates Significance of Risks Identified – Identified risks are analyzed through a process that includes estimating the potential significance of the risk.

40. Determines How to Respond to Risks – Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce or share the risk.

Page 32: COSO 2013 and The Auditor

Principle of Control 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

Points of Focus

41. Considers Various Types of Fraud – The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption [and management override of controls] resulting from the various ways that fraud and misconduct can occur.

42. Assesses Incentives and Pressures – The assessment of fraud risk considers incentives and pressures.

43. Assesses Opportunities – The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts.

44. Assesses Attitudes and Rationalizations – The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.

Page 33: COSO 2013 and The Auditor

Principle of Control 9: “The organization identifies and assesses changes that could significantly impact the system of internal control.”

Points of Focus

45. Assesses Changes in the External Environment – The risk identification process considers changes in the regulatory, economic, and physical environment in which the entity operates.

46. Assesses Changes in the Business Model – The organization considers the potential impact of new business lines, dramatically altered compositions of existing lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies and new technologies.

47. Assesses Changes in Leadership – The organization considers changes in the management and respective attitudes and philosophies on the system of internal control.

Page 34: COSO 2013 and The Auditor

Board-Level Actions

Executive-Level Actions

Department Head-Level Actions

Middle Management-Level Actions

Supervisory-Level Actions

Staff-Level Actions

* * * * * GLASS CEILING * * * * *

Entity

Activity


Page 35: COSO 2013 and The Auditor

(This slide repeats the five COSO components and 17 principles shown on Page 19.)

Page 36: COSO 2013 and The Auditor


How has the company satisfied the COSO Control Components? Are the controls present? Are the controls functioning? - Summary

Risk Assessment – Risk Committee, Risk Model, Annual assessment, BoD/ AC review of management’s risk responses, etc.

Control Environment – Board of Directors, Audit Committee, Ethics policy and training, Hotline, Policies and Procedures, etc.

Control Activities – Standards for all activities. Selection of key controls, documentation of key controls, testing, remediation, etc.

Information & Communication – Documentation and communication of SOX/ Risk Assessment, Internal Control reports, etc.

Monitoring Activities – Quarterly executive meetings, metrics, presentation to BoD/ AC, etc.

Page 37: COSO 2013 and The Auditor

1. Formalize and reassess risks (entity – business process – IT activity)

• Identify material changes in operations

• Determine in-scope and out-of-scope business units

2. Reassess key controls; considering your “control mix”

• Consider financial and non-financial controls

• Consider external and internal reporting controls

• Consider compliance, operational, fraud and IT controls

3. Link SOX program to the COSO 2013 framework

• COSO narrative or spreadsheet

• COSO Illustrative Toolset or other tool

4. Align risks and key controls to the COSO Components, Principles and Points of Focus

• Consider the organization’s objectives and risks

• Use judgment in selecting the POFs

5. Update SOX documentation for COSO 2013

• Control present and functioning

• Aggregate your deficiencies

• Control effectiveness across Components and Principles

“use common sense”

Page 38: COSO 2013 and The Auditor


Key Control:

“The Vendor Disbursements Report is reviewed on a daily basis by the AP Manager and on a weekly basis by the Corporate Controller. The report and certifications are obtained as evidence.”

Principle of Control:

#10: Control activities are defined to reduce entity risks.

#16: Management conducts ongoing and separate evaluations of internal controls.

Component of Control:

#3: Control Activities

#5: Monitoring Activities

Point of Focus:

#44: Addresses the segregation of duties

#69: Considers a mix of ongoing and separate evaluations

Page 39: COSO 2013 and The Auditor

2015-2016 COSO ELC Mapping

[Figure: Entity Level Controls mapped to COSO Component / Principle – Primary Relationship and Secondary Relationship(s)]

Page 40: COSO 2013 and The Auditor

Key Control: The Vendor Disbursements Report is reviewed on a daily basis by the AP Manager and on a weekly basis by the Corporate Controller. The report and certs are obtained as evidence.

COSO Control Component | COSO Principle of Control | COSO Point of Control Focus | Evidence

Control Environment | - | - | -

Risk Assessment | - | - | -

Control Activities | #10: Control activities are defined to reduce entity risks. | #44: Addresses the segregation of duties | Observation and Inspection of Disbursements Report review

Info & Communication | - | - | AP Manager Dashboard of Disbursements; Internal Audit report of AP

Monitoring Activities | #16: Management conducts ongoing and separate evaluations of internal controls. | #69: Considers a mix of ongoing and separate evaluations | Controller Monitoring; Internal Audit of Accounts Payable

Page 41: COSO 2013 and The Auditor

Consider scoping in more Entity Level risks, controls and assessments

• Assessment of Board and Audit Committee effectiveness

• Assessment of Ethics/ Code of Conduct compliance

• Annual employee awareness of policies and procedures

• Effectiveness of “hotline” (process to report fraud)

• Evaluation of Risk Assessment documentation

• Evaluation of Monitoring controls

Re-evaluate the financial statement risks and key controls

• Financial Statement Assertions (Presentation, Existence, Rights/ Obligations, Cut-Off, Valuation)

Re-evaluate the risks and controls over Compliance and Operational activities

• Assessment of non-financial, internal reporting, business processes, IT and fraud

• Assessment of Outsourced Service Providers (OSPs)


Page 42: COSO 2013 and The Auditor

Each of the five COSO Components must be “present and functioning”

• Are they present? - “The determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.” (“Design”)

• Are they functioning? - “The determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.” (“Operating Effectiveness”)

The five COSO Components must “operate together in an integrated manner” i.e. “the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.”

• Management can demonstrate that components operate together when:

• “The components are present and functioning, and

• Internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist.”


Page 43: COSO 2013 and The Auditor

Going Forward

Section 10

Direction and Summary

COSO 2013: The Sequel

Page 44: COSO 2013 and The Auditor

• Alphabetic Keyboard – 1860’s

• Qwerty – Solution to jamming

• Dvorak – 1932

• “Touch” keyboards (keyless)

• Virtual keyboards

• No keyboards--voice dictation, etc.

Do we really like to change?


Page 45: COSO 2013 and The Auditor

Cultural Issue – Our Suggestions

1. “Risk Awareness” – Don’t force the risk assessment routine to an annual exercise. Assess risks on a “needs” basis…monthly or quarterly. Create triggers for all High and Medium Risks.

2. “Communication” – Explain “WHY”. Foster the flow of communications up and down the organization. Hold corporate “town hall meetings”. Encourage the sharing of “best practices”. Whistleblower function.

3. “Incentives” – Reward practices and behavior above and beyond expectations.

4. “Training - Mentoring” – Reinforce the Compliance programs through e-mails, meetings and webinars. Have formal mentorship programs.

5. “Measure” – Quantify and track metrics such as financial, risk factors, quality, customer service and improvements. Have established ranges for all metrics and the “Why’s”.

6. “Accountability” – Hold managers and staff accountable for controllable events such as errors, over budgets and compliance violations.

7. “Fix” – Create an effective Mission-Policy-Procedure stack. Identify the root cause and systemic issues.

8. “Continuous Improvement” – Encourage positive and negative feedback for process improvement.


Page 46: COSO 2013 and The Auditor


Risk heat map (impact vs. likelihood):

Impact \ Likelihood | Rare | Unlikely | Possible | Likely

Catastrophic | Low | Low | Medium Risk - 15% | Highest Risks - 5%

Major | Low | Low | Medium Risk - 15% | Medium Risk - 15%

Moderate | Low | Low | Low | Low

Minor | Low | Low | Low | Low

Insignificant | Low | Low | Low | Low

The Pareto’s Principle – The 80 - 20 Rule

Page 47: COSO 2013 and The Auditor

Reevaluate Significant Financial Accounts and Cycles

Reevaluate Significant Business Processes & Controls

Key Control Map – Business and IT

Test; Deficiencies

Remediate & Retest

Reassess Risks – F, NF, Internal, External, Fraud, Operations, Compliance, IT

Reevaluate and Map the Entity Control Environment

Monitor & Sustain Compliance

Documentation - Evidence


Page 48: COSO 2013 and The Auditor


Control. Comply. Communicate.

John C. Blackshire, CPA / 479-200-4373 / [email protected]
