coso 2013 - public sector financial management coso presentation.pdf · page 2 agenda † what is...

COSO 2013 Internal Control – Integrated Framework

Upload: phungthien

Post on 10-Jan-2019


Page 1: COSO 2013 - Public Sector Financial Management COSO Presentation.pdf · Page 2 Agenda † What is the COSO Framework? † Codification of 17 principles and points-of-focus † Why

COSO 2013

Internal Control – Integrated Framework

Page 2

Agenda

• What is the COSO Framework?

• Codification of 17 principles and points-of-focus

• Why the update?

• Summary of Changes to Existing Framework

• Transition and impact

• EY point of view

• The way forward

• Applying the new COSO 2013 framework

• Points of discussion

• Questions

Page 3

What is the COSO Framework?

Page 4

Committee of the Sponsoring Organizations (COSO)

COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal control and corporate governance.

COSO has established an internal control model (i.e. COSO framework) against which companies and organizations may assess and improve their control systems.

• First published in 1992

• Gained wide acceptance following financial control failures of early 2000s

• Most widely used framework in the US

• Also widely used around the world

[Figure: COSO Cube (1992 Edition); labels: Monitoring, Information & communication, Control activities, Risk assessment, Control environment, Unit A, Unit B, Activity 1, Activity 2]

Page 5

COSO Framework: Objectives

► Three Objectives:

► Operations objectives – Safeguarding assets, financial performance, productivity, quality

► Reporting objectives – External financial reporting, external non-financial reporting, internal financial and non-financial reporting

► Compliance objectives – Laws, rules, and regulations that apply

Page 6

COSO Framework: 1992 vs. 2013 Edition

[Figure: COSO Cube (1992 Edition) and COSO Cube (2013 Edition); labels: Monitoring, Information & communication, Control activities, Risk assessment, Control environment, Unit A, Unit B, Activity 1, Activity 2]

Components of the COSO Framework

• Control Environment;

• Risk Assessment;

• Control Activities;

• Information & Communications; and

• Monitoring

Page 7

ICIF works well today

COSO’s Internal Control – Integrated Framework (1992 Edition)

Refresh objectives

Enhancements

ICIF will work better tomorrow

COSO’s Internal Control – Integrated Framework (2013 Edition)

Address significant changes to the business environment and associated risks

Updated, enhanced and clarified Framework

Increase focus on operations, compliance and nonfinancial reporting objectives

Expanded internal and nonfinancial reporting guidance

Codify criteria to use in the development and assessment of systems of internal control

Principles

Point of Focus

COSO Framework Update

• Business and operating environments have changed dramatically, becoming increasingly complex, technologically driven and global in scope.

• Stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal controls that support business decisions and governance.

Page 8

Principles-based approach: Principles represent the fundamental concepts associated with the components of internal control. It is generally expected that all principles will, to some extent, be present and functioning for an organization to have effective internal control. When a principle is not being met, some form of internal control deficiency exists.

COSO Framework: 17 Principles

1. Demonstrates commitment to integrity and ethical values

2. Board of directors demonstrates independence from management and exercises oversight responsibility

3. Management, with board oversight, establishes structure, authority and responsibility

4. The organization demonstrates commitment to competence

5. The organization establishes accountability

6. Specifies relevant objectives with sufficient clarity to enable identification of risks

7. Identifies and assesses risk

8. Considers the potential for fraud in assessing risk

9. Identifies and assesses significant change that could impact system of internal control

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

13. Obtains or generates relevant, quality information

14. Communicates internally

15. Communicates externally

16. Selects, develops and performs ongoing and separate evaluations

17. Evaluates and communicates deficiencies

Principles in the framework

1. Control Environment

2. Risk Assessment

3. Control Activities

4. Information & Communication

5. Monitoring

Page 9

COSO 2013 - Codification of the 17 principles

Page 10

COSO Framework: Control Environment

Principle 1: The organization demonstrates a commitment to integrity and ethical values.

► Points of focus

► Sets the Tone at the Top

► Establishes Standards of Conduct

► Evaluates Adherence to Standards of Conduct

► Addresses Deviations in a Timely Manner

Page 11

COSO Framework: Control Environment

Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

► Points of focus

► Establishes Oversight Responsibilities

► Applies Relevant Expertise

► Operates Independently

► Provides Oversight for the System of Internal Control

Page 12

COSO Framework: Control Environment

Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

► Points of focus

► Considers All Structures of the Entity

► Establishes Reporting Lines

► Defines, Assigns, and Limits Authorities and Responsibilities

Page 13

COSO Framework: Control Environment

Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

► Points of focus

► Establishes Policies and Practices

► Evaluates Competence and Addresses Shortcomings

► Attracts, Develops, and Retains Individuals

► Plans and Prepares for Succession

Page 14

COSO Framework: Control Environment

Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

► Points of focus

► Enforces Accountability through Structures, Authorities, and Responsibilities

► Establishes Performance Measures, Incentives, and Rewards

► Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance

► Considers Excessive Pressures

► Evaluates Performance and Rewards or Disciplines Individuals

Page 15

COSO Framework: Risk Assessment

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

► Points of focus

► Operations Objectives

► External Financial Reporting Objectives

► External Non-Financial Reporting Objectives

► Internal Reporting Objectives

► Compliance Objectives

Page 16

COSO Framework: Risk Assessment

Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

► Points of focus

► Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels

► Analyzes Internal and External Factors

► Involves Appropriate Levels of Management

► Estimates Significance of Risks Identified

► Determines How to Respond to Risks

Page 17

COSO Framework: Risk Assessment

Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.

► Points of focus

► Considers Various Types of Fraud

► Assesses Incentives and Pressures

► Assesses Opportunities

► Assesses Attitudes and Rationalizations

Page 18

COSO Framework: Risk Assessment

Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.

► Points of focus

► Assesses Changes in the External Environment

► Assesses Changes in the Business Model

► Assesses Changes in Leadership

Page 19

COSO Framework: Control Activities

Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

► Points of focus

► Integrates with Risk Assessment

► Considers Entity-Specific Factors

► Determines Relevant Business Processes

► Evaluates a Mix of Control Activity Types

► Considers at What Level Activities Are Applied

► Addresses Segregation of Duties

Page 20

COSO Framework: Control Activities

Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.

► Points of Focus:

► Determines Dependency between the Use of Technology in Business Processes and Technology General Controls

► Establishes Relevant Technology Infrastructure Control Activities

► Establishes Relevant Security Management Process Control Activities

► Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

Page 21

COSO Framework: Control Activities

Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

► Points of Focus:

► Establishes Policies and Procedures to Support Deployment of Management’s Directives

► Establishes Responsibility and Accountability for Executing Policies and Procedures

► Performs in a Timely Manner

► Takes Corrective Action

► Performs Using Competent Personnel

► Reassesses Policies and Procedures

Page 22

COSO Framework: Information and Communication

Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

► Points of Focus:

► Identifies Information Requirements

► Captures Internal and External Sources of Data

► Processes Relevant Data into Information

► Maintains Quality throughout Processing

► Considers Costs and Benefits

Page 23

COSO Framework: Information and Communication

Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

► Points of Focus:

► Communicates Internal Control Information

► Communicates with the Board of Directors

► Provides Separate Communication Lines

► Selects Relevant Method of Communication

Page 24

COSO Framework: Information and Communication

Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.

► Points of Focus:

► Communicates to External Parties

► Enables Inbound Communications

► Communicates with the Board of Directors

► Provides Separate Communication Lines

► Selects Relevant Method of Communication

Page 25

COSO Framework: Monitoring Activities

Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

► Points of Focus:

► Considers a Mix of Ongoing and Separate Evaluations

► Considers Rate of Change

► Establishes Baseline Understanding

► Uses Knowledgeable Personnel

► Integrates with Business Processes

► Adjusts Scope and Frequency

► Objectively Evaluates

Page 26

COSO Framework: Monitoring Activities

Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

► Points of Focus:

► Assesses Results

► Communicates Deficiencies

► Monitors Corrective Actions

Page 27

Why the Update

Page 28

Why the Update

Update expected to increase ease of use and broaden application

What is changing…

► Changes in business and operating environments considered

► Operations and reporting objectives expanded

► Fundamental concepts underlying five components articulated as principles

► Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added

What is not changing…

► Core definition of internal control

► Three categories of objectives and five components of internal control

► Each of the five components of internal control are required for effective internal control

► Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

Page 29

Why the Update (cont’d)

Update considers changes in business and operating environments

Environments changes... ...have driven Framework updates

Expectations for governance oversight

Globalization of markets and operations

Changes and greater complexity in business

Demands and complexities in laws, rules, regulations, and standards

Expectations for competencies and accountabilities

Use of, and reliance on, evolving technologies

Expectations relating to preventing and detecting fraud

[Figure: COSO Cube (2013 Edition)]

Page 30

Summary of Changes to Existing Framework

• Key changes:

• Updated, enhanced and clarified framework to address changes in the business and operating environments

• Expanded financial reporting category of objectives to include other important forms of reporting, such as nonfinancial and internal reporting

• Formalizes as principles concepts underlying effective internal control

• Clarified requirement for effective internal control: An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories of objectives - that is, operations, reporting, and compliance. It requires that (1) each of the five components of internal control and relevant principles are present and functioning, and that (2) the five components are operating together in an integrated manner.

• Principles-based approach: While the 1992 version implicitly reflected the core principles of internal controls, the 2013 version explicitly states 17 principles that represent the concepts associated with each of the five components. The new framework presumes that all 17 principles must be present and functioning in an effective system of internal control.

• Present and functioning: Present refers to the determination that components and relevant principles exist in the design and implementation of the system of IC. Functioning refers to the determination that they exist in the operation and conduct of the system of internal control.

• Points of focus: Developed to help management design, implement, conduct and assess whether relevant principles are present and functioning.

Page 31

Summary of Changes to Existing Framework (cont’d)

• Clarifies the role of objective-setting in internal control: The 2013 version preserves the view that objective-setting is a management process, but further clarifies the role of objective setting in internal control.

• Reflects the increased relevance of technology: Technologies have evolved from large standalone mainframe environments to highly sophisticated, decentralized, and mobile applications involving multiple real-time activities that can cut across many systems, organizations, processes and technologies. The change can impact how all components of internal control are implemented.

• Enhances governance concepts: The 2013 version includes expanded discussion on governance relating to the board of directors and committees of the board, including audit, compensation and nomination/governance committees.

• Expands the reporting category of objectives: The financial reporting objective category is expanded to consider other types of reporting, such as nonfinancial and internal reporting.

• Enhances consideration of anti-fraud expectations: This 2013 version contains considerably more discussion of fraud and also considers the potential for fraud as a principle of internal control.

• Considers different business models and organizational structures: Entities now expand their business models to further encompass the use of external parties.

Page 32

Updated Framework: Describes important characteristics of each principle

► For Example:

► Points of focus may not be suitable or relevant, and others may be identified.

► Points of focus may facilitate designing, implementing, and conducting internal control.

► There is no requirement to separately assess whether points of focus are in place.

Control Environment

Principle 1: The organization demonstrates a commitment to integrity and ethical values.

Points of focus:

• Sets the tone at the top

• Establishes standards of conduct

• Evaluates adherence to standards of conduct

• Addresses deviations in a timely manner

Principles-based approach: Principles represent the fundamental concepts associated with the components of internal control. It is generally expected that all principles will, to some extent, be present and functioning for an organization to have effective internal control. When a principle is not being met, some form of internal control deficiency exists.

Page 33

Transition and Impact

► Users are encouraged to transition applications and related documentation to the updated Framework as soon as feasible

► Updated Framework will supersede original Framework at the end of the transition period (i.e., 15 December 2014)

► During the transition period, entities reporting externally should disclose whether the original or updated version of the Framework was used

► Impact of adopting the updated Framework will vary by organization

► Does your system of internal control need to address changes in business?

► Does your system of internal control need to be updated to address all principles?

► Does your organization apply and interpret the original framework in the same manner as COSO?

► Is your organization considering new opportunities to apply internal control to cover additional objectives?

Page 34

EY Point of View

• Helps increase transparency. EY embraces the new COSO 2013 framework. We recognize that the update was due, given the changes in the business, operating and regulatory environment since the original framework was developed, and the structure and rigor presented in this framework around 17 principles and points of focus help establish transparency and accountability in an organization’s process of designing and implementing its system of internal control.

• Strengthened governance. For companies utilizing COSO, the new framework will also aid in strengthening the governance and oversight on internal control in an organization.

• Maintain an optimum balance. It is important for all key stakeholders – management, board and board committees – to recognize that the COSO 2013 framework does not necessarily warrant redesigning the organization’s system of internal control. Management must ensure that their approach for transitioning to the COSO 2013 framework is effective and efficient.

• Implementation of new COSO 2013 framework. While the fundamental elements of the new COSO framework remain the same, it is important for organizations to review the 2013 update and consider whether any changes are needed in their internal controls. This would also include updating existing documentation to support that its system of internal control considers the 17 principles. Depending on the nature of existing internal control documentation, the extent of this effort may vary. Pages 36 and 37 document EY’s recommended approach for organizations to perform this evaluation.

Page 35

The Way Forward

Given the integral role management, the audit committee, internal audit and other risk management functions all play in an effective system of internal control, a coordinated approach to address the key changes in the new COSO framework is essential.

1. Initiate a discussion with senior management and the audit committee on the new COSO framework, highlighting its key changes and implications to the system of internal control at the organization

2. Review and establish a process for identifying and assessing necessary changes in controls (if any) and related documentation

3. Document your approach toward the application of the new COSO framework and transition plan, including changes in controls and related documentation

Page 36

Applying the new COSO 2013 framework

Organizations should consider the following activities in order to transition their internal control documentation to the COSO 2013 framework:

A Review existing internal control assessment results and perform an overall assessment with respect to the five components and supporting 17 principles

B Evaluate each of the five components individually and collectively, and document (in summary) whether the relevant principles are present and functioning

C For each component, formally evaluate whether each of the 17 principles (to the extent they are relevant) is present and functioning and document the summarized assessment, including any deficiencies/gaps

D Create a detailed mapping of all internal controls to each of the five components and related principles and document (may not be required if A, B and C above can be adequately supported)

E Identify additional controls (if any) that may be relevant to fully support a component and/or principle to be present and functioning in the design and implementation of the system of internal control

F Update internal control documentation to reflect changes in the new COSO framework, including but not limited to: financial and non-financial reporting (both internal and external), documenting whether the 17 principles are present and functioning, and clarifying the objectives: a) effectiveness and efficiency of operations, b) compliance with regulatory requirements and c) reporting

Page 37

Applying the new COSO 2013 framework for management

For those companies that have a formal control self assessment process established, they should:

G Update management’s control self-assessment process to include the three objectives (as part of risk assessment) and five components and 17 principles (as part of self-assessment questionnaires)

H Update risk assessment methodology (as applicable) and documentation to include evaluation of the three objectives, five components and 17 underlying principles

Applying the new COSO framework 2013 for internal audit

For an internal audit department:

I Revise the IA risk assessment methodology to address the seventeen principles supporting the five components for achievement of the three objectives

J Include reference of the 17 principles in assurance reviews performed by internal audit and its communication to senior management and the audit committee

Page 38

Points of Discussion

► What will preparers need to do differently?

SOX filers should update their internal control documentation supporting the application of the revised framework (by following the approach discussed on page 36).

► Is it mandatory to make these changes?

Companies that utilize COSO for their SOX 404 assessments will need to transition to the new framework for assessments made after December 15, 2014.

► Is the old framework still relevant?

The old framework will be in effect during the transition period until December 15, 2014. After that, the old framework will be retired. Companies making public assertions during the transition period as to the effectiveness of their internal controls are required to disclose which framework was used in the assessment.

Page 39

Points of discussion (cont’d)

► Should we use the compendium of illustrative tools?

The compendium of illustrative tools is a guidance provided by COSO to help organizations apply the new framework. It is only ONE of the several ways in which organizations can design and implement the system of internal control. Please refer to page 34 for more ideas on how to apply the new COSO framework to your system of internal control.

► How does it link with the ERM?

ERM is much broader than internal control. The COSO ERM framework and guidance still stands valid. Internal control is and will continue to be an integral part of the ERM framework.

Page 40

Questions?