COSO 2013 What’s New, What’s Changed, Why Does it Matter and Other Frequently Asked Questions

Upload: protiviti

Post on 22-Jan-2015


DESCRIPTION

A presentation of our recent webinar on COSO

TRANSCRIPT

COSO Framework Update 2013 - Summary

COSO 2013

What's New, What's Changed, Why Does it Matter and Other Frequently Asked Questions

2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Following the webinar, all attendees will receive a link to a copy of the recorded webcast. You can download a PDF version of the slides through the Attachments link.

If you are experiencing technical difficulties during the webcast, let us know by clicking on the Questions link at the top of your screen. Please provide your e-mail address for a swift reply.

Although we will not have a formal Q&A at the end of this webcast, we encourage you to submit your questions throughout the webcast. We will address your questions throughout today's COSO webinar or the remaining COSO webinar series we have planned in 2013 and 2014.

If you are having trouble hearing the audio through the computer, separate phone lines are available.
International: +44 (0) 1452 555566
United States: +1 866 966 9439
Conference ID: 36201187

A Reminder

CPE Credits and Supplemental Information
- We are issuing 1 CPE credit for this presentation
- To be eligible for CPE credit, please answer four (4) out of the five (5) polling questions throughout the duration of this webinar
- Download the CPE Course Evaluation Form through the Attachments link in the webcast software
- Return this evaluation form to Lark Scheierman at Protiviti via e-mail: [email protected]

Download the PDF version of today's presentation through the Attachments link

Trouble hearing the audio through the computer? Dial in! Phone: 1 866 966 9439, Conference ID: 36201187

Today's Presenters

Keith Kawashima is a Managing Director in Protiviti's Silicon Valley office. Keith has over 20 years of experience in finance and accounting including 10+ years with Protiviti/Arthur Andersen's Internal Audit practice and more than 10 years corporate experience in both Finance and Operations prior to joining Protiviti. He has been involved in all aspects of a company's internal audit function from establishing a charter and developing a risk-based internal audit plan, to developing and executing work programs, through reporting at the audit committee and board level. Email: [email protected]

Bob Hirth serves as COSO Chair and was unanimously elected by the board of its sponsoring organizations to serve a three-year term beginning June 1, 2013. His experience includes all of COSO's mission disciplines: Enterprise Risk Management, Internal Control and Fraud Deterrence. He has worked on assignments and made presentations in over 15 countries, serving more than 50 organizations and working closely with board members, C-level executives, finance and accounting personnel and accounting firm partners and employees.

Most recently, he served as a Senior Managing Director of Protiviti, a global internal audit and business risk consulting firm that operates in 22 countries. Prior to that, he was Executive Vice President, Global Internal Audit and a member of the Firm's six-person executive management team for the first ten years of Protiviti's development.

In 2012, Bob was appointed to serve a two-year term on the Standing Advisory Group of the Public Company Accounting Oversight Board (PCAOB). In March 2013, he was inducted into The American Hall of Distinguished Audit Practitioners. E-mail: [email protected]

Jim DeLoach is a Managing Director in Protiviti's Houston office. He has served on the COSO Advisory Council with respect to several COSO projects since 2002, the most recent project being the Internal Control - Integrated Framework Update. He has worked with, and delivered numerous presentations on risk management to, hundreds of companies and groups in 30 countries. He writes Protiviti's Flash Reports, The Bulletin and Board Perspectives: Risk Oversight. In addition, he writes a monthly blog on the online magazine of the National Association of Corporate Directors and a monthly column for Corporate Compliance Insights. He also wrote all four editions of Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements. E-mail: [email protected]

Poll Question #1

Have you read the COSO Internal Control - Integrated Framework Executive Summary?

- Yes
- No, but it is on my to-do list
- No, didn't know how to access it

Lark to administer this poll question.

Topics of Questions You Submitted
- Background and history of COSO
- Reason for change
- Most important changes
- 17 principles
- Points of focus
- Present and functioning
- Internal control deficiencies
- Components operating together
- Transitioning to the new framework
- Level of effort required
- Change management
- Size of company
- Implications for SOX
- Guidance from the SEC
- IT implications
- Public vs. private sectors
- Working with external auditor
- Risk assessment
- Implementation guidance
- ERM
- Fraud
- Internal audit
- Continuous improvement

Thank you for all of your questions!

Speaker Notes:
During the webcast registration process we provided you the opportunity to submit your questions regarding the 2013 COSO Framework. We are pleased to report that we received an overwhelming response to this request with more than 2,000 people registering and over 400 questions submitted. Thank you for sharing your questions with us; we have used these questions as we defined the content for our webinar today.

The list that is up on the screen is a summary of the topics covered in the questions you submitted. We had varying types of questions asked by the audience that spanned a wide variety of knowledge and experience with the COSO framework. For example, some people wanted to discuss the background of COSO and the reasons for the change, while others were more focused on specific details related to the implementation of the framework. We also had a number of questions driven toward how this might be impacted by specific external audit firms.

Questions We are Hearing
- What has changed and what does it mean to us?
- Do we need to move to COSO 2013, or can I stay with COSO 1992?
- What will our external auditors require?
- When do we need to change?
- Under what circumstances should we consider being an early adopter?
- How much effort will it take for our organization to transition to COSO 2013?
- If we stay with COSO 1992 this year with the intent to transition next year, do we need to map our controls to the COSO 2013 principles this year?
- What will happen if we do not transition to COSO 2013 by next year?
- Will the SEC issue any guidance?
- If we transition to COSO 2013 next year, do we need to use it for purposes of our Q1 Section 302 executive certification?

Speaker Notes:
Here is a small representation of the questions that we are hearing in the market and from people like you when you submitted them during the registration process.

Because we had such a large number of questions submitted and they covered a wide range of topics, we are developing a webcast series to properly address your questions.

We recognize that the transition to the framework will be different for every organization and that the timing and approach that individual companies take will need to be reflective of their own organizations. Today's webcast is the first of a series of COSO-focused webcasts that Protiviti plans to offer during the remainder of 2013 and into 2014. Due to the number of registrants and the depth of questions, we have decided to have the topic of these webcasts continue to be driven by the registrants.

Today We Will Cover
- Background on COSO
- Important Changes
- Deficiency Evaluation
- Transitioning to the New Framework
- Why Change?

Speaker Notes:
We are very excited to talk to you about the 2013 COSO Framework. Today we will cover the topics outlined here. We realize that this is a small representation of the topics you all submitted during the registration process. We have dedicated the next hour to these topics.

Again, this is the first of a series of COSO-focused webcasts that we plan to offer. We will address topics not covered today in a future webcast.

Future COSO Webinars

Register for our second webinar in this series, scheduled for October 30th, via the Attachments link in the webcast software

Next Webinar: COSO Implementation Guidance
- Discuss IT General Controls
- Implications for Internal Audit
- Linkage and Impact to ERM
- Use of COSO for Non-ICFR
- And More

Keep Your Questions Coming!!

Future Webinar Topics

Speaker Notes:
We will host the second webcast in this series during October 2013. During this webcast we will focus on the topic of implementing the 2013 COSO Framework. In that webinar we will get into more details on building the project plan, and how to implement it. You can register for the October webinar via the Attachments link in the webcast software. We will also send out a formal invitation in the coming weeks.

We have plenty to cover in the next hour. Because we gathered your questions ahead of time, and in order to stay on topic, we will not have a formal Q&A session at the end of today's webcast. We want to spend as much time as possible on the topics we've identified for today.

However, we still would like to hear what questions you have in order to design the content for our future webinars and to see if we need to provide clarity on any of the topics we have on today's agenda. So, with that in mind, please submit questions that come to mind during today's event by using the Questions link at the top of the webcast software. Your questions will help design our future COSO webcast series as we want the series to properly reflect the questions top-of-mind to you.

Why Change?

Question from our audience: Why were changes in the framework considered necessary?

Speaker Notes:

Keith to transition to Bob for this slide.

Bob to introduce this section.

Background and History of COSO
- Committee Of Sponsoring Organizations of the Treadway Commission
- Formed in 1985 in response to corrupt and unethical business practices in the 1970s and 80s
- Voluntary private sector organization
- COSO Internal Control - Integrated Framework was developed in 1992
- Used by the majority of companies to evaluate their internal control environment, particularly as it relates to internal controls over financial reporting

Figure: COSO Cube (1992 Edition)

Example question received from the audience:
- What is the purpose of the COSO framework?
- Are most companies implementing the new COSO model from a SOX perspective (not operational)?

Speaker Notes:
COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

COSO Internal Control - Integrated Framework is by far the most commonly used and referenced framework by which companies and their external auditors evaluate their internal controls over financial reporting, particularly for purposes of SOX reporting in the U.S. There is no mandate to use the COSO Internal Control framework; however, most companies use it for SOX compliance as it meets the criteria set forth by the SEC for a suitable internal control framework.

COSO is an appropriate framework for non-public companies to adopt to improve their internal control structure.

What is COSO and Why is it a Suitable Model?

Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment.

Source: PCAOB AS 2

Example question received from the audience:
- Is COSO required for all businesses?

Speaker Notes:
To build on the PCAOB's audit standard number 2, a framework is only suitable when it is:
- Free from bias
- Permits reasonably consistent qualitative and quantitative measurement of a company's internal control over financial reporting
- Sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal control over financial reporting are not omitted
- Relevant to an evaluation of internal control over financial reporting

COSO Internal Control - Integrated Framework meets these criteria.

COSO has been used primarily for SOX compliance, so that is where the attention is with the adoption over the next 12+ months.

Why Change?

Environment changes have driven Framework updates:
- Expectations for governance oversight
- Globalization of markets and operations
- Increased complexity of business and organizational structures
- Demands and complexity in laws, rules, regulations and standards
- Expectations for competencies and accountabilities
- Use of, and reliance on, evolving technologies
- Expectations relating to preventing and detecting fraud
- Large-scale governance and internal control breakdowns
- Risk and risk-based approaches receive greater attention

Figure: COSO Cube (2013 Edition)*

Source: Chapter 2 of COSO Internal Control: Integrated Framework (2013).*

Example question received from the audience:
We received 11 questions in the Why Change category.
- What prompted the changes to the COSO framework?
- Why were changes in the framework considered necessary?
- What are the advantages of the change?

What Hasn't Changed

Core definition of internal control:
Internal control is a process effected by the entity's board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives relating to:
- Operations
- Reporting
- Compliance

The cube retains its familiarity:
- Objectives represent the columns
- Components represent the rows
- Objectives may be set at the entity, division, operating unit or functional levels

Example question received from the audience:
- How does the initial COSO translate into COSO 2013?
- What are the major differences between new and old frameworks?

Speaker Notes:
For those familiar with the old framework, the new framework will look very familiar.

You can get a copy of the framework's executive summary on COSO's website. When implementing COSO for SOC, most companies focused on Control Activities at the expense of the other COSO components.

What Hasn't Changed
- The criteria used to assess the effectiveness of an internal control system remain largely unchanged. Assessed, using a principles-based approach, relative to the five components of internal control
- To have an effective system of internal control relating to one, two or more categories of objectives, all five components must be:
  - Present and functioning, and
  - Operating together
- The significant role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness.
- Principles are provided for each component and management exercises judgment in determining the extent to which these principles are present and functioning

Example question received from the audience:
- How does the initial COSO translate into COSO 2013?
- What are the major differences between new and old frameworks?

Speaker Notes:
- COSO's Monitoring Control and ERM guidance are still in effect
- The Smaller Public Company guidance issued by COSO is superseded by the new framework.

What's Changed
1. Codifies 17 principles supporting the five components of internal control
2. Clarifies role of objective-setting as a precursor to internal control
3. Reflects increased relevance of technology
4. Incorporates an enhanced discussion of governance concepts
5. Expands the reporting category of objectives to include non-financial and internal
6. Enhances consideration of anti-fraud expectations in its own principle
7. Increases the focus on non-financial reporting objectives to broaden use
8. Additional approaches and examples for operations, compliance and non-financial reporting objectives

Example questions received from the audience:
Of the 72 questions we received about What Has Changed, here are a few:
- How has COSO changed and how does that impact my current framework?
- What are specific examples of changes to COSO introduced in the updated framework?
- What are the major changes stemming from the new guidance?
- What are the advantages of the change?

Speaker Notes:
KPMG, among several of the big 4, emphasizes in their commentary on the framework that fraud risk assessment may require additional attention by organizations that did not focus their assessment at the appropriate level of depth. Protiviti's methodology has been to integrate the fraud risk assessment into our SOX documentation work.

Poll Question #2

How do you document your SOX fraud risk assessment?

- As a separate standalone analysis
- Integrated into our process level risk and controls documentation
- Both at an entity level and process level
- We don't evaluate fraud risk explicitly

Lark to administer this poll question.

Important Changes

Question from our audience: How often should we expect that all of the 17 Principles will not apply?

Speaker Notes:

Jim to introduce this section.

The Most Important Change: 17 Principles Representing Fundamental Concepts Associated with Each Component

The number in parentheses after each principle is the slide's "No of POF" column.

CONTROL ENVIRONMENT
- Demonstrates commitment to integrity and ethical values (4)
- Exercises oversight responsibility (4)
- Establishes structure, authority and responsibility (3)
- Demonstrates commitment to competence (4)
- Enforces accountability (5)

MONITORING ACTIVITIES
- Conducts ongoing and/or separate evaluations (7)
- Evaluates and communicates deficiencies (3)

INFORMATION & COMMUNICATION
- Uses relevant information (5)
- Communicates internally (4)
- Communicates externally (5)

CONTROL ACTIVITIES
- Selects and develops control activities (6)
- Selects and develops general controls over technology (4)
- Deploys through policies and procedures (6)

RISK ASSESSMENT
- Specifies relevant objectives (5)
- Identifies and analyzes risk (5)
- Assesses fraud risk (4)
- Identifies and analyzes significant change (3)

Questions

Example questions from the audience:
We received 19 questions around this topic, particularly as it relates to mapping guidance. Some of them include:
- What are the most important changes?
- How often should we expect that all of the 17 Principles will not apply?
- Do you find that most of the 17 principles can be applied to entity level controls?
- Are there any resources/guidance around mapping the 17 principles to a company's control environment?

Speaker NotesWe expect that all companies will need to evaluate the 17 principles codified in the new framework.

Within control activities, companies generally need to increase the precision of management review controls, and this has been a common finding in the PCAOB inspection report findings for SOX.

Points of Focus Represent Important Characteristics Associated With the Principles

Principles can be present and functioning without all points of focus. Points of focus represent helpful guidance and do not require separate evaluations. Management must use judgment on the relevance of the points of focus. They are not meant to imply a checklist. An example of these for the Control Environment, Commitment to Integrity and Ethical Values is below.

- Sets the Tone at the Top: The board of directors and management at all levels of the entity demonstrate through their directives, actions and behaviors the importance of integrity and ethical values to support the functioning of the system of internal control
- Evaluates Adherence to Standards of Conduct: Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct
- Establishes Standards of Conduct: The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners
- Addresses Deviations in a Timely Manner: Deviations from the entity's expected standards of conduct are identified and remedied in a timely and consistent manner

Example questions received from the audience:
- Are the 81 points of focus to be used as guidelines or as mandatory part of the framework?

Speaker Notes:
Companies will need to determine whether the points of focus are relevant for their organization.

As you think about points of focus, let's circle back to the three things we should remember about COSO:
- Overall, the assessment of the effectiveness of internal control is directed to the five components and their underlying principles
- While points of focus are intended to provide helpful guidance to assist management in designing, implementing and conducting internal control and in assessing whether relevant principles are present and functioning, the New Framework does not require separate evaluations of whether they are in place
- If management intends to use points of focus when evaluating whether the principles to which they apply are present and functioning, assess whether they are suitable, relevant and complete based on the company's specific circumstances

Poll Question #3

Did you use COSO's 2006 Internal Control over Financial Reporting - Guidance for Smaller Public Companies to guide your SOX documentation?

- Yes
- No
- Not sure

Lark to administer this poll question.

Deficiency Evaluation

Question from our audience: What are the best methods for determining if components are operating together?

Speaker Notes:

Jim to introduce this section.

Present and Functioning

To determine that a principle and component are present and functioning, the organization must:

- Understand the intent of the principle and how it is being applied
- Work to help personnel understand and apply the principle consistently across the entity
- View weaknesses in absence of a principle as a matter requiring management's attention

"Present" refers to the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives (Design and Implementation Effectiveness)

"Functioning" refers to the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives (Operating Effectiveness)

Determine to what extent relevant principles underlying the component are present and functioning

Example question from the audience:
We received 6 questions around testing. Some of them are:
- Does COSO provide guidance testing operating effectiveness of the controls?
- What impact will this have on internal audit's approach to SOX (testing & evaluation of deficiencies)?

Speaker Notes:
In determining whether a component of internal control is present and functioning, senior management, with the board of directors' oversight, needs to determine to what extent relevant principles underlying the component are present and functioning.

Principles present and functioning operate within a range of acceptability, and do not need to achieve the highest level of performance.

Assessing Whether Components Operate Together
- Focus of evaluation is on how each of the five components is being applied as an integral part of the overall system of internal control, not just functioning on its own
- Components are interdependent with a multitude of interrelationships and linkages, particularly in terms of how principles interact within and across components
- From a practical standpoint, management can demonstrate that components operate together when they are present and functioning AND internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist
- Therefore, aggregate internal control deficiencies across components to assess whether major deficiencies exist

Example questions from the audience:
- What are the best methods for determining if components are "operating together"?

Speaker Notes:
"Operating together" refers to the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.

Because components operate together, controls in one area of the framework can be leveraged to address other components, providing the opportunity to streamline controls.

Another view of "Operating together" recognizes that components are interdependent with a multitude of interrelationships and linkages, particularly in terms of how principles interact within and across components. For example:
- The development and deployment of policies and procedures as part of Control Activities contributes to the mitigation of risks identified and analyzed within Risk Assessment.
- The communication of internal control deficiencies to those responsible for taking corrective actions as part of Monitoring Activities reflects a full understanding of the entity's structures, reporting lines, authorities and responsibilities as set forth in the control environment and as communicated within Information and Communication.

Assessment of Internal Control Deficiencies

A deficiency is a shortcoming in a component or components and relevant principle(s) that reduces the likelihood that the entity can achieve its objectives. Not every deficiency will result in a conclusion that the entity does not have an effective system of internal control.

- Major deficiency = an internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives
- Management may be required to consider additional criteria established by external parties (e.g., regulators, standard-setting bodies, listing agencies, etc.)
- Alternative or compensating controls may further support a conclusion that a principle is present and functioning

Example questions from the audience:
- Does a "major deficiency" imply a SOX 404 material weakness that precludes an unqualified opinion?
- When should we expect a final decision regarding new terminology re: deficiencies and weaknesses?
- What impact will this have on internal audit's approach to SOX (testing & evaluation of deficiencies)?

Speaker Notes:
COSO has new terminology for deficiencies, and defers to regulatory guidance when the framework is used for that purpose.

The criteria set forth by the new framework (through the components and principles) provide the basis for management to apply judgment when assessing the effectiveness of internal control.

Limitations on Internal Control

No such thing as absolute assurance

The framework comments on limitations of internal control, which result from:
- The quality and suitability of objectives established as a precondition to internal control
- The potential for flawed human judgment in decision-making
- Management's consideration of the relative costs and benefits in responding to risk and establishing controls
- The potential for breakdowns that can occur because of human failures (such as simple errors or mistakes)
- The possibility that controls can be circumvented by collusion of two or more people
- The ability of management to override internal control functions and decisions

Example questions from the audience:
- Does COSO provide a confidence level to use?
- Is there guidance on how to implement 2013 COSO Framework for smaller reporting companies? (6 questions around this)

Poll Question #4

Were you aware that the criteria for evaluating deficiencies for SOX are unchanged?

- No
- Yes

Lark to administer this polling question.

Transitioning to the New Framework

Question from our audience: What do you think will be the most difficult part of the transition?

Speaker Notes:

Keith to introduce this section.

30. Transitioning to the New Framework

- Transition as soon as feasible, but don't wait too long
- 1992 Framework superseded on December 15, 2014
- Organizations can continue their use of the original version until December 15, 2014
- Use of 1992 Framework beyond transition period is not an option
- There is a presumption the New Framework will be used after the transition period
- Must disclose which framework was used in the SOX internal control report
- The SEC staff has said they plan to monitor the transition for issuers

Questions Received from the Audience:

We received 33 questions about transitioning to the new framework. Most centered around the effective date. Here are some examples:
- Effective date?
- Will it be possible to continue using the 1992 framework after the 2013 implementation date is passed?
- Will this be delayed further?
- SEC Expectations? (5 questions)

Speaker Notes:
- Companies will not want to defer implementing the new framework; you can probably expect the SEC to ask why you used the old framework after December 2014 along with external auditor push back.
- Organizations should do a gap assessment against COSO 2013 before their next year-end report to determine if there are any gaps that might require disclosure under the old COSO framework.
- There are a limited number of circumstances where immediate application is encouraged.
- COSO 2013 provides companies with an opportunity to refresh their documentation and look at it with a new set of eyes.

31. Next Steps

- Become familiar with COSO 2013
- Meet with management to discuss COSO 2013
- Establish a plan that will help your organization to successfully transition to COSO 2013
- Consider deploying a centralized, project management office (PMO)-like discipline to ensure a top-down, cost-effective approach to converting the underlying documentation to support a determination that the underlying principles outlined in the New Framework are present and functioning
- Designate roles, responsibilities and authorities for converting the documentation
- Discuss with external auditor as soon as possible to discuss expectations
- Develop a timeline for transition with appropriate milestones
- Internal audit should develop and communicate a transition plan to the new framework for purposes of planning, conducting and reporting on risk-based audits

Example questions from the audience:

We received 9 questions about implementation specific to the actions necessary. Examples include:
- What do you think the most difficult part of the transition will be?
- What are the practical ways to apply the new changes?
- Do you recommend that the project manager be located outside of Internal Audit?
- How do you convert current documentation to meet the 2013 requirements?

Speaker Notes:
- For companies that are getting ready to go public and are using COSO for the first time, it makes sense to use the new framework now.
- Consider the implications on outsourced service providers.

32. Next Steps

Timeline: Project Kick-off | Q3/Q4 2013 | Q1 2014 | Q2 2014 | Q3 2014 | Q4 2014

- Establish PMO
- Adopt project plan for transition to COSO 2013
- Management training on COSO 2013
- Revise documentation to reflect change to COSO 2013
- Begin control testing to assess controls under new framework
- Conclude on Internal controls over financial reporting under new framework

Example question received from the audience:

We received 93 questions around implementation, with 32 of them centering around the timeline for implementation and whether it is mandatory.
- Can you share a sample transition plan?
- What are the required transition timeline(s) for implementing the updated framework?
- What is baseline time frame for implementation?

33. Implications for SOX

- Top-down, risk-based approach is unchanged
- Clearly disclose in the internal control report whether the original or 2013 version was utilized during the transition period
- Convert existing internal control documentation to the principles-based approach
- Expect dialogue on the best time to map controls documentation to the 17 Principles
- Decide whether points of focus should be used and, if so, assess whether they are suitable, relevant and complete based on the company's specific circumstances

Questions Received from the Audience:

We received 25 questions on SOX testing implications.
- How will this change established SOX programs/testing?
- How does this impact management's testing of SOX controls?

Speaker Notes: How well your organization has kept its SOX documentation up to date, and whether it has experienced any significant changes recently, will drive the level of update effort. For companies that have experienced the rigor of several years of compliance under Section 404 of Sarbanes-Oxley, it won't be a significant undertaking.

The compendium of approaches and examples for application of the framework to internal control over financial reporting may be useful for SOX initiatives and emphasizes the top-down, risk-based approach.

34. Poll Question #5

When do you plan on implementing the COSO 2013 framework for ICEFR?

- For year-end 2014
- This year
- Not sure

35. Impact Considerations for Your Adoption of the 2013 Framework

- Does your system(s) of internal control need to address changes in business?
- Does your system(s) of internal control need to be updated to address all principles?
- Does your organization apply and interpret the original Framework in the same manner as COSO?
- Is your organization considering new applications to cover new objectives?

Impact of adopting the updated Framework will vary by organization:

Questions Received from the Audience:

We received 8 questions on level of effort.
- What changes are required to implement from a practical perspective?
- What is the most used approach; identify gaps and then work on the gaps?
- Anticipated cost and hours?

36. Protiviti's COSO FAQ 2nd Edition

The New Framework issued by COSO is an important development, as it facilitates efforts by the organizations to develop cost-effective systems of internal control to achieve important business objectives and sustain and improve performance.

It also supports organizations as they adapt to the increasing complexity and pace of a changing business environment, manage risks to acceptable levels and improve the reliability of information decision-making.

We've recently updated our frequently asked questions on COSO Internal Control.

37. Future COSO Webinars

- Register for our second webinar in this series, scheduled for October 30th, via the Attachments link in the webcast software
- Next Webinar: COSO Implementation Guidance

Future Webinar Topics:
- Discuss IT General Controls
- Implications for Internal Audit
- Linkage and Impact to ERM
- Use of COSO for Non-ICFR
- And More

Keep Your Questions Coming!!

Speaker Notes:

Thank you again for attending today's webcast and for continuing to submit questions related to the 2013 COSO Framework. As mentioned earlier, we will review these questions to help design our ongoing COSO webcast series. Don't forget to register for our October webinar using the instructions provided on this slide. We will send out an invitation for this webcast in the near future.

38

- Tools: Over 1,400 audit programs, checklists, questionnaires, methodologies, policies, charters and templates.
- Publications: Hot topics, regulatory updates, survey reports and other actionable publications.
- CPE: Upgrade to access 42 CPE credits through our online, self-paced courses.
- AuditNet: Access to hundreds more audit programs and other tools on AuditNet.

Access our COSO topic and many more!

$595 per subscriber, per year. Find discounts and group pricing on www.knowledgeleader.com/Subscribe.

Have questions? Call 866-925-8513 (US and Canada) | 415-402-6489 (International) or email [email protected].