coso monitoring - templates

48
2009 COSO Guidance & Impact 1

Upload: wwwavivaspectrumcom

Post on 20-Jun-2015

315 views

Category:

Economy & Finance


0 download

DESCRIPTION

http://www.avivaspectrum.com/contacts COSO 2009 Monitoring Templates free overview

TRANSCRIPT

Page 1: Coso Monitoring - Templates

2009 COSO Guidance & Impact

1

Page 2: Coso Monitoring - Templates

AgendaOverview of COSOPurpose of the

Monitoring GuidanceHow COSO’s 2009

Monitoring Guidance Impacts Smaller Co.

2

Page 3: Coso Monitoring - Templates

Quick Overview of COSOCOSO was formed in 1985 Introduced a Framework for internal controls in 1992COSO is comprised by five professional associations: American Accounting Association AICPA (American Institute of Certified Public Accountants) FEI (Financial Executives International) IIA (The Institute of Internal Auditors) and IMA (Institute of Management Accountants)

3

Page 4: Coso Monitoring - Templates

COSO Guidance - Timeline

1987

Fraud

report

1987 - 1997 Fraud report

on public companies – Issued 1999

1997 – 2007

Fraud report

on public

companies –

Coming Soon

(June 2009)

Monitoring Guidance

Issued Feb. 2009

Guidance for

Smaller Public

Companies

Issued June

2006

Monitoring

Guidance on

Derivatives

Issued 1996

ERM FrameworkIssued 2004

20101985

Framework

Introduced in 1992

4

Page 5: Coso Monitoring - Templates

How to get COSO MaterialsFree download to executive summaries

(e.g. introduction or overview documents) of their guidance materials located at http://www.coso.org/guidance.htm

www.cpa2biz.com : site represents AICPA and COSO related products. Search terms such as Internal controls, or COSO etc.

5

Page 6: Coso Monitoring - Templates

2009 COSO Monitoring GuidanceIntroduction

Free DownloadIntended for CFO, CEO, BOD and AC members

Vol. 1 Guidance Overview

Intended for C-Level, BOD and AC Members, and Director of Internal

Audit

6

Page 7: Coso Monitoring - Templates

2009 COSO Monitoring GuidanceVol.II Application

Discusses How guidance ImpactsAnd Links to 1992 and 2006 COSO

Guidance materialsAudience: DIA, Internal Audit Staff

etc.

Vol. III ExamplesProvides templates to leverage Monitoring

Guidance TheoryAudience: DIA, Internal

Audit Staff etc.

7

Page 8: Coso Monitoring - Templates

Vol. #1 - Overview• Four Sections 1.Purpose of Guidance2.Nature & Purpose of

Monitoring3.A Model for Monitoring4.Summary Considerations

8

Page 9: Coso Monitoring - Templates

Purpose of the GuidanceTwo Primary Objectives:

1. To help improve the effectiveness & efficiency of their internal control systems

2. To provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control process.

9

Page 10: Coso Monitoring - Templates

Application of GuidanceDesigned to meet all three

control objectives of COSO Framework

Due to SOX compliance Guidance has a primary focus on internal controls over financial reporting

10

Page 11: Coso Monitoring - Templates

Guidance Does Not: Change COSO framework or its 2006 guidanceDictate risks or controls that organization must

considerMandate the exact monitoring procedures that

organizations must followIncrease the monitoring effort for organizations in

areas where monitoring is already effective orMandate a certain level or formality of monitoring

documentation, including the use of certain terms

11

Page 12: Coso Monitoring - Templates

Nature and Purpose of MonitoringCOSO Framework states that “monitoring

ensures that internal controls continues to operate effectively” by leveraging two related principles:1. Ongoing and/or separate evaluations enable

management to determine whether the other components of internal control continue to function over time.

2. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.

12

Page 13: Coso Monitoring - Templates

Linking the 2 Principles to 2006 COSO guidance

Principle #19: Ongoing & Separate Evaluations

Principle #20: Reporting Deficiencies

Source: 2006 COSO guidance, vol #3

13

Page 14: Coso Monitoring - Templates

Establishing a Model for Monitoring

Effective approach to monitoring involves:1. Establishing a

Foundation 2. Designing &

Executing Monitoring procedures

3. Assessing & Reporting

14

Page 15: Coso Monitoring - Templates

Establishing a Foundation

A tone at the top that stressesthe importance of monitoring

Effective organizational structure that considers the roles of management and the board regarding monitoring, and places people with appropriate capabilities, objectivity, authority and resources in monitoring roles and

Baseline understanding of internal control effectiveness

15

Page 16: Coso Monitoring - Templates

Design & ExecutePrioritize Risks: Evaluate controls in areas of

meaningful riskID Controls: select appropriate controls for

evaluation from across any or all of COSO’s 5 components

ID information that will be persuasive in supporting conclusions about control effectiveness

Implement monitoring procedures: evaluate that information through a mix of ongoing monitoring and separate evaluations

16

Page 17: Coso Monitoring - Templates

Assessing and Reporting Results

Prioritize findingsProvide support at the

appropriate organization level for conclusions regarding the effectiveness of internal controls and

Follow up on corrective action: Facilitate prompt corrective actions and documentation as necessary

17

Page 18: Coso Monitoring - Templates

Vol. II – Application Overview

18

Page 19: Coso Monitoring - Templates

Vol. II – Application“Quick Tip”

Concept and it’s application in Grey area

Tips on How to Read Vol.II: Grey areas are only suggestions. Application may vary Co. by Co.

19

Page 20: Coso Monitoring - Templates

Application of “Tone at the Top”

Management’s tone influences the way employees conduct and react to monitoring.

Examples of documenting the monitoring of “Tone at the Top” include:Communicating expectations to employees (via

employee manual, performance evaluation, sign-off on risk/control matrices, or other SOX related documents).

Taking action for control problems by documenting control failures and including remediation plan or compensating control for each gap.

Documentation of follow-up procedures for any control failures identified (via ____________ or ______________)

20Action Item: Update Performance Evaluations

Sonia L
Walkthrough, or Samples
Page 21: Coso Monitoring - Templates

Application of “Organizational Structure” Role of Management & the BOD

Senior Management evaluates the day-to-day control and monitoring activities (Evidenced in SOX or other related document sign-off)

BOD has an oversight role, in which they are responsible for Understanding risks to organizational objectives Controls that management has put in place to mitigate those risks How management monitors to help ensure that the internal system

continues to operate effectively NOTE: Evidence should be documented in the BOD/AC minutes Guidance offers four suggestions for the BOD to perform it’s

oversight responsibilities (1) Inquiries & Observation of management, (2) Internal audit function (if present) (3) Hired resources or specialists when necessary and (4) external auditors.

21Action Item: Principle #19 and #2 of COSO can leverage evidence of Monitoring Risks

Page 22: Coso Monitoring - Templates

Application of “Organizational Structure” (continued)

22

Characteristics of Evaluators Self-review: evaluation of one’s own work

Benefit: usually affords the 1st opportunity to ID control deficiencies

Peer Review: evaluation of co-worker’s or peer’s work Benefit: the individual is close to the control and maybe in the

best position to ID and correct control deficiencies Supervisory Review: evaluation of subordinate’s work

Benefit: same as above Peer Review Impartial Review: often includes internal audit function, people from

other departments or external parties Benefit: Most objective concerning results and can place more

reliance on the effectiveness of ICFR

Source: Vol.2: Figure 5, pg13

Page 23: Coso Monitoring - Templates

Monitoring Changes

COSO offers a high-level overview of an internal control change continuum as follows:

23

Page 24: Coso Monitoring - Templates

Change Continuum Evidence

24

Risk/Control matrices

Narrative/Flowcharts ELC - Assessment

Page 25: Coso Monitoring - Templates

Change Continuum Evidence

25

Test Scripts with supporting documents

Sub-certifications on Controls

Page 26: Coso Monitoring - Templates

Change Continuum Evidence

26

Policy & Procedure for changes

Change Mgmt Form

Documentation Authorization with Changes (1)

(1) See Appendix B-Chg Mgmt Narrative Form

Page 27: Coso Monitoring - Templates

Vol. II Application of Design & Execute

27

Source: Vol.2 Figure 7 COSO 2009 Monitoring Guidance

Page 28: Coso Monitoring - Templates

Risk Assessment

28

•COSO’s monitoring guidance does not state to create a separate risk assessment just for monitoring•Prioritizing risks will allow management to decide on the type, timing and extent of monitoring of controls•Risk Factors to consider:

1. Nature of Operations2. Changes in Operations3. Environmental Factors4. Susceptibility to Theft or Fraud

Page 29: Coso Monitoring - Templates

COSO’s Risk Assessment Examples

29

Revenue Example without score detail and objective = Vol.2

Inventory Example with score detail without objective = Vol.3

Page 30: Coso Monitoring - Templates

30

Page 31: Coso Monitoring - Templates

ID Key Controls

31

• Key-Controls determination can occur at various levels within an organization (e.g. supervisor of a plant has different key monitoring controls than the CFO).

• Key-Control Analysis can be facilitated by considering factors that increase the risk that the internal control system will fail to properly manage or mitigate a given risk, these factors are:1. Complexity2. Judgment3. Manual vs. Automated4. Known Control Failures5. Competence/experience of personnel6. Risk of management override7. Likelihood of control failure detection

Page 32: Coso Monitoring - Templates

ID Persuasive Information

32

•Persuasive information is both suitable AND sufficient in the circumstances and give the evaluator reasonable, but not necessarily absolute, support for the conclusion regarding the continued effectiveness of the internal control system in a given risk area.•Suitable information MUST be relevant, reliable and timely.•Sufficiency is a measure of the quantity of information (i.e., whether the evaluator has enough suitable information)

Page 33: Coso Monitoring - Templates

ID Persuasive Information (Cont.)Relevance of Information

Direct vs. Indirect Information Information that directly confirms the operations of the control

is more relevant than indirectDirect: substantiates the operation of controls and obtained by:

1. Observing controls in operation2. Reperformance or 3. Otherwise evaluating their operation directly and can be

useful in both ongoing monitoring and separate evaluationsIndirect: is all other information that may indicate a change or

failure in the operation of controls such as:1. Operating statistics2. Key risk indicators3. Key performance indicators and4. Comparative industry metrics

33

Page 34: Coso Monitoring - Templates

ID Persuasive Information (Cont.)Reliability of Information

Reliable information: is accurate, verifiable and comes from an objective source. Accurate information: represents the degree to which

information can reasonably be expected to be free from error and/or to communicate results that reflect reality.

Verifiable: represents information that can be established, confirmed or substantiated as true.

Objectivity: is the degree to which the information source is unbiased when evaluated

34

Page 35: Coso Monitoring - Templates

ID Persuasive Information (Cont.)Sufficient Information

Management is required to maintain sufficient suitable information to support its conclusion on the effectiveness of internal controls.

SEC has provided smaller public companies with a general guideline dependent upon risks to determine the sufficient level of support.

35

Page 36: Coso Monitoring - Templates

SEC’s Guidance on Information

36

http://www.sec.gov/info/smallbus/404guide.pdf

Page 37: Coso Monitoring - Templates

Companies Should Consider New Sampling Guidance

37

•May 2008: AICPA issued new Sampling guidelines to align better with their risk based auditing standards (i.e. SAS 101 to SAS 112).

•Management should consider multi-location issues as documented in this new guidance as PCAOB and SEC do not provide best practices on how to make sample selections on a risk-based approach for multi-locations.

Page 38: Coso Monitoring - Templates

Implementing Monitoring

38

COSO Provides in Vol.3 Example of Implementing Monitoring Processes for Inventory, which the template can be applied to any business cycle, including IT.

Can add columns for 1)Evidence to Collect2)Qty of Evidence (is it all stores and all months, if so what periods)

Page 39: Coso Monitoring - Templates

Assess & ReportPrioritize Findings by Risk

39

Risk Examples provided by Vol. 2, have one example of each type of Risk Rating Type (by Significance and Likelihood)

Page 40: Coso Monitoring - Templates

Vol. 2 – Applying Concepts of Monitoring Prioritized Risks

40

Extends the concept in prior slide, in how to prioritize monitoring efforts by rating as well (i.e. High, Med. Low)

Page 41: Coso Monitoring - Templates

IT Guidance to Help Prioritize Findings

41

2006 SOX IT Guidance helps users to assess the prioritization based upon risks

Site: www.isaca.org

Page 42: Coso Monitoring - Templates

Internal Reporting: protocol must be established. Typically includes senior management and the board.

External Reporting: a properly designed & executed monitoring program helps support external certifications or assertions because it provides persuasive information that internal controls operated effectively at a point in time or during a particular period.

42

Reporting Results

Page 43: Coso Monitoring - Templates

COSO’s suggested documentation should include evidence of:Reporting items agrees to source scoping

documentsEvidence collected support that the control has

been adequately corrected/remediatedManagement approval of corrective action and

related evidence

43

Follow-up CorrectiveAction

Page 44: Coso Monitoring - Templates

Impact to Smaller Public Companies

Linking Monitoring Principles (i.e. Principal #19 and 20) to actual business processes (i.e. Financial Statement Close Process, Inventory etc.) will reduce the number of key controls required to assess for SOX

Providing more detailed monitoring reports substantiates management’s evidence of reviewing key controls

Guidance provides management more information on how to leverage key controls for more than one type of risk

44

Page 45: Coso Monitoring - Templates

Practical Steps Using 2009 GuidanceStep 1: Entity-Level Control Assessment, use color coding

offered by 2006 COSO GuidanceStep2: Risk Assessment exercise should include IT to

prevent any miscommunication of prioritizing risks for the organization

Step 3: Evaluate Monitoring guidance issued 2009 by COSO, especially considering three top templates from the guidance:1. Quarterly and Annual Management Representations

(vol.3 – Appendix B)2. Enterprise Wide Risk Matrix (vol.3 – Appendix C)3. Prioritize Risk and Controls (vol.2 – pg. 51 to pg. 55)

45

Page 46: Coso Monitoring - Templates

Segregation of Duties (SOD)2009 Due to economy less staff and more

work allocated to others.Leveraging too smaller staff size may cause a

lack of SOD.2009 & 2006 COSO Guidance have stated

compensating controls are the critical factor to avoid a material weakness.

46

Page 47: Coso Monitoring - Templates

SOD Case Study

47

Page 48: Coso Monitoring - Templates

Q & A

My Contact info:Sonia Luna email: [email protected]

Phone: (323) 828-5862

Blog: www.sox-blog.com

Twitter: http://twitter.com/Sox_Solutions

48