Ramifications of the New COSO Framework & Recent PCAOB Actions

Upload: hacong

Post on 14-Jul-2019


Page 1: Ramifications of the New COSO Framework & Recent PCAOB … · New COSO Framework links IT and business process. The 2013 Framework does not fundamentally alter the key concepts of

Ramifications of the New COSO Framework & Recent PCAOB Actions


2

Panelists

• Moderator – Bob Meyer, Senior Vice President of Finance & Corporate Controller, American Tower

• Joann Cangelosi, Partner, Grant Thornton LLP

• Lori Silverstein, Vice President, Controller, Boston Properties

• Marc Panucci, Partner, PricewaterhouseCoopers


3

Discussion Topics

• The COSO 2013 framework and its implications for a company’s internal controls

• Update on PCAOB initiatives and actions

• Trends in auditing


4

The COSO 2013 Framework

• Key differences between the 2013 framework and the original 1992 framework

– 5 framework components

– 17 principles

– 81 points of focus

• Transitioning to the new framework

– Timing

– Methodology

• Key areas of focus

• Where you can find more information

– www.coso.org


5

PCAOB Initiatives and Actions

• The Public Company Accounting Oversight Board issued a Staff Consultation Paper on standard-setting activities related to auditing accounting estimates and fair value measurements for public comment on August 19, 2014.

• An update on the proposal to change the auditor's reporting model issued in 2013

• Feedback on recent PCAOB reviews

• Where you can find more information

– www.pcaobus.org


6

Disclaimer

NAREIT® does not intend this presentation to be a solicitation related to any particular company, nor does it intend to provide investment, legal or tax advice. Investors should consult with their own investment, legal or tax advisers regarding the appropriateness of investing in any of the securities or investment strategies discussed in this presentation. Nothing herein should be construed to be an endorsement by NAREIT of any specific company or products or as an offer to sell or a solicitation to buy any security or other financial instrument or to participate in any trading strategy. NAREIT expressly disclaims any liability for the accuracy, timeliness or completeness of data in this presentation. Unless otherwise indicated, all data are derived from, and apply only to, publicly traded securities. Any investment returns or performance data (past, hypothetical, or otherwise) are not necessarily indicative of future returns or performance.

For more information, visit: www.reit.com

In brief – National Professional Services Group | CFOdirect Network – www.cfodirect.pwc.com

PCAOB issues staff consultation paper seeking comment on auditing accounting estimates and fair value measurements

What happened?

On August 19, 2014, the Public Company Accounting Oversight Board (“PCAOB”) issued for public comment a staff consultation paper on standard-setting activities related to auditing accounting estimates and fair value measurements. The staff consultation paper discusses and solicits comment on certain issues related to auditing accounting estimates and fair value measurements in order to assist the PCAOB staff in evaluating whether the existing PCAOB auditing standards can and should be improved. The PCAOB staff is specifically seeking feedback on: (i) the potential need for changes to the PCAOB’s existing auditing standards to better address changes in the financial reporting frameworks related to accounting estimates and fair value measurements, (ii) current audit practices that have evolved to address issues relating to auditing accounting estimates and fair value measurements, (iii) a possible approach to changing existing auditing standards, and the requirements of a potential new standard, and (iv) relevant economic data about potential economic impacts to inform the PCAOB's economic analysis associated with standard setting in this area.

Overview of the approach being considered by the PCAOB staff

Although the PCAOB staff identified a number of alternative approaches that the PCAOB may wish to consider, the PCAOB staff is considering developing a single standard related to auditing accounting estimates and fair value measurements instead of the separate standards that exist today. The staff consultation paper discusses that the potential new standard could be designed to:

• Align with the PCAOB’s risk assessment standards

• Generally retain the approaches to internal control and substantive testing from the existing standards, but include requirements that apply to both accounting estimates and fair value measurements

• Establish more specific audit requirements related to the use of third parties in developing accounting estimates and fair value measurements, and

• Create a more comprehensive standard related to auditing accounting estimates and fair value measurements to promote greater consistency and effectiveness in application

Use of third parties

A new standard could include the existing requirement related to testing assumptions for fair value measurements developed by a company’s specialist, but apply it more broadly to information provided for accounting estimates. As such, if a company uses a specialist to develop an accounting estimate, a new standard could direct the auditor to test that information as if it were produced by the company. In this case, the auditor would be required, as applicable, to evaluate the appropriateness of the methods, test the data used, and evaluate the reasonableness of significant assumptions, with respect to the information provided by the specialist. Additionally, the PCAOB staff is considering how a potential new standard could address audit evidence obtained from third-party sources, such as pricing services and broker-dealers. Given the differences in how values of financial instruments are derived and obtained, the PCAOB staff is exploring whether a new standard should set forth specific requirements for evaluating information from third-party pricing sources as part of evaluating the reliability and relevance of the evidence. For example, to evaluate reliability, the auditor could take into account the methods used by a third party in determining fair value and whether the methodology used is in conformity with the applicable financial reporting framework. To evaluate relevance, the auditor could determine, among other matters, how the information was developed when there are no transactions for the asset or liability or for comparable assets or liabilities, including whether the inputs developed represent the assumptions that market participants would use when pricing the asset or liability, if applicable.

Why is this important?

Financial statements and disclosures of most companies include accounting estimates and fair value measurements.

What's next?

Comments on the staff consultation paper are due on November 3, 2014. Additionally, the PCAOB announced it will host a meeting of its Standing Advisory Group (“SAG”) on October 2, 2014, in Washington, D.C., to discuss matters related to auditing accounting estimates and fair value measurements. The agenda and meeting logistics will be announced closer to the meeting date.

At a glance

No. US2014-16

August 22, 2014

The staff of the PCAOB’s Office of the Chief Auditor is evaluating whether existing PCAOB standards relating to auditing accounting estimates and fair value measurements can and should be improved.

Questions? PwC clients who have questions about this In brief should contact their engagement partner. Engagement teams who have questions should contact the National Professional Services Group (1-973-236-7800).

Authored by: Neil Weingarten, Partner, Phone: 1-973-236-5862, Email: [email protected]

Sarah Kenny, Director, Phone: 1-973-236-5925, Email: [email protected]

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. To access additional content on financial reporting issues, visit www.cfodirect.pwc.com, PwC’s online resource for financial executives.


Corporate Governor

Providing vision and advice for management, boards of directors and audit committees – Summer 2014

New COSO Framework links IT and business process

Michael Rose, Partner, Business Advisory Services

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a joint initiative of private sector organizations dedicated to providing thought leadership on enterprise risk management, internal control and fraud deterrence, issued its updated Internal Control – Integrated Framework [1] (2013 Framework). The 2013 Framework is expected to be used by most public companies listed in the United States as well as other companies in various jurisdictions starting Dec. 31, 2014, and possibly earlier, in assessing the effectiveness of their internal control over financial reporting (ICFR) and by auditors in reporting on ICFR when required.

The 2013 Framework does not fundamentally alter the key concepts of the original 1992 Framework consisting of five components: control environment, risk assessment, control activities, information and communication, and monitoring. Instead, it clarifies and builds on core strengths by (1) formalizing the concepts embedded within the five components into 17 principles, (2) considering changes in business and operating environments, and (3) expanding the financial reporting objective to address other important forms of reporting [2].

The 2013 Framework also includes “points of focus” that describe each principle’s characteristics and help users evaluate whether a principle is present and functioning. Points of focus aren’t explicit requirements. You don’t need a separate evaluation of points of focus in order to demonstrate that a relevant principle is present and functioning. Management may determine that some points of focus are not suitable or relevant; they may also identify and consider others based on company circumstances. Points of focus may be particularly helpful in assisting management and auditors in evaluating principles that weren’t as thoroughly developed in the 1992 Framework, such as those relating to fraud prevention and to the use of IT.

1 See www.coso.org for more information.


Principle 11

The organization selects and develops general control activities over technology to support the achievement of objectives.

The following points of focus highlight important characteristics relating to this principle:

• Determines dependency between the use of technology in business processes and technology general controls

• Establishes relevant technology infrastructure control activities

• Establishes relevant security management process control activities

• Establishes relevant technology acquisition, development and maintenance process control activities

Principle 11 points of focus

The 2013 Framework recognizes the importance of technology in achieving operations and compliance objectives, as well as reporting objectives. Principle 11 and its points of focus address the importance of IT controls.

1. Determines dependency between the use of technology in business processes and technology general controls

Management must understand the linkages between its business processes, general technology controls and controls that are automated in its control activities. Control activities are the tasks that ensure the existing technology continues to function as originally designed. Technology general controls are also referred to as general computer controls, general controls or IT controls. The overall reliability of technology in business processes, which would include automated controls (controls embedded in an application), will result from an effective design up front, and then continued execution of general control activities over technology from an operating effectiveness perspective.

Technology general controls operating as designed will support automated controls and ensure that they are functioning properly. An example of an automated control would be the three-way match among purchasing, receiving and invoicing. The technology general controls determine that the correct files are being matched and the process is complete and accurate. In addition, the security control activities make sure that only authorized individuals have access to the files.

The COSO model for technology general controls touches all five components of the 2013 Framework, as evidenced in the following list. The emphasis here is illustrative as it relates to the five components.

Control environment

• Tone from the top, IT governance identifying controls as important

• Technology policies and procedures and information security policies

• Various committees established for technology governance

2 Read more about the new framework and 17 principles in CorporateGovernor Summer 2013. See www.grantthornton.com/issues/library/newsletters/advisory/2013/BAS-GRC-Updated-COSO-Framework.aspx for details.


Risk assessment

• IT risk assessments link to corporate and business risk assessments

• IT controls determined for high-risk business units and functions

• IT risk assessment for IT information security identifying threats and matching to vulnerabilities

• Risk assessment for business continuity

Control activities

• Approval of IT plans and system architecture

• Committee approval for change management

• Compliance with information and security standards

Information and communication

• IT corporate communications

• Best-practice IT communication

• Review of user access to information and reports

• IT and security training

Monitoring

• Review of periodic technology assessments

• Review of technology organization

• Review of high-risk IT areas

• Review of technology metrics

Additional control activities may be selected or designed to be used in the mitigation of specific risks in the overall use of technology processes.

2. Establishes relevant technology infrastructure control activities

Technology general controls include control activities over technology infrastructure, networks, operating systems, data management and applications. They apply to everything from mainframe computers, clients/servers, desktops, end-user computing, portable computers and mobile device technology to operational technology. The control activities over each of these will depend on a number of factors, including risk as it relates to the underlying business processes, complexity of technology and overall outside threats. The technology general controls could be manual or automated. Following are control activities over newer technologies. These are some areas of interest with some control objectives attached, and are not meant to be all-inclusive.

End-user computing (EUC)

• Identification of all EUC as it relates to critical business processes in the organization

• Monitored security and access to where the EUC is located

• Integrity of change management process for changes made, tested, reviewed and approved

• Accuracy and completeness of all information in the EUC

Mobile devices

• Mobile device policies and procedures are in place

• Access control and encryption for mobile devices are in place and provide adequate coverage

• Non-company owned mobile devices are segregated for data in a complete and effective manner

• Mobile device incident management processes and controls are in place and effectively functioning


Cloud

• Prepare a clear governance model to follow, including policies and procedures

• Assess service levels, infrastructure and applications used, and related metrics and outcomes

• Understand cloud vendor management ability, including people’s skills and competencies, processes and technology

• Review cloud security and compliance requirements

• Agree on service-level metrics, outcomes and effectiveness of services

• Identify where risks are present and integrate into existing risk assessment

• Review results criteria periodically, and have a mechanism to document exceptions and gaps and a process to correct issues

3. Establishes relevant security management process control activities

The security management process includes all control activities over access to an organization’s technology, including transaction processing, data, operating systems, network applications and physical access. Security controls over access prevent the unauthorized access and use of systems, changes to the system, and changes to data and program integrity from common error or malicious intent. They enforce segregation of duties so that no individual has access to incompatible functions within the system, which also reduces the likelihood of fraud.

Security risks are both internal and external. External threats come in many different forms, depend on telecommunication networks and use the Internet. A company has customers, employees, vendors and others using its system. The pervasive use of technology in business operations presents significant threats on a daily basis. Internal threats come from within the organization, through former or disgruntled employees who have extensive knowledge of the organization’s security system and are therefore better equipped to succeed. Here are a few preventive actions to consider:

External cybersecurity threats

• Establish cybersecurity governance, including policies and procedures

• Classify all information based on its restriction of privacy

• Determine what applications use highly private information

• Perform a vulnerability analysis on these higher-risk applications

• Identify potential threats to these applications

• Understand vendor access and determine safeguards

• Perform a risk assessment regarding the highest risks based on the above

• Determine where investments are needed to protect private information

• Identify and treat attacks and breaches in a timely and appropriate manner

• Monitor cybersecurity activity and report to senior management


Internal threats

• Develop policies and procedures regarding employees’ access to data and applications and termination of those rights when employees leave the organization

• Identify all employees that have access to incompatible data and applications in high-risk transactions

• When access can’t be changed, provide a monitoring process/review of transactions those employees perform

• Periodically review access rights of employees

4. Establishes relevant technology acquisition, development and maintenance process control activities

The technology general controls should support the life cycle of technology throughout acquisition, development and maintenance. Organizations rarely use one methodology for all systems development projects; they choose a methodology based on factors such as the size of the project. The chosen methodology should provide controls over changes to technology: acquiring the appropriate approvals for a change, reviewing the change, testing the results and implementing a process to make sure the changes are completed properly. The methodology provides a structure for system design and implementation. It outlines requirements such as documentation, approvals and controls over the technology life cycle.

Organizations need some basic controls that are similar in all systems acquisition and development work.

• User requirements are always documented and results measured.

• A formal process should be followed for system design to determine that user requirements and controls are designed in the system.

• System development is carried out in a formal manner to ensure that design features are included in the final product.

• Testing should include users, review of the functionality and confirmation that system interfaces operate as intended.

• Maintenance processes should ensure that changes in application systems are controlled and change management has a validation process.

• All outsourced system development work would be reviewed and determined to have a similar set of controls over the entire process.

• All work must be under project management control, whether it’s developed in-house or outsourced.

• A communication and reporting mechanism must be in place to ensure that all projects are completed in a timely manner and on budget.


Conclusion

COSO recognizes the importance of technology in achieving operations and compliance objectives, and it wrote Principle 11 of the 2013 Framework to link business processes to technology general controls. The points of focus can help users evaluate whether the principle is present and functioning properly. While these points of focus aren’t explicit requirements, use them as a tool to thoroughly address your IT controls. IT controls are pervasive throughout an organization, so it is critical to have a strong control environment across all business units.

Contact

Michael Rose, Partner, Business Advisory Services
T 215.376.6020
E [email protected]

Editor

Evangeline Umali Hannum
E [email protected]

About the newsletter

CorporateGovernor is published by Grant Thornton LLP. The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world’s leading organizations of independent audit, tax and advisory firms. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.

Connect with us: grantthornton.com | @grantthorntonus | linkd.in/grantthorntonus

“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a worldwide partnership. All member firms are individual legal entities separate from GTIL. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. Please visit grantthornton.com for details.

© 2014 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd