An overview of COSO’s 2013 update to the Internal Control – Integrated Framework
COSO changes coming in 2014
January 7, 2014
Eide Bailly LLP (www.eidebailly.com)

Posted 29-Mar-2015 by india-jaques

Page 1:

An overview of COSO’s 2013 update to the Internal Control – Integrated Framework

COSO changes coming in 2014

January 7, 2014

Page 2:

Agenda

• Overview of the updated 2013 COSO Internal Control – Integrated Framework

• Principles & Points of Focus supporting the Five Components

• Transitioning to the 2013 Framework

• Other Considerations

Page 3:

Overview of COSO IC-IF

Internal Control - Integrated Framework (ICIF)

Originally released in 1992

Updated in May 2013, including three companion documents

Authored by PwC under the direction of the COSO Board

Committee Of Sponsoring Organizations of the Treadway Commission

Page 4:

COSO 2013 update

Updated Internal Control – Integrated Framework issued on May 14, 2013

Companion documents include:

• Internal Control – Integrated Framework Executive Summary

• Illustrative Tools for Assessing Effectiveness of a System of Internal Controls

• Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Transition Date: December 15, 2014

Page 5:

2013 update: What’s new?

• Expands operations and reporting objectives

• Codification of 17 principles supporting the five components

• Points of Focus to help identify and evaluate 17 principles

• Addresses increased relevance and dependence on IT

• Increased guidance on fraud risk assessment and responses

• Updated for changes in business and operating environments

Page 6:

2013 update: What’s the same?

• Core definition of internal controls

• Objectives: Operations, Reporting & Compliance

• Five components of internal control:
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring

• Role judgment plays in design, implementation, operation and assessment of internal controls

Page 7:

17 Codified Principles

Control Environment
1. Demonstrates commitment to integrity & ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Page 8:

Internal Control Objectives

Operations: “relate to the achievement of an entity’s basic mission and vision operational . . . financial performance, productivity . . . and includes safeguarding of assets against loss” (‘92 framework “effectiveness and efficiency of the entity's operations, including performance and profitability goals and safeguarding resources against loss”)

Reporting: “pertains to the preparation of reports for use by organizations and stakeholders and may relate to financial and non-financial reporting . . . External reporting objectives are driven primarily by regulations and/or standards established by regulators and standard-setting bodies . . .” (in the ‘92 framework this was known as the Financial Reporting objective: “preparation of reliable published financial statements, including prevention of fraudulent public financial reporting”)

Compliance: “conduct activities, and often take specific actions, in accordance with applicable laws and regulations . . . understanding which laws, rules and regulations apply across the entity” (‘92 framework: “pertains to adherence to laws and regulations to which the entity is subject”)

Page 9:

Principles & Points of Focus: Control Environment

“The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. . . The control environment comprises the integrity and ethical values of the organization . . . enabling the board of directors to carry out its oversight responsibilities . . . structure and assignment of authority and responsibility . . . attracting, developing, and retaining competent individuals . . . rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.”

1. The organization demonstrates a commitment to integrity and ethical values

- Tone at the Top
- Establishes Standards of Conduct
- Evaluates Adherence to Standards of Conduct
- Addresses Deviations in a Timely Manner

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control

- Establishes Oversight Responsibilities
- Applies Relevant Expertise
- Operates Independently
- Provides Oversight for the System of Internal Control

Page 10:

Principles & Points of Focus: Control Environment Continued

3. Management establishes, with Board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives

- Considers All Structures of the Entity
- Establishes Reporting Lines
- Defines, Assigns and Limits Authorities and Responsibilities

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives

- Establishes Policies and Practices
- Evaluates Competence and Addresses Shortcomings
- Attracts, Develops and Retains Individuals
- Plans and Prepares for Succession

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives

- Enforces Accountability through Structures, Authorities, and Responsibilities
- Establishes Performance Measures, Incentives and Rewards
- Evaluates Performance Measures, Incentives and Rewards

Page 11:

Principles & Points of Focus: Risk Assessment

“Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.”

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

Operations Objective:

- Reflects Management’s Choices
- Considers Tolerances for Risk
- Includes Operations and Financial Performance Goals
- Forms a Basis for Committing of Resources

Note: For Principle 6 (Risk Assessment) there is a different set of Points of Focus for each of five specific categories of objectives:

- Operations Objectives
- External Financial Reporting Objectives
- External Non-Financial Reporting Objectives
- Internal Reporting Objectives
- Compliance Objectives

Page 12:

Principles & Points of Focus: Risk Assessment


6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

External Financial Reporting Objective:

- Complies with Applicable Accounting Standards
- Considers Materiality
- Reflects Entity Activities


Page 13:

Principles & Points of Focus: Risk Assessment Continued

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed

- Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
- Analyzes Internal and External Factors
- Involves Appropriate Levels of Management
- Estimates Significance of Risks Identified
- Determines How to Respond to Risks

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives

- Considers Various Types of Fraud
- Assesses Incentives and Pressures
- Assesses Opportunities
- Assesses Attitudes and Rationalizations

9. The organization identifies and assesses changes that could significantly impact the system of internal control

- Assesses Changes in the External Environment
- Assesses Changes in the Business Model
- Assesses Changes in Leadership

Page 14:

Principles & Points of Focus: Control Activities

“Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may . . . encompass a range . . . of activities . . . Where segregation of duties is not practical, management selects and develops alternative control activities.”

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels

- Integrates with Risk Assessment
- Considers Entity-Specific Factors
- Determines Relevant Business Processes
- Evaluates a Mix of Control Activity Types
- Considers at What Level Activities Are Applied
- Addresses Segregation of Duties

Page 15:

Principles & Points of Focus: Control Activities Continued

11. The organization selects and develops general control activities over technology to support the achievement of objectives

- Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
- Establishes Relevant Technology Infrastructure Control Activities
- Establishes Relevant Security Management Process Control Activities
- Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action

- Establishes Policies and Procedures to Support Deployment of Management’s Directives
- Establishes Responsibility and Accountability for Executing Policies and Procedures
- Performs in a Timely Manner
- Takes Corrective Action
- Performs Using Competent Personnel
- Reassesses Policies and Procedures

Page 16:

Principles & Points of Focus: Information & Communication

“Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.”

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control

- Identifies Information Requirements
- Captures Internal and External Sources of Data
- Processes Relevant Data into Information
- Maintains Quality throughout Processing
- Considers Costs and Benefits

Page 17:

Principles & Points of Focus: Information & Communication Continued

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control

- Communicates Internal Control Information
- Communicates with the Board of Directors
- Provides Separate Communication Lines
- Selects Relevant Method of Communication

15. The organization communicates with external parties regarding matters affecting the functioning of internal control

- Communicates to External Parties
- Enables Inbound Communication
- Communicates with the Board of Directors
- Provides Separate Communication Lines

Page 18:

Principles & Points of Focus: Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning

- Considers a Mix of Ongoing and Separate Evaluations
- Considers Rate of Change
- Establishes Baseline Understanding
- Uses Knowledgeable Personnel
- Integrates with Business Processes
- Adjusts Scope and Frequency
- Objectively Evaluates

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate

- Assesses Results
- Communicates Deficiencies
- Monitors Corrective Actions

Page 19:

Transition to 2013 Framework

• Transition to the 2013 Framework: the 1992 Framework is superseded on December 15, 2014

• COSO issued the transition document “The 2013 COSO Framework & SOX Compliance – One Approach to an Effective Transition” by Stephen McNally, CPA

• SEC implications in transitioning to the 2013 Framework

• Developing a transition plan, documentation & other considerations

Page 20:

COSO Guidance on Transition

The 2013 COSO Framework & SOX Compliance – One Approach to An Effective Transition

By Stephen McNally, CPA

Develop Awareness, Expertise and Alignment: timeless concepts, expanded reporting, codified principles

Conduct Preliminary Impact Assessment: evaluate existing system, leverage existing documentation, identify gaps

Facilitate Broad Awareness: engage broader organization, educate & build awareness, leverage key stakeholders

Develop & Execute Transition Plan for SOX Compliance: documentation & evaluation, testing, gap remediation, external review & testing

Drive Continuous Improvement: tone at the top, culture & processes, improve reporting & communication

Page 21:

SEC Reporting Implications

- I understand that COSO intends to supersede their 1992 Framework . . .we expect there will be questions about whether the SEC will provide management with any transition or implementation. . . SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. . . I’ll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition.

Paul Beswick, Chief Accountant, SEC

- SEC definition of internal control over financial reporting has NOT changed.

- Material weakness (SEC/PCAOB) vs major deficiency (COSO)

- Disclosures: framework used for assessment and plan for transition

Page 22:

SEC Reporting implications continued

Exchange Act Rule 13a-15(f) defines internal control over financial reporting as:

“A process . . . to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external reporting purposes in accordance with GAAP . . .”

Policies and procedures must:

- Maintain records in reasonable detail that accurately and fairly reflect the transactions and dispositions of the assets of the issuer

- Ensure receipts and expenditures of the issuer are made only in accordance with authorizations of management and directors, and

- Provide reasonable assurance regarding prevention or timely detection of the unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.

Page 23:

Transition plan

- High level assessment and implications of adopting 2013 Framework ASAP

- Determine the impact at the Entity, Division, Operating and Functional levels across the organization

- Identify key stakeholders and decision makers associated with the organization’s internal controls (specifically over Financial Reporting)

- Leverage existing processes, procedures and documentation

- Develop a transition plan:
- Responsibilities and expectations
- Timeline
- Reporting and communication
- Opportunities and benefits

Page 24:

Documentation

Documentation of the organization’s system of internal controls

- Provides evidentiary support regarding design and operating effectiveness

- Allows for ongoing monitoring and communication

- Basis for management’s assessment

- Support for third parties (shareholders, regulators, external auditors)

- Responsibility and accountability

- Training and consistency

Page 25:

Other Considerations

• Organizational objectives related to risk, operations, controls, and reporting

• Use of third-party service providers and SaaS

• Size and scope of entity, subsidiaries, foreign operations

• Judgment regarding internal controls, specifically over External Financial reporting

• Costs and benefits of internal controls

• Limitations of internal controls

Page 26:

Companion documents

- Executive Summary

- Illustrative Tools for Assessing Effectiveness of a System of Internal Controls
- Templates & scenarios
- Do not modify the existing framework

- Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
- Examples of how the principles apply to External Financial Reporting
- Illustrate design and implementation for any size of entity
- Demonstrate how Points of Focus support the principles

Page 27:

References & Links

COSO references & links

The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition
http://www.coso.org/documents/COSO%20McNallyTransition%20Article-Final%20COSO%20Version%20Proof_5-31-13.pdf

Executive Summary, 2013 Internal Control – Integrated Framework
http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf

The complete updated 2013 IC-IF compendium is available through the AICPA (ebook member price $216)
http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/InternalControls/COSO/PRDOVR~PC-990027/PC-990027.jsp

SEC references & links

Remarks at the 32nd Annual SEC and Financial Reporting Institute Conference, Paul Beswick, Chief Accountant, U.S. Securities and Exchange Commission
http://www.sec.gov/News/Speech/Detail/Speech/1365171575494

Jeff Lliteras, CPA
Consulting Services Manager, Eide Bailly LLP
877 W. Main Street, Suite 800, Boise, ID 83702
208.424.3528
jlliteras@eidebailly