coso 2013 and the auditor
TRANSCRIPT
COSO 2013 and The Auditor
What the auditor needs to know about COSO 2013 implementations.
Corporate Compliance Seminars
1
Control. Comply. Communicate.
John C. Blackshire, CPA / 479-200-4373 / [email protected]
Property of Corporate Compliance Seminars www.compliance.seminars.com
Accountant, Auditor, IT Projects, Compliance Assessor, Sales Director, Trainer
• The Accountware Group / Corporate Compliance Seminars• Training, system design, implementation, security, customization, support,
documentation, change management
• Walker Interactive Products• Financial system designer, financial system implementation, integration, user
support, sales, training
• Insurance Systems of America• Created and managed internal consulting organization, developed system
implementation methodology, deployed accounting systems.
• KPMG• Financial Auditor of insurance, financial services, manufacturing clients
• Past Meeting Coordinator - IIA International Conference
2Property of Corporate Compliance Seminars www.compliance.seminars.com
“COSO is a bunch of policies and
procedures. It can’t help us.” –
CEO
“We hire great people. They do a great job!”
– HR Director“Our numbers are rock-solid!”
– Internal Audit Director
3Property of Corporate Compliance Seminars www.compliance.seminars.com
“We spent $30M and two years
installing SAP. It has strong
controls” - CIO
4
The SituationSection 1
Why the COSO Committee?
COSO 2013 and The Auditor
Control. Comply. Communicate.
John C. Blackshire, CPAPh: 479-200-4373 / [email protected]
© 2015 Corporate Compliance Seminars
Property of Corporate Compliance Seminarswww.compliance.seminars.com
5
Organization of thePetroleum Exporting
Countries (OPEC)
- General prosperity- Decreased government spending- Tax reductions- Tightened money supply to stem inflation- Increased defense budget- Deregulation: “free market” economy- Oil price controls lifted
Property of Corporate Compliance Seminarswww.compliance.seminars.com
Problems in the 1970’s and 1980’s
• Oil price skyrocketed; high interest rates; overvalued real estate; national debt tripled
• Savings & Loan industry collapse; bribes from US companies
• Business failures: Continental Bank; Crazy Eddie’s Electronics, ZZZZ Best, Inc.
Solutions
1977: Foreign Corrupt Practices Act – anti-bribery and internal control requirements
1985: National Commission on Fraudulent Financial Reporting
aka “Treadway Commission”. Mission: “To identify causal factors that can lead to fraudulent financial reporting.”
1987: Treadway Report
1990: CFO Act – Fiscal control in Federal agencies
1999: Blue Ribbon Committee on Improving theEffectiveness of Corporate Audit Committees
2002: Sarbanes-Oxley Act
6Property of Corporate Compliance Seminars
www.compliance.seminars.com
7
1985 - Committee of Sponsoring Organizations (COSO)of the Treadway Commission was formed “to identify the causal factors
that can lead to fraudulent financial reporting.”
“COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.”
Property of Corporate Compliance Seminarswww.compliance.seminars.com
SEC: “The term internal control over financial reporting is defined as a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
• Pertain to the maintenance of records that in reasonable detail accurately and fairlyreflect the transactions and dispositions of the assets of the issuer;
• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.” (Rule 13a-15 (f) )
8Property of Corporate Compliance Seminars
www.compliance.seminars.com
9
1992
2006
2009
2013
Guidance on Monitoring Internal
Control Systems
Internal Control —Integrated Framework
Guidance for Smaller Public
Companies
Internal Control —Integrated Framework
Property of Corporate Compliance Seminarswww.compliance.seminars.com
Property of Corporate Compliance Seminars
www.compliance.seminars.com
Why update the “Internal Control – Integrated Framework”?
• The 1992 framework was extremely poorly documented
• Made significant changes to documentation of the framework to standardize the documentation of its usage
• Codify criteria to use in development and assessment of systems of internal control
• Expanded the business objectives being considered
Property of Corporate Compliance Seminarswww.compliance.seminars.com
What did not change... What changed...
1. Management is responsible for internal control
2. Five components of internal control
3. Three categories of internal control
4. The fundamental criteria used to assess effectiveness of systems of internal control
5. Use of judgment in evaluating the effectiveness of systems of internal control
1. Definition of internal control
2. Codification of principles with universal application for use in developing and evaluating the effectiveness of systems ofinternal control
3. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives
4. Increased focus on operations, compliance and non-financial reporting objectives based on user input
“The experienced reader will find much familiar in the updated Framework, which builds on what has proven effective in the original version.”
COSO Update creates “Principles of Control” and “Points of Focus”
COSO 2013 Definition of “Internal Control”
“A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding achievement of objectives related to operations, reporting, and compliance.”
“Internal control is…
• Geared to the achievement of objectives in one or more separate but overlapping categories
• A process consisting of ongoing tasks and activities—it is a means to an end, not an end in itself
• Effected by people—it is not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control
• Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and board of directors
• Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process”
Property of Corporate Compliance Seminarswww.compliance.seminars.com 12
• “Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:
• Each component and each relevant principle is present and functioning
• The five components are operating together in an integrated manner”
• “Each principle is suitable to all entities…”
• “All principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology)”
• “Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies…”
• “A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives…”
Property of Corporate Compliance Seminarswww.compliance.seminars.com
PoF Statements from COSO
• “Points of focus may not be suitable or relevant, and others may be identified”
• “Points of focus may facilitate designing, implementing, and conducting internal control assessments”
• “There is no requirement to separately assess whether points of focus are in place”
Property of Corporate Compliance Seminarswww.compliance.seminars.com
Control Environment Principle of Control 1“The organization demonstrates a commitment to integrity and ethical values.”
Points of Focus:• Sets the Tone at the Top• Establishes Standards of Conduct• Evaluates Adherence to Standards of Conduct• Addresses Deviations in a Timely Manner
• “The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control.”
• “An organization’s selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity.”
• “A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles.”
• “However, understanding and considering how controls effect multiple principles can provide persuasive evidence supporting management’s assessment of whether components and relevant principles are present and functioning.”
Property of Corporate Compliance Seminarswww.compliance.seminars.com
16
The Problems
Section 2
What are the issues within the Marketplace?
COSO 2013 and The Auditor
Control. Comply. Communicate.
John C. Blackshire, CPAPh: 479-200-4373 / [email protected]
© 2015 Corporate Compliance Seminars
Property of Corporate Compliance Seminars www.compliance.seminars.com
Guidance to PCAOB Staff
• “Considerations of Audits of ICFR”
• Issued October 24, 2013
• Based on past three years of inspections
Areas
1. “Risk Assessment and the Audit of Internal Control”
2. “Selecting Controls to Test”
3. “Testing Management Review Controls”
4. “IT Considerations”
5. “Roll Forward of Controls Tested at an Interim Date”
6. “Using the Work of Others”
7. “Evaluating Identified Control Deficiencies”
17
“More than one in threeaudits inspected by the
PCAOB were so deficient the auditors should not have
signed off!”
-CFO Journal January 2014
James R. DotyChairman, PCAOB
Property of Corporate Compliance Seminars www.compliance.seminars.com
18
To Listen
To Interpret
To Hear
What does audit mean??
Property of Corporate Compliance Seminarswww.compliance-seminars.com
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring Activities
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Uses relevant information
14. Communicates internally
15. Communicates externally
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficienciesProperty of Corporate Compliance Seminars
www.compliance.seminars.com
20
COSO 1992 was not suitable to the SEC criteria.
Where are the regulators going?
Does Section 302 and 404 certification work?
Why was COSO 1992 Updated?
Property of Corporate Compliance Seminarswww.compliance-seminars.com
21
Was COSO 1992 free from bias. (36%)
Was COSO 1992 sufficiently complete. (36%)
Did COSO 1992 provide reasonable measurements. (34%)
SEC Criteria under SOX 404
Property of Corporate Compliance Seminarswww.compliance-seminars.com
Was COSO 1992 relevant to evaluation of ICFR (40%)
22
What happened in 2008?
Is audit quality up or down?
Are material weaknesses up or down?
Does Section 302 and 404 certification
work?
Property of Corporate Compliance Seminarswww.compliance-seminars.com
How about investor returns?
23
The Implications
Section 3
What are the conditions we need to address?
COSO 2013 and The Auditor
Control. Comply. Communicate.
John C. Blackshire, CPAPh: 479-200-4373 / [email protected]
© 2015 Corporate Compliance Seminars
Property of Corporate Compliance Seminars www.compliance.seminars.com
24
COSO 2013 the default standard.
Can internal controls prevent or lessen economic issues?
COSO has announced a rewrite of the COSO ERM Framework.
Where are the regulators going?
Property of Corporate Compliance Seminarswww.compliance-seminars.com
1. What is the definition of the risk brands being considered in the client’s internal control assessment?
2. Is the financial information recorded completely, accurately and timely and inagreement with US GAAP?
3. Are the financial accounting, compliance and operating practices documented and understood throughout the organization, including at off-site locations?
4. Are the internal controls adequate to detect and report errors and fraud?
5. Are we, the external auditors, independent and effective to report errors and deviations from GAAP, policies, procedures and internal controls?
6. Is the client’s Audit Committee independent and critically examining financial reports and fraud allegations?
7. Are key performance metrics, risks, controls and compliance activitiesmaintained, monitored and continuously assessed?
Property of Corporate Compliance Seminarswww.compliance.seminars.com 25
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring Activities
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Uses relevant information
14. Communicates internally
15. Communicates externally
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficienciesProperty of Corporate Compliance Seminars
www.compliance.seminars.com
27
• “The use of entity-level control assessment is under-utilized.”
• “Effective entity-level monitoring may eliminate or reduce the need for certain transaction-level controls.”
• “Companies can significantly reduce the testing workload by properly designing robust and effective entity level controls.”
Entity-level controls as % of total key controls
Source: Ernst & Young Survey 2013
Property of Corporate Compliance Seminars www.compliance.seminars.com
The term “Entity-Level Controls” describes the aspects of a system of internal control that have a pervasive effect on the on the entity’s controls, such as:
• controls related to the control environment (ex. management’s philosophy and operating authority and responsibility);
• controls over management override;• the company’s risk assessment process;• centralized processing and controls including shared service environments;• controls to monitor results of operations;• controls to monitor other controls including activities of the internal audit
function, the audit committee, and self-assessment programs;• controls over the period-end financial reporting process; and • policies that address significant business control and risk management practices.
28Property of Corporate Compliance Seminars
www.compliance.seminars.com
29
What Needs To Be Done
Section 4
What is the auditor to do with COSO 2013?
COSO 2013 and The Auditor
Control. Comply. Communicate.
John C. Blackshire, CPAPh: 479-200-4373 / [email protected]
© 2015 Corporate Compliance Seminars
Property of Corporate Compliance Seminars www.compliance.seminars.com
30
21-24. Operations Objectives
25-27. External Financial Reporting Objectives
28-30. External Non-Financial Reporting Objectives
31-33. Internal Reporting Objectives
34-35. Compliance Objectives
Reflects Management’s ChoicesConsiders Tolerances for RiskOperations and Financial Performance GoalsForms a Basis for Committing of Resources
Complies with applicable accounting standardsConsiders MaterialityReflects Entity Activities
Complies with Externally Established Standards and FrameworksConsiders the Required Level of PrecisionReflects Entity Activities
Reflects Management’s ChoicesConsiders the Required Level of PrecisionReflects entity activities
Reflects External Laws and RegulationsConsiders Tolerances for Risk
“The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.”
Points of Focus
Property of Corporate Compliance Seminars www.compliance.seminars.com
31
36. Includes Entity, Subsidiary, Division, Operating Unit
and Functional Levels
37. Analyzes Internal and External Factors
38. Involves Appropriate Levels of Management
39. Estimates Significance of Risks Identified
40. Determines How to Respond to Risks
The organization identifies and assesses risks at the entity, subsidiary, division, operating unit and functional levels relevant to the achievement of objectives.
Risk identification considers both internal and external factors and their impact on the achievement of objectives.
The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management.
Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce or share the risk.
“The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”
Points of Focus
Property of Corporate Compliance Seminars www.compliance.seminars.com
32
41. Considers Various Types of Fraud
42. Assesses Incentives and Pressures
43. Assesses Opportunities
44. Assesses Attitudes and Rationalizations
The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption [and management override of controls] resulting from the various ways that fraud and misconduct can occur
The assessment of fraud risk considers incentives and pressures
The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate act
The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions
“The organization considers the potential for fraud in assessing risks to the achievement of objectives.”
Points of Focus
Property of Corporate Compliance Seminars www.compliance.seminars.com
33
45. Assesses Changes in the External Environment
46. Assesses Changes in the Business Model
47. Assesses Changes in Leadership
The risk identification process considers changes in the regulatory, economic, and physical environment in which the entity operates
The organization considers the potential impact of new business lines, dramatically altered compositions of existing lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies and new technologies
The organization considers changes in the management and respective attitudes and philosophies on the system of internal control
“The organization identifies and assesses changes that could significantly impact the system of internal control.”
Points of Focus
Property of Corporate Compliance Seminars www.compliance.seminars.com
34
Board-Level Actions
Executive-Level Actions
Department Head-Level Actions
Middle Management-Level Actions
Supervisory-Level Actions
Staff-Level Actions
* * * * * GLASS CEILING * * * * *
Entity
Activity
Property of Corporate Compliance Seminars www.compliance.seminars.com
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring Activities
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Uses relevant information
14. Communicates internally
15. Communicates externally
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficienciesProperty of Corporate Compliance Seminars
www.compliance.seminars.com
Property of Corporate Compliance Seminarswww.compliance.seminars.com
How has the company satisfied the COSO Control Components?Are the controls present? Are the controls functioning? - Summary
Risk Assessment – Risk Committee, Risk Model, Annual assessment,
BoD/ AC review of management’s risk responses, etc.
Control Environment – Board of Directors, Audit Committee, Ethics policy and training, Hotline, Policies and Procedures, etc.
Control Activities – Standards for all activities. Selection of key controls, documentation of key controls, testing, remediation, etc.
Information & Communication – Documentation and communication of SOX/ Risk Assessment, Internal Control reports, etc.
Monitoring Activities – Quarterly executive meetings, metrics, presentation to BoD/ AC, etc.
1. Formalize and reassess risks (entity – business process – IT activity)
• Identify material changes in operations
• Determine in-scope and out-of-scope business units
2. Reassess key controls; considering your “control mix”
• Consider financial and non-financial controls
• Consider external and internal reporting controls
• Consider compliance, operational, fraud and IT controls
3. Link SOX program to the COSO 2013 framework
• COSO narrative or spreadsheet
• COSO Illustrative Toolset or other tool
4. Align risks and key controls to the COSO Components, Principles and Points of Focus
• Consider the organization’s objectives and risks
• Use judgment in selecting the POFs
5. Update SOX documentation for COSO 2013
• Control present and functioning
• Aggregate your deficiencies
• Control effectiveness across Components and PrinciplesProperty of Corporate Compliance Seminars
www.compliance.seminars.com 37
“use common sense”
Property of Corporate Compliance Seminarswww.compliance.seminars.com 38
Key Control:
“The Vendor Disbursements Report is reviewed on a daily basis by the AP Manager and on a weekly basis by the Corporate Controller. The report and certifications are obtained as evidence.”
Principle of Control:
#10: Control activities are defined to reduce entity risks.
#16: Management conducts ongoing and separate evaluations of internal controls.
Component of Control:
#3: Control Activities
#5: Monitoring Activities
Point of Focus:
#44: Addresses the segregation of duties
#69: Considers a mix of ongoing and separate evaluations
39
COSO Component / Principle – Primary Relationship
COSO Component / Principle – Secondary Relationship(s)
Entity Level Controls
2015-2016 COSO ELC Mapping
Property of Corporate Compliance Seminars www.compliance.seminars.com
Key Control COSO Control Component
COSO Principle of Control
COSO Point of Control Focus
Evidence
ControlEnvironment
Risk Assessment
The Vendor Disbursements Report is reviewed on a daily basis by the AP Manager and on a weekly basis by the Corporate Controller. The report and certs are obtained as evidence.
Control Activities
#10: Control activities are defined to reduce entity risks.
#44: Addresses the segregation of duties
Observation and Inspection of Disbursements Report review
Info & Communication
AP Manager Dashboard of Disbursements’Internal Audit report of AP
Monitoring Activities
#16: Management conducts ongoing and separate evaluations of internal controls.
#69: Considers a mix of ongoing and separate evaluations
Controller Monitoring;Internal Audit of Accounts Payable
Property of Corporate Compliance Seminarswww.compliance.seminars.com 40
Consider scoping in more Entity Level risks, controls and assessments
• Assessment of Board and Audit Committee effectiveness
• Assessment of Ethics/ Code of Conduct compliance
• Annual employee awareness of policies and procedures
• Effectiveness of “hotline” (process to report fraud)
• Evaluation of Risk Assessment documentation
• Evaluation of Monitoring controls
Re-evaluate the financial statement risks and key controls
• Financial Statement Assertions (Presentation, Existence, Rights/ Obligations, Cut-Off, Valuation)
Re-evaluate the risks and controls over Compliance and Operational activities
• Assessment of non-financial, internal reporting, business processes, IT and fraud
• Assessment of Outsourced Service Providers (OSPs)
41Property of Corporate Compliance Seminars www.compliance.seminars.com
Each of the five COSO Components must be “present and functioning”
• Are they present? - “The determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.” (“Design”)
• Are they functioning? - “The determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.” (“Operating Effectiveness”)
The five COSO Components must “operate together in an integrated manner” i.e. “the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.”
• Management can demonstrate that components operate together when:
• “The components are present and functioning, and
• Internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist.”
42Property of Corporate Compliance Seminars www.compliance.seminars.com
Going ForwardSection 10
Direction and Summary
43
COSO 2013: The Sequel
Control. Comply. Communicate.
Property of Corporate Compliance Seminars www.compliance.seminars.com
• Alphabetic Keyboard – 1860’s
• Qwerty – Solution to jamming
• Dvorak – 1932
• “Touch” keyboards (keyless)
• Virtual keyboards
• No keyboards--voice dictation, etc.
Do we really like to change?
44Property of Corporate Compliance Seminars
www.compliance.seminars.com
Cultural Issue Our Suggestions
1. “Risk Awareness” Don’t force the risk assessment routine to an annual exercise. Assess risks on a “needs” basis…monthly or quarterly. Create triggers for all High and Medium Risks.
2. “Communication” Explain “WHY”. Foster the flow of communications up and down the organization. Hold corporate “town hall meetings”. Encourage the sharing of “best practices”. Whistleblower function.
3. “Incentives” Reward practices and behavior above and beyond expectations.
4. “Training - Mentoring” Reinforce the Compliance programs through e-mails, meetings and webinars. Have formal mentorship programs.
5. “Measure” Quantify and track metrics such as financial, risk factors, quality, customer service and improvements. Have established ranges for all metrics and the “Why’s”
6. “Accountability” Hold managers and staff accountable for controllable events such as errors, over budgets and compliance violations.
7. “Fix” Create an effective Mission-Policy-Procedure stack. Identify the root cause and systemic issues.
8. “Continuous Improvement” Encourage positive and negative feedback for process improvement.
45Property of Corporate Compliance Seminars www.compliance.seminars.com
46Property of Corporate Compliance Seminars
www.compliance.seminars.com
Catastrophic Low Low Medium Risk - 15%
HighestRisks – 5%
Major Low Low Medium Risk - 15%
Medium Risk - 15%
Moderate Low Low Low Low
Minor Low Low Low Low
Insignificant Low Low Low Low
Rare Unlikely Possible Likely
The Pareto’s Principle – The 80 - 20 Rule
Reevaluate Significant Financial Accounts and Cycles
Reevaluate Significant Business Processes & Controls
Key Control Map – Business and IT
Test; Deficiencies
Remediate & Retest
Reassess Risks – F, NF, Internal, External, Fraud, Operations, Compliance, IT
Reevaluate and Map the Entity Control Environment
Monitor & Sustain Compliance
Do
cum
en
tatio
n -
Ev
ide
nce
47Property of Corporate Compliance Seminars
www.compliance.seminars.com
48
© 2015 Corporate Compliance Seminars
Control. Comply. Communicate.
John C. Blackshire, CPA / 479-200-4373 / [email protected]
Property of Corporate Compliance Seminars www.compliance.seminars.com