What's happening at COSO & The importance of Tone at the Top


1 What's happening at COSO & The importance of Tone at the Top
Doug Prawitt, PhD, CPA
McAllister/Deloitte Distinguished Professor of Accountancy, Brigham Young University
COSO Board Member

2 History is Important

3 Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence.

4 Mission
COSO's Mission is: "To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations."
COSO's Fundamental Principle: Good risk management and internal control are necessary for the long-term success of all organizations.

5 National Commission on Fraudulent Financial Reporting - And Thus...
Formed in 1985
James C. Treadway, Jr. (former SEC Commissioner and General Counsel, Paine Webber) as its Chairman (became known as the "Treadway Commission")
Private-sector initiative to inspect, analyze, and make recommendations on fraudulent corporate financial reporting.
Source: sechistorical.org

6 The Internal Control Recommendation
"All public companies should maintain internal controls that provide reasonable assurance that fraudulent financial reporting will be prevented or subject to early detection" - this is a broader concept than internal accounting controls.
"The Commission also recommends that its sponsoring organizations cooperate on developing additional, integrated guidance on internal controls."
- Treadway Commission report

7 A Broad Perspective
"Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance."
Source: COSO 2013 Internal Control - Integrated Framework

8 Lest We Forget

9 Timeline
1987: Treadway Commission Report
1992: Internal Control - Integrated Framework
1996: Internal Control Issues in Derivatives
1999: Fraud Study I - Fraudulent Financial Reporting
2004: Enterprise Risk Management Framework
2009: Guidance on Monitoring Internal Control Systems
2013: Revision of 1992 COSO ICIF Framework
2016: Fraud Risk Management Guide
2017: Revision of 2004 COSO ERM Framework
Guidance for Smaller Businesses on Internal Control over Financial Reporting (year not legible on the slide)

10 COSO Internal Control Publications

11 In that year...
Senator Paul Sarbanes and Congressman Michael Oxley were not yet famous
Most of the developments in business and technology that we take for granted today had not been realized:
The Internet was largely unknown to the public (Al Gore didn't claim credit for inventing it until 1999)
Companies were just starting to connect through EDI; there were no GUI web browsers
Smartphones did not exist (and cell phones were the size of small bricks)
The global financial crisis was still many years away
China had not yet committed to a modified market economy
Large accounting firms maintained lists of controls for their auditors to check off; there was no big-picture blueprint, no integrated, conceptual framework!

12 2013 update considered changes in business and operating environments
Environmental changes... drove the Framework updates:
Expectations for governance oversight
Globalization of markets and operations
Changes and greater complexity in business
Demands and complexities in laws, rules, regulations, and standards
Expectations for competencies and accountabilities
Use of, and reliance on, evolving technologies
Expectations relating to preventing and detecting fraud
[Graphic: COSO Cube (2013 Edition)]

13 No need to scrap what works...
The 1992 Framework was the most widely adopted control framework worldwide.
Original Framework: COSO's Internal Control - Integrated Framework (1992 Edition)
Refresh Objectives: Reflect changes in business & operating environments; Expand operations and reporting objectives; Articulate principles to facilitate effective internal control
Enhancements: Updates Context; Broadens Application; Clarifies Requirements
Updated Framework: COSO's Internal Control - Integrated Framework (2013 Edition)

14 Project deliverable #1: Internal Control - Integrated Framework (2013 Edition)
Consists of three volumes:
Executive Summary
Framework and Appendices
Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Sets out:
Definition of internal control
Categories of objectives
Components and principles of internal control
Requirements for effectiveness

15 Project deliverable #2: Internal Control over External Financial Reporting: A Compendium...
Illustrates approaches and examples of how principles are applied in preparing financial statements
Considers changes in business and operating environments during the past two decades
Provides examples from a variety of entities: public, private, not-for-profit, and government
Aligns with the updated Framework

16 Update intended to increase ease of use and broaden application
What did not change...
Core definition of internal control
Three categories of objectives and five components of internal control
Each of the five components of internal control is required for effective internal control
Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness
What did change...
Changes in business and operating environments considered
Reporting objective expanded
Fundamental concepts underlying the five components articulated as principles
Points of focus for each principle
Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added

17 Update articulates principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops appropriate control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

18 A New Title in 2017 on ERM
Retitled as Enterprise Risk Management - Integrating with Strategy and Performance
Recognizes the importance of strategy and entity performance
Further delineates enterprise risk management from internal control

19 A Key Introduction
"Our understanding of the nature of risk, the art and science of choice, lies at the core of our modern market economy. Every choice we make in the pursuit of objectives has its risks. From day-to-day operational decisions to the fundamental tradeoffs in the boardroom, dealing with uncertainty in these choices is a part of our organizational lives."

20 Decision-making: Uncertainty/Certainty
Selecting SAP or Oracle
Setting the quarterly revenue plan for $16 million
Hiring a new VP of
Not developing a new product
Making a new investment
Opening a new office
Closing an office

21 1) Provides a New Document Structure
Framework focused on fewer components (five)
Uses focused call-out examples to emphasize key points (> 30)
Follows the business model versus an isolated risk management process

22 2) Introduces Principles
20 key principles within the five components

23 3) Incorporates New Graphics/Concepts
Graphic has stronger conceptual ties to the business model