
Making the Transition to COSO's Updated Integrated Framework

Learning Objectives: Upon successful completion of this segment, you should be able to:
    identify the five components of internal control;
    recognize the significant developments in COSO's new internal control framework;
    identify points of focus from principle 8 of the COSO Risk Assessment Component;
    determine the levels of IT controls under COSO Principle 11.

Segment Overview: After two decades of change in the business environment, COSO has updated its Internal Control Integrated Framework, including an additional focus on how the framework applies to external financial reporting. John McLaughlin, risk advisory services leader for BDO USA LLP, explains what your clients should be considering, and you should start doing, in order to transition to the new guidance.

Field of Study: Auditing
Course Level: Update
Course Prerequisites: Work experience in financial reporting or auditing, or an introductory course in accounting
Advance Preparation: None
Recommended Accreditation: 2 hours self-study
Required Reading (Self-Study): The 2013 COSO Framework: One Approach to an Effective Transition, by J. Stephen McNally, CPA, Campbell Soup Company. Reprinted with permission of Strategic Finance. For additional info, go to: See page 8.
Video Transcript: See page
Running Time: minutes

Outline

I. Internal Control Integrated Framework
    A. Issued by COSO in 1992
    B. Accepted as Framework for Attesting to Internal Control
    C. Five Interrelated Components of Internal Control
        1. Control environment
        2. Risk assessment
        3. Control activities
        4. Information and communication
        5. Monitoring activities
    D. Original Framework Will Become Obsolete

II. Updated Internal Control Integrated Framework
    A. Significant Changes
        1. Reporting objective has expanded
        2. Financial reporting is now reporting
        3. Seventeen specific principles spread across five main components of internal control
    B. Effective Internal Control Requirements
        1. Seventeen principles need to be present and functioning
        2. Components in principles need to be operating in integrated manner
    C. Points of Focus
        1. Describe a characteristic of a principle
        2. Demonstrate how principles are in place
        3. Not every one needs to be in place
    D. Judgment Expressed Throughout COSO Framework
        1. Components application to objectives
        2. Principles application to components
        3. Risk assessment
        4. Design and implementation of controls
        5. Selection of control activities
        6. Assessment of deficiencies

III. The ICEFR Compendium
    A. Key Elements
        1. Principles similar to framework
        2. Points of focus similar to framework
        3. Provides approaches (90) and examples (130)
    B. The Appendix Provides
        1. Tools that demonstrate components and principles
        2. Guidance for determining evidence for points of focus
        3. Five scenarios

IV. More on the Updated Internal Control Integrated Framework
    A. Definitions
        1. Control deficiency: a shortcoming in a relevant principle or an associated component that has the potential to adversely affect the ability of the entity to achieve its objectives
        2. Major deficiency: where a deficiency or a combination of deficiencies is severe enough to adversely affect the likelihood that the entity can achieve its objectives
    B. Internal Reporting
        1. Is part of COSO framework
        2. Is where governance failures arise first
        3. COSO trying to enhance and emphasize its importance

V. Internal Control and Risk
    A. The Enterprise Risk Management (ERM) Framework
        1. Is separate from the internal control framework
        2. Not likely to be revised
        3. Differences between ERM and internal control framework described in Appendix G
    B. Risk Appetite
        1. Amount of risk an organization is willing to take in pursuit of its mission or goals
    C. The New COSO Internal Control Framework: Timetable
        1. Transition date December 15, 2014
    D. McLaughlin's Advice
        1. Educate different constituents within the organization
        2. Diagnose: evaluate points of focus
    E. The New COSO Framework: Opportunity to
        1. Reassess controls
        2. Reexamine risk

VI. Evolution from Old to New
    A. Evolution of Computing From Original Framework Until Now
        1. Main frame
        2. Client server
        3. ERP systems
        4. Cloud/virtualization/software as service/asp/mobile
    B. Original 1992 COSO Integrated Framework
        1. Will be available during transition to 12/15/
        2. Will be considered superseded by 2013 Framework
    C. Points of Focus from Principle No. 8 of COSO Risk Assessment Component
        1. Consider various types of fraud
        2. Assess incentives to, and pressures on, individuals
        3. Assess various opportunities to commit fraud
        4. Assess attitudes and rationalizations
    D. Levels of IT Controls under COSO Principle No
        1. Process, automation and general IT controls
        2. Technology controls: completeness, accuracy
        3. Security management: access right and roles
        4. Systems development life-cycle

Group Discussion Option

Instructions for Segment

As the Discussion Leader, you should introduce this video segment with words similar to the following:

In this segment, John McLaughlin explains what your clients should be considering, and you should start doing, in order to transition to the updated COSO framework.

Show the Segment. The transcript of this video starts on page 17 of this guide.

After playing the video, use the questions provided or ones you have developed to generate discussion. The answers to our discussion questions are on page 5. Additional objective questions are on pages 6 and 7.

You may want to assign these discussion questions to individual participants before viewing the video segment.

Discussion Questions
Making the Transition to COSO's Updated Integrated Framework

1. What are the five interrelated components of internal control?
2. What are the significant developments in COSO's new internal control framework? What is your experience with both the old and new COSO internal control framework?
3. What are points of focus?
4. What are some examples of judgment within the new COSO internal control framework?
5. What is the definition of a control deficiency? A major deficiency?
6. What are the points of focus related to principle 8 of the COSO Risk Assessment component?
7. What are the four levels of IT controls described under principle 11?

Suggested Answers to Discussion Questions
Making the Transition to COSO's Updated Integrated Framework

1. What are the five interrelated components of internal control?
    Control environment
    Risk assessment
    Control activities
    Information and communication
    Monitoring activities

2. What are the significant developments in COSO's new internal control framework? What is your experience with both the old and new COSO internal control framework?
    Articulates 17 specific principles spread across 5 main components of internal control
    Identifies 75 points of focus which describe a characteristic of a principle
    Includes illustrative tools for assessing the effectiveness of an internal control system
    Based on participant experience

3. What are points of focus?
    Points of focus describe a characteristic of a principle
    There are 75 points of focus identified
    They demonstrate how principles are in place
    Not every one needs to be in place

4. What are some examples of judgment within the new COSO internal control framework?
    Components application to objectives
    Principles application to components
    Risk assessment
    Design and implementation of controls
    Selection of control activities
    Assessment of deficiencies

5. What is the definition of a control deficiency? A major deficiency?
    A shortcoming in a relevant principle or an associated component that has the potential to adversely affect the ability of the entity to achieve its objectives
    Where a deficiency or a combination of deficiencies is severe enough to adversely affect the likelihood that the entity can achieve its objectives

6. What are the points of focus related to principle 8 of the COSO Risk Assessment component?
    Consider various types of fraud
    Assess incentives to, and pressures on, individuals
    Assess various opportunities to commit fraud
    Assess attitudes and rationalizations

7. What are the four levels of IT controls described under principle 11?
    Process, automation and general IT controls
    Technology controls: completeness, accuracy
    Security management: access right and roles
    Systems development life-cycle

Objective Questions
Making the Transition to COSO's Updated Integrated Framework

You may want to use these objective questions to test knowledge and/or to generate further discussion; these questions are only for group discussion purposes. Most of these questions are based on the video segment; a few may be based on the required reading for self-study that starts on page

1. COSO's five sponsoring organizations include all of the following except:
    a) AAA (American Accounting Association).
    b) AICPA (American Institute of Certified Public Accountants).
    c) IMA (Institute of Management Accountants).
    d) FAF (Financial Accounting Foundation).

2. For management to conclude that its system of internal control is effective, all five components of internal control and all relevant principles must be:
    a) present and functioning.
    b) present.
    c) functioning.
    d) effective.

3. Of the five steps in the transition process described by McNally, ____ of the steps relate to the subject matter experts:
    a) one.
    b) four.
    c) two.
    d) three.

4. McLaughlin says that the ____ objective in the new framework has expanded.
    a) reporting.
    b) operations.
    c) compliance with laws.
    d) controls.

5. Regarding principles and points of focus, there are ____ and ____, respectively:
    a) 17 and 17.
    b) 5 and 50.
    c) 17 and 75.
    d) 5 and

6. The compendium issued by COSO:
    a) has principles similar to those in the framework but no points of focus.
    b) provides no examples of how to apply the points of focus.
    c) provides a few examples of how to apply the points of focus.
    d) is a mirror of the new framework.

7. The appendix of the new framework:
    a) contains five scenarios to be used as guidance.
    b) contains 90 examples to be used as guidance.
    c) is basically the same as in the 1992 framework.
    d) is geared towards small public companies.

8. The compendium helps companies evaluate:
    a) effectiveness of control over internal reporting.
    b) effectiveness of control over external reporting.
    c) effectiveness of control over operations.
    d) effectiveness of control over compliance.

9. The transition period for the new framework:
    a) ends on June 30,
    b) ends on December 31,
    c) ends on December 15,
    d) begins on December 15,

10. McLaughlin suggests following two steps while transitioning to the new framework, consisting of:
    a) educate and diagnose.
    b) read and comment.
    c) read and assess.
    d) educate and evaluate.

Self-Study Option

Instructions for Segment

When taking a segment on a self-study basis, an individual earns CPE credit by doing the following:
1. Viewing the video (approximately 25 minutes). The transcript of this video starts on page 17 of this guide.
2. Completing the Required Reading (approximately 20 minutes). The Required Reading for this segment starts below.
3. Completing the online steps (approximately 55 minutes).

Required Reading (Self-Study)

THE 2013 COSO FRAMEWORK: ONE APPROACH TO AN EFFECTIVE TRANSITION
By J. Stephen McNally, CPA, Campbell Soup Company
Reprinted with permission of Strategic Finance
For additional info, go to:

Do you work for a publicly traded company that's subject to Sarbanes-Oxley Act (SOX) Section 404 compliance requirements? If so, odds are high that you're familiar with the Internal Control Integrated Framework that was published in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As you know, SOX 404 requires management at public companies like Campbell Soup to select an internal control framework and then assess and report on the design and operating effectiveness of their internal controls annually. The majority of U.S. publicly traded companies have adopted COSO's 1992 Framework to do this.

As a quick reminder, COSO is a voluntary private-sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence. Five nonprofits are its sponsoring organizations: AAA (American Accounting Association), AICPA (American Institute of Certified Public Accountants), FEI (Financial Executives International), IIA (Institute of Internal Auditors), and IMA (Institute of Management Accountants).

On May 14, 2013, COSO released an updated version of its Internal Control Integrated Framework. Why was the Framework updated and to what end? Is adoption of the 2013 Framework required for SOX 404 compliance? How can you make an efficient and effective transition from the original 1992 Framework? How soon do you need to complete your transition? This article provides answers to these questions; an overview of COSO's 2013 Framework, authored by PwC; and one approach, including specific steps, on how to transition an entity's SOX compliance program to the updated Framework.

Overview

COSO's new Framework is the result of a significant multiyear project, including two rounds of public exposure, to review, refresh, and modernize the original Framework, ensuring it remains relevant. As we all know, the world has undergone a seismic shift since 1992 that has led to dramatic business and operating environment changes. Markets continue to globalize. Business models have changed significantly, including greater use of shared services and outsourced service providers. The complexity and pace of change in rules, regulations, and standards have intensified demands on companies. Reliance on evolving technology, increasingly important in improving business performance, business processes, and decision making, continues to grow. Finally, regulators and other stakeholders have higher expectations regarding governance oversight, risk management, and the detection and prevention of fraud. While advances have been made in better connecting risk management and internal control practices in pursuit of organizational strategic goals, the many changes since 1992 have significantly increased business risk, resulting in a much greater need for competence and accountability than ever before.

In addition, collectively we have learned lessons in applying the 1992 Framework. First, the original Framework included lengthy discussions of internal control concepts that are now institutional knowledge. Second, although the concept of internal control principles may have been embedded in the original Framework, the principles themselves were hidden within the details. Third, practitioners have used the Framework primarily for internal control over external financial reporting, yet the Framework encompasses three major categories of objectives, including operations, overall reporting, and compliance objectives. Thus, streamlining the original Framework; codifying the underlying principles; increasing focus on operations, non-external financial reporting and compliance objectives; and enhancing usability were additional drivers behind COSO's Internal Control Integrated Framework (ICIF) Refresh Project.

The Case for Transition

Throughout this multiyear project, the COSO Board has emphasized that the key concepts and principles embedded in the original Framework remain fundamentally sound for designing, implementing, and maintaining systems of internal control and assessing their effectiveness. Therefore, COSO will continue to make the original Framework available through December 15, 2014, at which time the 1992 Framework will be considered superseded. During this transition period (today through December 15, 2014), COSO believes continued use of the 1992 Framework is acceptable. Entities leveraging COSO's Internal Control Integrated Framework for external reporting purposes during the transition period, however, should clearly disclose whether they used the 1992 or 2013 version.

In the spirit of continuous improvement, companies should periodically reassess their system of internal control over external financial reporting to identify opportunities to improve its efficiency and/or effectiveness. Leveraging COSO's 2013 Framework, which formalizes the principles embedded in the original more explicitly, incorporates business and operating environment changes over the past two decades, and improves the Framework's ease of use and application, is an effective way to do this.

The 2013 Framework also makes it easier for management to see what's covered and where gaps may exist in their current SOX 404 compliance program. For example, some companies may not have fully documented their internal control application in line with COSO's 1992 Framework. Others may have misinterpreted or misapplied the narrative in the original, thus falling short of an adequate assessment process with respect to one or more principles, or may have missed a principle outright. The updated Framework develops principles and supporting points of focus within each of the five foundational components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. With it,
management can more successfully diagnose issues and assert effectiveness regarding their internal controls and, for external financial reporting, help avoid material weaknesses or significant deficiencies. For all these reasons, I agree with the COSO Board's recommendation that users complete their transition as soon as is feasible under their particular circumstances.

One Transition Approach

Considering that COSO's newly released Framework represents an update of the 1992 version and that the principles and requirements of effective internal control articulated in it were encompassed in the original, we expect a relatively smooth transition at Campbell Soup. Assuming we interpreted the original Framework properly in developing our current SOX compliance program, transitioning to the 2013 Framework by December 2014 may be limited to updating the format of several summary SOX reports. We don't expect a significant impact on our underlying SOX compliance methodology, approach, and/or key controls.

As co-lead of Campbell Soup Company's original global SOX team in 2003 and 2004, I played a key role in defining Campbell's SOX compliance methodology and approach. Like many companies, we selected the COSO Internal Control Integrated Framework and then used it to assess the design and operating effectiveness of our internal controls over external financial reporting. We trained more than 300 cross-functional associates globally; designated operational and functional subteams to identify, document, and test Campbell's controls; and addressed deficiencies as needed.

Historically, Campbell Soup has consistently embraced the importance of maintaining a solid system of internal control. Thus, our primary challenge in was to effectively document and test the controls already in place, including Campbell's control activities related to financial reporting as well as Campbell's company-level controls overall. To address company-level controls, we sifted through COSO's Framework and other guidance and then developed a customized template for Campbell Soup that consisted of key considerations or attributes for each of the five internal control components. Leveraging interviews with senior management and cross-functional experts as well as other evidence we collected, we documented the design and implementation and then assessed the operating effectiveness of these controls.

Even though we expect the transition from COSO's 1992 Framework to its 2013 Framework to result in few, if any, changes, we still need to work through it. The following five-step process represents one way to navigate the transition.

Step One: Develop Awareness, Expertise, and Alignment

In addition to gaining senior leadership alignment and support, the first step in transitioning to COSO's 2013 Framework is to build internal awareness and, ultimately, expertise among the resident COSO/SOX subject matter experts in your company. To do so, you and your team should obtain and review COSO's newly released publications, including the Internal Control Integrated Framework Executive Summary, Framework and Appendices, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, and the Internal Control over External Financial Reporting (ICEFR): A Compendium of Approaches and Examples. See Table 1 for a brief overview of each of these documents.

Combined, these COSO publications represent nearly 500 pages of guidance, so you may want to leverage other tools and resources as well. Here are some documents and other resources that will help you navigate the changes introduced in the 2013 Framework and its accompanying guidance. First, in addition to the Executive Summary, recent COSO press releases, a COSO presentation deck, Frequently Asked Questions document, and other materials are available on COSO's website.
They will provide an effective overview of COSO's Refresh Project in general and the 2013 Framework in particular. Likewise, the five sponsoring organizations have been supporting COSO in building awareness of the updated Framework, so a review of their respective websites may provide additional insight and perspective. Several of them, as well as other parties, will be hosting a series of webinars and/or in-person seminars, forums, and/or training sessions, many of which will be available free to the public. Also, I'm sure numerous articles and editorials over the next year or so will offer various perspectives on applying the Framework, understanding key concepts in the Framework, and transitioning to it. Your external auditor, other public companies, regulatory authorities, and other relevant parties also can be great resources. Finally, networking and building connections with peers at similar companies can benefit you and your team.

As you begin developing your awareness, the following concepts and insights may be of particular interest:

Timeless Concepts. As noted earlier, COSO's key concepts regarding internal control are timeless. According to COSO, "Internal control is a process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance." The 2013 Framework still provides for three categories of objectives (operations, reporting, and compliance) and still consists of five integrated components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. The Framework continues to be adaptable to a given organization's structure, allowing you to consider internal controls from an entity, divisional, operating unit, and/or functional level, such as for a shared services center. Finally, the important role of management judgment in designing, implementing, and maintaining internal control, as well as assessing its effectiveness, is retained.

Expanded Reporting Category. Whereas the reporting category of objectives was leveraged primarily for external financial reporting in the past, this category now explicitly and more clearly encompasses both internal and external financial and nonfinancial reporting objectives. COSO's Framework was always intended to address a broader spectrum of business activity, but the passage of SOX Section 404 resulted in a public perception that COSO could support external financial reporting only. The 2013 Framework now explicitly permits use in these other reporting situations, even though they aren't directly relevant from a SOX perspective.

Codified Principles. The 1992 Framework conceptually introduced 17 relevant principles associated with the five components of internal control. But these concepts were implicit in the narrative. Because they are essential in assessing that the five components are present and functioning, these concepts are now explicitly articulated in the 17 principles. The COSO Board believes each principle adds value, is suitable to all entities, and, therefore, is presumed relevant. If management determines that a given principle isn't relevant to the organization, it should document the rationalization. See Table 2 for a list of the principles and the associated components of internal control.

Requirements of Effective Internal Control. For management to conclude that its system of internal control is effective, all five components of internal control and all relevant principles must be present and functioning. Being present implies a given component or principle exists within the design and implementation of an entity's system of internal control. Functioning implies the component or principle continues to exist in the operation and conduct of the control system. Effective internal control also requires that all five components operate together in an integrated manner. Management can conclude they do if each component is present and functioning and the aggregation of internal control deficiencies across the
components doesn't result in one or more major deficiencies.

Internal Control Deficiencies. According to the 2013 Framework, a major deficiency exists if an internal control deficiency or combination thereof severely reduces the likelihood of an entity achieving its objectives. In other words, if management used its professional judgment to determine that a control objective isn't being met because a relevant principle or associated component isn't present and functioning, or the five components aren't operating together, the entity has a major deficiency. Though the 2013 Framework uses and defines the terms deficiency and major deficiency, management should use relevant criteria as established by regulators, standards-setting bodies, and other relevant third parties for defining the severity of, evaluating, and reporting internal control deficiencies when reporting under those regulations or standards.

Points of Focus. COSO's updated Framework describes points of focus to assist management in designing, implementing, and maintaining internal control and in assessing whether the 17 principles are present and functioning. Points of focus represent important characteristics of the respective principles. (See Table 3 for examples.) Points of focus deemed relevant and suitable for a given entity, whether described in the Framework or uniquely identified by management, can help you understand the respective principles. But management isn't required to separately assess whether they are in place. Points of focus are simply enablers; they aren't required in order to have an effective system of internal control.

Step Two: Conduct Preliminary Impact Assessment

Once you understand COSO's 2013 Framework, you need to assess how transitioning to it will impact your current SOX compliance program. Perhaps the most significant factor affecting your transition from the 1992 version to the 2013 version is how well management implemented the original one. To conduct a preliminary impact assessment, you should map your existing system of internal control against the updated COSO Framework. This will help you determine the degree of work required to complete the transition.

While developing your current methodology and approach for SOX compliance, you likely invested significant time up front to define your entity's internal control framework, starting with COSO's 1992 Framework and then customizing it based on your company's specific processes, financial disclosures, and risk history. Does the following scenario sound familiar?

First, management probably specified a high-level financial reporting objective and subobjectives related to preparing financial statements and disclosures. In doing so, it identified significant financial statement accounts based on the risk of material misstatement. Then, for each account or disclosure, management identified relevant financial reporting assertions, including existence, completeness, rights and obligations, valuation or allocation, presentation and disclosure, and the like. In addition, management identified underlying transactions, events, and processes supporting the respective accounts and disclosures. The result may have been a mapping of the design of your company's internal control environment, providing evidence that control activities are in place for all relevant financial reporting assertions for all significant accounts and disclosures. If there were any significant gaps, you remediated them accordingly.

Assuming you went through such a process in developing your existing SOX compliance program, you can leverage the original mapping to determine the impact of transitioning to COSO's 2013 Framework. Now, however, instead of mapping directly to the five components of internal control, you will first map to the 17 principles that underlie each of the five components. As before, if you determine there are gaps in your internal control design, you'll need to remediate them accordingly.

Step Three: Facilitate Broad Awareness, Training, and Comprehensive Assessment

In Steps One and Two, the effort was limited to the company's SOX compliance subject matter expert(s) and/or core SOX compliance team. Step Three entails engaging the broader organization to build awareness and to pressure-test the preliminary impact assessment conducted in Step Two.

Depending on the nature and complexity of your organization, your SOX compliance efforts may occur centrally, or there may be multiple layers of assessment. For example, each business unit or location may prepare its own local-level assessment. Either way, you should facilitate broad awareness of COSO's updated Framework and the potential impact on your SOX compliance program among key stakeholders, including the board of directors/audit committee, senior and operational management, process and control owners, and internal auditors. You should also discuss the impact of COSO's 2013 Framework on your SOX efforts with your company's external auditors. In some cases, providing stakeholders a brief update, via memo or in person, will be sufficient. In other cases, in-depth training and work sessions may be needed.

In addition to building broad awareness, you should also leverage key stakeholders, such as process/control owners or business unit SOX leads, to pressure-test your preliminary impact assessment, especially in a more decentralized or highly complex environment. In other words, have those who are directly responsible for implementing your company's SOX controls critique the preliminary mapping from Step Two to ensure the analysis is complete and accurate.

Step Four: Develop and Execute COSO Transition Plan for SOX Compliance

Once you've built broad awareness regarding the updated COSO Framework, gained senior leadership alignment and support that a timely transition is important, and completed a comprehensive impact assessment, it's time to develop and execute your company's transition plan.

As with any well-managed project, the planning phase is usually the most important. During this phase, finalize your company's updated SOX compliance methodology and approach, define project governance and decision rights, develop a detailed project plan with key milestones, identify and assign resources, and complete other necessary planning activities. Most important, be realistic in your expectations and plans. Even those companies with sophisticated SOX compliance programs today who have designed, implemented, and maintain effective systems of internal control will have to expend some effort in the transition.

As you execute your transition plan, you will likely pass through three high-level phases:

Phase 1: Documentation and Evaluation. During this phase, you may need to update the format and/or flow of your underlying documentation, aligning it to the new mapping created during Step Two. Specifically, for management to conclude that its system of internal control is effective, all five components of internal control and all relevant principles must be present and functioning. The underlying documentation must support management in making such a conclusion. This phase also entails evaluating the design of the underlying controls and enhancing the design as needed.

Phase 2: Validation Testing and Gap Remediation. Once you're comfortable that your company's controls around external financial reporting and disclosure are effective in their design, you need to perform SOX validation testing to ensure these controls have been implemented and are operating as expected. If you identify deficiencies as a result of this testing, gap remediation may be required.

Phase 3: External Review and Testing. At some point, your external auditor will need to assess and gain comfort with your updated SOX compliance program and supporting documentation.

Step Five: Drive Continuous Improvement

In the true spirit of corporate governance, there's a difference between an adequate and a best-in-class system of internal controls. For a public company, stronger corporate governance should translate into stronger business results and increased shareowner value. Once your company's transition to the 2013 Framework is complete, challenge yourself to drive continuous improvement thereafter with these four practices:

Ensure there is appropriate tone at the top. Clearly communicate the company's commitment to integrity and ethical values, the importance of maintaining effective internal control, and the expectation that all employees will fulfill their internal control obligations. Consider leveraging Web-based integrity programs to train employees on the company's standards of conduct and other important issues.

Embed internal control responsibility into the fabric of your company's culture, business processes, and procedures. One way to achieve this is to implement a control self-assessment (CSA) program as part of the company's ongoing evaluations within its monitoring activities component. CSA is a sustainable process whereby management periodically validates the operating effectiveness of the company's key controls vs. relying on internal or external auditors to make such an assessment. CSA drives management accountability and increases confidence in management's assessment of the effectiveness of their internal control system.

Leverage technology to support other monitoring activities. You can use technology solutions for comparing transaction details against predetermined thresholds, monitoring for trends and patterns, and assessing automated performance indicators and metrics. Improve control reporting and communication. Consider developing dashboards related to key processes, activities, or controls that can alert you to potential anomalies or failures.

Enhance your enterprise risk management capability. Integrating your ERM process with your internal controls system will improve your company's ability to achieve its strategic, operational, reporting, and compliance objectives.

These are just a few examples of how you can drive continuous improvement of your company's system of internal control.

Call to Action

One last reminder: Those who currently use COSO's 1992 Framework should complete their transition to the 2013 version no later than December 15, 2014, at which time the original Framework will be considered superseded. Now the onus is on me, you, and others within publicly traded companies subject to SOX Section 404 compliance to build awareness of the 2013 Framework, gain senior management's alignment and support, assess the impact of the Framework on existing SOX compliance activities, and then complete a timely transition. The five-step process outlined here is one approach that could support you and your team in doing so successfully.

Table 1: Newly Released COSO Documents

Internal Control Integrated Framework Executive Summary. Represents a high-level overview of the 2013 Framework and is intended for the CEO and other senior management, boards of directors, and regulators.

Internal Control Integrated Framework and Appendices. This volume, approximately 175 pages, sets out the Framework in detail, defining internal control, describing the components of internal control and underlying principles, and providing direction for all levels of management in designing and implementing internal control and assessing its effectiveness. The appendices to this volume, including a glossary, specific considerations for smaller entities, summary of changes vs. the 1992 version, etc., provide additional reference but aren't considered part of the Framework.

Internal Control Integrated Framework Illustrative Tools for Assessing Effectiveness of a System of Internal Control. This volume provides templates and scenarios to support management in applying the Framework, specifically in terms of assessing effectiveness.

Internal Control over External Financial Reporting: A Compendium of Approaches and Examples. This compendium provides practical approaches and examples illustrating how the components and principles set forth in the Framework can be applied in preparing external financial statements. It is intended to be used as a resource for questions and research on specific principles and components rather than being read from cover-to-cover.

Table 2: 17 Principles

Here are the titles of the 17 internal control principles by internal control component as presented in COSO's 2013 Framework:

CONTROL ENVIRONMENT
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

RISK ASSESSMENT
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

CONTROL ACTIVITIES
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

INFORMATION & COMMUNICATION
13. Uses relevant information
14. Communicates internally
15. Communicates externally

MONITORING
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Please see the Framework for the actual principles and related descriptions.

Table 3: Example Points of Focus

Principle 1. The organization demonstrates a commitment to integrity and ethical values.

Supporting Points of Focus:
Sets the tone at the top
Establishes standards of conduct
Evaluates adherence to standards of conduct
Addresses deviations in a timely manner

Table 4: Impact of COSO's 2013 Framework on Prior COSO Documents

COSO's newly released 2013 Internal Control Integrated Framework and related documents impact prior COSO publications as follows:

COSO will consider the 1992 Internal Control Integrated Framework as having been superseded by the 2013 Framework after 12/15/14.

COSO will consider the 2006 Internal Control over Financial Reporting Guidance for Smaller Public Companies as having been superseded by the ICEFR Compendium after 12/15/14.

The COSO Board believes internal control is an integral part of enterprise risk management (ERM) but that ERM is broader in scope. As such, COSO's 2004 Enterprise Risk Management Integrated Framework and the newly released Internal Control Integrated Framework are considered complementary.

COSO's 2009 Internal Control Integrated Framework, Guidance on Monitoring Internal Control Systems will continue to be relevant and useful material for management.

Video Transcript

Making the Transition to COSO's Updated Integrated Framework

QUINLAN: An important development in the internal control landscape was recently completed with an update to the so-called integrated framework of the Committee of Sponsoring Organizations of the Treadway Commission. Viewers will recall that, since 1992, COSO's original internal control framework was accepted by the SEC as a framework for attesting to internal control over financial reporting, and has been recognized as the leading guidance for designing, implementing and conducting internal control and assessing its effectiveness. In fact, the SEC's chief accountant has already reiterated that companies would be wise to pay attention to what COSO says about its old framework: that the original 1992 framework will, in fact, be obsolete at the end of The good news is that the same five main components of the original framework (control environment, risk assessment, control activities, information and communication, and monitoring activities) remain the foundation for the updated framework. But globalization and technology have accelerated at dizzying rates in the past two decades. In a world that is marked by smartphones and cloud computing, it seemed prudent for COSO to update an original framework that was published before cellphones and became common. The most significant development in COSO's new framework is the articulation of 17 specific principles spread across the five main components of internal control. Each principle is accompanied by explicit points of focus designed to help users evaluate whether the principle is present and functioning. Returning to our program is John McLaughlin, a partner as well as the risk advisory services leader for BDO USA, LLP. Thanks for joining us once again, John.

It is great to see you, too, Becky. Thank you.

Earlier this year the Committee of Sponsoring Organizations of the Treadway Commission replaced the original 1992 internal control framework with an updated version. But please remind me: if that original framework was so successful and stood the test of time, why was it updated? Was there an outcry for revision?

Becky, I am not sure I would say there was an outcry, but if you look at what was created in 1992, which was the original framework, it was created on the heels of the banking crisis of the late 1980s, so Charles Keating is a name your viewers may remember, is it was created in a different world. So if you look at the way the world is now, compared to back then, with globalization, outsourcing, companies operating with multiple currencies, obviously in multiple countries, so you've got cultures and mores, you have more regulations, and compliance that is required.

Certainly, technology has changed dramatically. So, business has transformed, Becky. COSO itself has seen a need for transformation. Companies are going through a reexamination of the way they conduct business to make it more efficient, to recognize the changes in the business environment. We, too, as an organization, as BDO, are helping our clients go through this transformation exercise. COSO needed to go through a transformation exercise itself, just like many organizations going through that today.

So many changes and so little time. So, let me go back to basics. They're not going to change the COSO cube, are they?

The cube will remain relatively unchanged, in that you still have the five components of internal control, those being one, the control environment, two, risk assessment, three, control activities, four, information and communication, and five, monitoring activities. There are a number of changes, but a significant one is that the objective relating to reporting has expanded. You'll recall there are three objectives in that cube, operations, reporting, and compliance with laws and regulation. This objective has expanded beyond what in 1992 they called financial reporting, and now it's reporting.

I suppose giving the original COSO guidance an update or a makeover might be a good idea. It was difficult enough to remember the three core objectives and the five framework components. Are we really going to have to learn 17 new principles, John?

Well, bluntly, Becky, the answer is yes, and then some. I can't remember the 17 principles, or at least not yet. I can't even remember the names of my kids sometimes. I have four children and I get them mixed up. But the 17 principles are fundamental to this in that COSO is articulating that for internal control to be effective, the principles need to be present and functioning and the components in the principles need to be operating in an integrated manner. Those two concepts are key to this. Users will see 17 principles laid across the five components. If memory serves me right, five principles relate to the control environment, four relate to risk assessment, three relate to control activities, another three relate to information and communication, and there are two that relate to monitoring activities.

It's not just new principles, is it, John? Isn't there also something called points of focus? Are there really 75 of them?

Becky, there are 75 points of focus and the points of focus are very important in that they describe a characteristic of a principle. COSO says that essentially these points of focus need to demonstrate how these principles are in place. COSO, though, is indicating that not every point of focus necessarily needs to be in place or that a separate evaluation be made of the 75 points of focus. They recognize, for instance, that in a particular industry something that is unique to your company may not give rise to the points of focus that are within the framework. But the bottom line is that points of focus are very important in helping companies establish the presence and functioning of principles. The reality is that if you have got one point of focus demonstrating one principle, it's probably not a good place to be in terms of demonstrating compliance with Sarbanes-Oxley. There is safety in numbers.

On one hand, the framework is more granular. But, on the other hand, there's still an opportunity for subjective judgment, isn't there?

That's a great question, Becky. Judgment is expressed throughout this framework. COSO has given a good deal of granularity to the updated framework compared to where we were in 1992 and that should be very helpful. It should be very helpful actually in utilizing judgment, and COSO talks about the use of judgment. If you can visualize the cube again, we have objectives and components, and the application of component against those objectives requires judgment. The application of principles as it relates to components requires judgment. There are approaches and examples as well. The use of risk assessment or the application of risk assessment requires judgment. Designing and implementing controls and selecting control activities all require judgment. Ultimately the assessment of whether deficiencies exist within the control framework requires judgment. COSO says that judgment is used throughout this framework. This added granularity should help management apply better judgment to their control environment.

Besides revising the framework itself, COSO also issued two new companion tools. Let me ask you first, John, about the so-called compendium. I've heard it referred to as the ICEFR compendium. What exactly does that mean?

ICEFR is another acronym: internal controls over external financial reporting. COSO recognized that the framework has to address reporting of all kinds, as we talked about in connection with the cube. It involves internal reporting and external reporting. The compendium, though, is really designed to help all accountants and their companies establish a system of internal control for the attestation of external reporting as under section 404 of Sarbanes-Oxley.

Again, it's not going to alter or modify the framework itself, is it?

The framework will continue to be the framework. The compendium mirrors the framework. The users of the framework and the compendium will recognize that the 17 principles are very similar in the compendium to those in the framework. Incidentally, the points of focus are also similar in the compendium and the framework. One other thing about the compendium is that it provides approaches and examples, and if memory serves me right, there is something like 90 approaches and about 130 or so examples in there. The purpose of those is to help readers or the users of the compendium to understand the application of things that are conceptual like points of focus. The approaches describe the overall concept; the examples actually provide illustrative examples of how these points of focus are put in place. So the users of the compendium will see something different there and something very helpful, in their achieving their assessment of the effectiveness of internal control.

That makes sense, John. So, let me ask you about the second piece of companion guidance: illustrative tools for assessing the effectiveness of an internal control system. Up until now, we really haven't had much focus from COSO on the effectiveness of controls, have we?

That's a great question because as you recall several years ago, Becky, you and I were talking about the guidance for smaller public companies in 2006, and there they had tools that helped a company to demonstrate their internal control process. To your question, the updated framework really helps companies assess the effectiveness of their internal control environment. The tools that exist within the framework, or as an appendix to the framework, help a company to demonstrate not only the components but the principles, and then lay out the evidence for each of these points of focus that lie beneath each of these principles. The other thing that COSO provides in this framework or in the appendix to the framework is a number of scenarios. There are five scenarios where basically they are trying to help an organization determine whether a principle is present and functioning and whether the components are operating in an integrated way with the principles. Deficiencies are evaluated across several organizations within an entity so there are five scenarios in there that really help the users to pull this together and assess the effectiveness of their control environment.

Since you're an auditor, John, let me ask you: if an enterprise has a major deficiency, does that mean that you can't conclude on the effectiveness of controls overall?

This is a big question, Becky. Actually, it's a question that will get bigger because I am getting this question from clients even now. Why am I getting this question? It's because COSO basically describes what constitutes a deficiency. Let me read this definition of control deficiencies. It's a shortcoming in a relevant principle or an associated component that has the potential to adversely affect the ability of the entity to achieve its objectives. A major deficiency is where a deficiency or a combination of deficiencies serves enough to adversely affect the likelihood that the entity can achieve its objectives. To state it even more simply is, if a principle is not present and functioning, you have a deficiency. But COSO emphasizes the importance of judgment. For instance, they refer to the cost versus benefit of controls, the fact that management has to go through a risk assessment and determine the relative importance of certain controls over others. They provide the definitions of deficiencies and major deficiency, but they are also saying, utilize judgment in making this evaluation.

Naturally, many of our viewers still think of the COSO framework in connection with management's assertion relating to internal control over financial reporting. To what extent, John, does the COSO framework only involve INTERNAL FINANCIAL reporting?

The compendium evaluates or helps companies evaluate the effectiveness of their control over external financial reporting. COSO, though, is designed to address all kinds of reporting. The concept of internal reporting is within the framework itself and the importance of internal reporting is emphasized. For instance if you look back at the governance failures that have occurred over the past decade or so, and probably beyond that, the question is where did the issue arise? The issue probably arose in the


SOX FOR NPO S Focus on Control. Stephen L. Kuptz, CPA SOX FOR NPO S Focus on Control Stephen L. Kuptz, CPA Personal Background and Perspective SOX for NPO s Focus on Control 2 Introduction to SOX The Sarbanes Oxley Act of 2002 commonly called Sarbanes Oxley,

More information

Miles CPA Review: BEC Q Updates for 2017 Edition

Miles CPA Review: BEC Q Updates for 2017 Edition Miles CPA Review Miles CPA Review: BEC Q2 2018 Updates for 2017 Edition Summary of updates: - New version CPA exam structure (w.e.f. April 2017) Time management on the exam - BEC-1.3 Enterprise Risk Management

More information

Tools & Techniques II: Lead Auditor

Tools & Techniques II: Lead Auditor About This Course Tools & Techniques II: Lead Auditor Course Description Learn the skills necessary to lead an audit team with confidence. This course provides an overview of the life cycle of an audit

More information

RISK MANAGEMENT FRAMEWORKS: Adapt, Don t Adopt. Here s a primer on how to use two well-known approaches.

RISK MANAGEMENT FRAMEWORKS: Adapt, Don t Adopt. Here s a primer on how to use two well-known approaches. RISK MANAGEMENT FRAMEWORKS: Adapt, Don t Adopt Here s a primer on how to use two well-known approaches. By Mark L. Frigo, CMA, CPA, and Richard J. Anderson, CPA As enterprise risk management (ERM) continues

More information

Internal Financial Controls (IFC) ICAI Seminar October 8, 2016

Internal Financial Controls (IFC) ICAI Seminar October 8, 2016 Internal Financial Controls (IFC) 1 ICAI Seminar October 8, 2016 Financial Reporting Assertions 3 Effective Internal Controls over Financial Reporting All Significant Accounts considered Minor or few internal

More information

Practice Guide. Developing the Internal Audit Strategic Plan

Practice Guide. Developing the Internal Audit Strategic Plan Practice Guide Developing the Internal Audit Strategic Plan JUly 2012 Table of Contents Executive Summary... 1 Introduction... 2 Strategic Plan Definition and Development... 2 Review of Strategic Plan...

More information

Business Context of ISO conform Internal Financial Control Assessment

Business Context of ISO conform Internal Financial Control Assessment Business Context of ISO 15504 conform Internal Financial Control Assessment By János Ivanyos, Memolux Ltd. (H), IIA Hungary Introduction In this paper the business context of the ISO/IEC 15504 [1] conformant

More information

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016 New perspectives as per Companies Act 2013 and CARO 2016 1 Contents: Background Meaning of IFC IFC on Financial Reporting Why IFC? Regulatory mandate Role of various authorities Components of IFC IFC under

More information

Effective implementation of COSO s new anti-fraud guidance

Effective implementation of COSO s new anti-fraud guidance Effective implementation of COSO s new anti-fraud guidance In September 2016, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a new Fraud Risk Management Guide (Anti-fraud

More information

up Texas Society of ~ Certified Public Accountants

up Texas Society of ~ Certified Public Accountants up Texas Society of ~ Certified Public Accountants Office of the Secretary 1666 K Street, N.W. Washington, D.C. 20006-2803 RE: Proposed Auditing Standard An Audit of Internal Control Over Financial Reporting

More information

International Finance Corporation

International Finance Corporation International Finance Corporation Corporate Governance and Internal Audit Overview Bob Lamm Independent Senior Advisor Center for Corporate Governance Deloitte LLP Neil White Global IA Analytics Leader

More information

Compilation Engagements

Compilation Engagements IFAC Board Final Pronouncement March 2012 International Standard on Related Services ISRS 4410 (Revised), Compilation Engagements The International Auditing and Assurance Standards Board (IAASB) develops

More information

Auditing Standards and Practices Council

Auditing Standards and Practices Council Auditing Standards and Practices Council PHILIPPINE STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT PHILIPPINE STANDARD ON AUDITING

More information

Enterprise Risk Management. Applying enterprise risk management to environmental, social and governance-related risks.

Enterprise Risk Management. Applying enterprise risk management to environmental, social and governance-related risks. Enterprise Risk Management Applying enterprise risk management to environmental, social and governance-related Executive Summary PRELIMINARY DRAFT January 2018 This document was developed by the Committee

More information

) ) ) ) ) ) ) ) ) ) ) ) REPORTING ON WHETHER A PREVIOUSLY REPORTED MATERIAL WEAKNESS CONTINUES TO EXIST. PCAOB Release No July 26, 2005

) ) ) ) ) ) ) ) ) ) ) ) REPORTING ON WHETHER A PREVIOUSLY REPORTED MATERIAL WEAKNESS CONTINUES TO EXIST. PCAOB Release No July 26, 2005 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org REPORTING ON WHETHER A PREVIOUSLY REPORTED MATERIAL WEAKNESS CONTINUES TO EXIST ) ) ) ) ) ) )

More information

Compilation Engagements

Compilation Engagements SINGAPORE STANDARD ON RELATED SERVICES SSRS 4410 (REVISED) Compilation Engagements This revised Singapore Standard on Related Services (SSRS) 4410 supersedes SSRS 4410 Engagements to Compile Financial

More information

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note )

More information

10-B Service organizations ISAE 3402 Significant issues

10-B Service organizations ISAE 3402 Significant issues IAASB Main Agenda (September 2007) Page 2007 2877 Agenda Item 10-B Service organizations ISAE 3402 Significant issues A. The Framework and ISAE 3000 A.1 The Assurance Framework and ISAE 3000 lay the foundations

More information

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT (Effective for audits of financial statements for periods beginning

More information

Negotiating in a Sarbanes-Oxley World

Negotiating in a Sarbanes-Oxley World Negotiating in a Sarbanes-Oxley World Richard Pennington, J.D., C.P.M., Consultant SCOPEVision Consulting Ltd 303/324-7333, rpennington@scopevisionconsulting.com 91 st Annual International Supply Management

More information

Speech by SEC Staff: Remarks before the 2007 AICPA National Conference on Current SEC and PCAOB Developments

Speech by SEC Staff: Remarks before the 2007 AICPA National Conference on Current SEC and PCAOB Developments Home Previous Page Speech by SEC Staff: Remarks before the 2007 AICPA National Conference on Current SEC and PCAOB Developments by Josh Jones Professional Accounting Fellow, Office of the Chief Accountant

More information

Proposed Attestation Requirements for FR Y-14A/Q/M reports. Overview and Implications for Banking Institutions

Proposed Attestation Requirements for FR Y-14A/Q/M reports. Overview and Implications for Banking Institutions Proposed Attestation Requirements for FR Y-14A/Q/M reports Overview and Implications for Banking Institutions O Background n September 16, 2015, the Board of Governors of the Federal Reserve System ( Federal

More information

STANDING ADVISORY GROUP MEETING

STANDING ADVISORY GROUP MEETING 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org PROPOSAL TO RECONSIDER THE HIERARCHY OF AUDITING STANDARDS AND GUIDANCE NOVEMBER 17-18, 2004

More information

Cloud Computing Opportunities & Challenges

Cloud Computing Opportunities & Challenges Cloud Computing Opportunities & Challenges AICPA & CPA/SEA Interchange State Regulatory & Legislative Affairs Emerging Technologies July 11, 2017 Presented by Donny C. Shimamoto, CPA.CITP, CGMA 1 Unless

More information

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC Internal controls over Financial Reporting Key concepts Presentation by Jayesh Gandhi at WIRC Page 1 ICFR Key Concepts WIRC 28 May 2016 Agenda Scope and requirements Overview of internal controls as per

More information

IAASB Main Agenda (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1

IAASB Main Agenda (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1 Agenda Item 3-A Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1 Objectives of the IAASB Discussion The objective of this agenda item are to: (a) Present initial background

More information

CORROSION MANAGEMENT MATURITY MODEL

CORROSION MANAGEMENT MATURITY MODEL CORROSION MANAGEMENT MATURITY MODEL CMMM Model Definition AUTHOR Jeff Varney Executive Director APQC Page 1 of 35 TABLE OF CONTENTS OVERVIEW... 5 I. INTRODUCTION... 6 1.1 The Need... 6 1.2 The Corrosion

More information

A FRAMEWORK FOR AUDIT QUALITY. KEY ELEMENTS THAT CREATE AN ENVIRONMENT FOR AUDIT QUALITY February 2014

A FRAMEWORK FOR AUDIT QUALITY. KEY ELEMENTS THAT CREATE AN ENVIRONMENT FOR AUDIT QUALITY February 2014 A FRAMEWORK FOR AUDIT QUALITY KEY ELEMENTS THAT CREATE AN ENVIRONMENT FOR AUDIT QUALITY February 2014 This document was developed and approved by the International Auditing and Assurance Standards Board

More information

AICPA STANDARDS FOR PERFORMING AND REPORTING ON PEER REVIEWS. Effective for Peer Reviews Commencing on or After January 1, 2009

AICPA STANDARDS FOR PERFORMING AND REPORTING ON PEER REVIEWS. Effective for Peer Reviews Commencing on or After January 1, 2009 AICPA STANDARDS FOR PERFORMING AND REPORTING ON PEER REVIEWS Effective for Peer Reviews Commencing on or After January 1, 2009 Guidance for Performing and Reporting on Peer Reviews Copyright 2008 by American

More information

Using the COSO Map. Unpublished Article By Larry Hubbard

Using the COSO Map. Unpublished Article By Larry Hubbard Unpublished Article By Larry Hubbard Internal Control Integrated Framework published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission How many times have we read articles

More information

SARBANES-OXLEY COMPLIANCE MANAGING CHANGING EXPECTATIONS January 20, 2017

SARBANES-OXLEY COMPLIANCE MANAGING CHANGING EXPECTATIONS January 20, 2017 SARBANES-OXLEY COMPLIANCE MANAGING CHANGING EXPECTATIONS January 20, 2017 Pat Mitchell Managing Director Internal Audit, Risk, Business & Technology Consulting CHANGES IN THE COST AND SCOPE OF SOX COMPLIANCE

More information

SOLUTION BRIEF RSA ARCHER AUDIT MANAGEMENT

SOLUTION BRIEF RSA ARCHER AUDIT MANAGEMENT RSA ARCHER AUDIT MANAGEMENT INTRODUCTION Internal audit departments are struggling to deliver strategic leadership, coordinated assurance and other services their stakeholders need, but this task isn t

More information

Case Report from Audit Firm Inspection Results

Case Report from Audit Firm Inspection Results Case Report from Audit Firm Inspection Results July 2014 Certified Public Accountants and Auditing Oversight Board Table of Contents Expectations for Audit Firms... 1 Important Points for Users of this

More information

Audit s Role in Risk Governance

Audit s Role in Risk Governance Audit s Role in Risk Governance Presentation to: Auditors Forum Spokane, WA October 12-13, 2016 Jeremy Taylor, Co-CEO AuditOne, LLC Risk governance Takes in an expanding array of functions and responsibilities.

More information

METROPOLITAN TRANSPORTATION AUTHORITY

METROPOLITAN TRANSPORTATION AUTHORITY ENTERPRISE RISK MANAGEMENT AND INTERNAL CONTROL GUIDELINES Pursuant to Public Authorities Law Section 2931 Adopted by the Board on November 16, 2016 These guidelines apply to the Metropolitan Transportation

More information

SRI LANKA AUDITING STANDARD 300 PLANNING AN AUDIT OF FINANCIAL STATEMENTS CONTENTS

SRI LANKA AUDITING STANDARD 300 PLANNING AN AUDIT OF FINANCIAL STATEMENTS CONTENTS SRI LANKA AUDITING STANDARD 300 PLANNING AN AUDIT OF FINANCIAL STATEMENTS (Effective for all the audits carried out on or after ) CONTENTS Paragraph Introduction 1-5 Preliminary Engagement Activities 6-7

More information

Client Focused Results Driven

Client Focused Results Driven Client Focused Results Driven Accountants & consultants YOU CAN TRUST. ACM offers you a World Class Experience through our highly skilled team of passionate professionals, unique delivery model and global

More information

[RELEASE NOS ; ; FR-77; File No. S ]

[RELEASE NOS ; ; FR-77; File No. S ] SECURITIES AND EXCHANGE COMMISSION 17 CFR PART 241 [RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] Commission Guidance Regarding Management s Report on Internal Control Over Financial Reporting

More information

Chapter 2 The Public Accounting Profession

Chapter 2 The Public Accounting Profession Chapter 2 The Public Accounting Profession Audit Challenge 2-1: Top-Quality Service East and West Chapter 2: The Public Accounting Profession 1. They would be looking for members that are current in their

More information

Optimizing the value of audit quality indicators Lessons we have learned

Optimizing the value of audit quality indicators Lessons we have learned Optimizing the value of audit quality indicators Lessons we have learned 1 Lesson 1: AQIs can trigger new constructive conversations on audit quality 3 Lesson 2: Customize for greater value 3 Lesson 3:

More information

Basel Committee on Banking Supervision. Consultative Document. External audits of banks. Issued for comment by 21 June 2013

Basel Committee on Banking Supervision. Consultative Document. External audits of banks. Issued for comment by 21 June 2013 Basel Committee on Banking Supervision Consultative Document External audits of banks Issued for comment by 21 June 2013 March 2013 This publication is available on the BIS website (www.bis.org). Bank

More information

Quality Assessments what you need to know

Quality Assessments what you need to know Quality Assessments what you need to know Patty Miller, Partner Deloitte & Touche LLP Cavell Alexander, VP-Internal Audit Intermountain Healthcare Overview of requirements Scope of assessment Approaches

More information

CREATING A FRAUD RISK ASSESSMENT AND IMPLEMENTING A CONTINUOUS MONITORING PROGRAM

CREATING A FRAUD RISK ASSESSMENT AND IMPLEMENTING A CONTINUOUS MONITORING PROGRAM CREATING A FRAUD RISK ASSESSMENT AND IMPLEMENTING A CONTINUOUS MONITORING PROGRAM Compliance professionals around the world are struggling with how to do more with less. In order to provide effective assurance

More information

ECQA Certified Profession. Governance SPICE Model. Internal Financial Control Assessor Training Programme

ECQA Certified Profession. Governance SPICE Model. Internal Financial Control Assessor Training Programme ECQA Certified Profession Governance SPICE Model used by the Internal Financial Control Assessor Training Programme Contact: János Ivanyos Memolux Ltd. +36 1 467403 ivanyos@memolux.hu www.training.ia-manager.org

More information

Internal Control Questionnaire and Assessment

Internal Control Questionnaire and Assessment Bureau of Financial Monitoring and Accountability Florida Department of Economic Opportunity September 15, 2016 107 East Madison Street Caldwell Building Tallahassee, Florida 32399 www.floridajobs.org

More information

More than 2000 organizations use our ERM solution

More than 2000 organizations use our ERM solution 5 STEPS TOWARDS AN ACTIONABLE RISK APPETITE Contents New Defining Pressures Risk Appetite and Risk Tolerance Benefits The 5 Best of Practices Risk Assessments Benefits of an Actionable Risk Appetite More

More information

Practice Advisory : Quality Assurance and Improvement Program

Practice Advisory : Quality Assurance and Improvement Program Practice Advisory 1300-1: Quality Assurance and Improvement Program Primary Related Standard 1300: Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality

More information

Comparison of the PCAOB s Auditing Standards No. 5 and No. 2 (Certain key differences are highlighted by underlining)

Comparison of the PCAOB s Auditing Standards No. 5 and No. 2 (Certain key differences are highlighted by underlining) Comparison of the PCAOB s Auditing Standards No. 5 and No. 2 (Certain key differences are highlighted by underlining) Topic AS No. 5 AS No. 2 Objective of ICFR Audit Planning the ICFR Audit Integration

More information

White Paper. Effective and Practical Deployment of COSO: Entity Level Control and Lessons Learned. July 10, 2008 THE ROBERTS COMPANY, LLC

White Paper. Effective and Practical Deployment of COSO: Entity Level Control and Lessons Learned. July 10, 2008 THE ROBERTS COMPANY, LLC THE ROBERTS COMPANY, LLC Compliance Services: IT and Business Processes 3394 Holly Oak Lane, Escondido, CA 92027 TEL: 760.550.2160 * FAX 760.839.2160 E-mail: robertputrus@therobertsglobal.com http://www.therobertsglobal.com/

More information

Advisory Services Governance, Risk & Compliance

Advisory Services Governance, Risk & Compliance Advisory Services Governance, Risk & Compliance Caribbean Association of Audit Committee Members Inc. 2010 Conference Caretakers of Integrity and Accountability: The Role of Internal Audit in Corporate

More information

IAASB CAG Public Session (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1

IAASB CAG Public Session (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1 Agenda Item C.1 Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1 Objectives of the IAASB CAG Discussion The objective of this agenda item are to: (a) Present initial background

More information

IPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by:

IPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by: IPO Readiness Sarbanes-Oxley Compliance & Other Considerations Presented by: IPO Readiness Enhanced Financial / Legal compliance SEC / Stock Exchange Compliance Entity Structure / Registration Filing Requirements

More information

The Value Proposition

The Value Proposition The Value Proposition Home Online Publications Journal of Accountancy Online Issues September 2005 The Value Proposition Page 1 of 7 SARBANES-OXLEY There s more to Sarbanes-Oxley compliance than meets

More information

A package full of change: An interview with Ian Andrews of Commonwealth Bank of Australia

A package full of change: An interview with Ian Andrews of Commonwealth Bank of Australia A package full of change: An interview with Ian Andrews of Commonwealth Bank of Australia Operations July 2016 Christian Johnson Jonathan Michael A package full of change: An interview with Ian Andrews

More information

PART 6 - INTERNAL CONTROL

PART 6 - INTERNAL CONTROL PART 6 - INTERNAL CONTROL INTRODUCTION The A-102 Common Rule and OMB Circular A-110 (2 CFR part 215) require that non-federal entities receiving Federal awards (i.e., auditee management) establish and

More information

Extended Enterprise Risk Management

Extended Enterprise Risk Management Extended Enterprise Risk Management Driving performance through the extended enterprise October 2015 A network within a network The Extended Enterprise is the concept that an organization does not operate

More information

Data, Analytics and Your Audit

Data, Analytics and Your Audit Data, Analytics and Your Audit What Financial Executives Need to Know By Roger O Donnell Partner, KPMG LLP Reprinted by permission from Financial Executive kpmg.com audit Perhaps no business trend has

More information

Should boards and CEOs care about COSO ERM 2017? By Tim J. Leech

Should boards and CEOs care about COSO ERM 2017? By Tim J. Leech Should boards and CEOs care about COSO ERM 2017? By Tim J. Leech Source: Conference Board December 2017 https://www.conferenceboard.org/blog/postdetail.cfm?post=6631 As globalization accelerates and the

More information

Internal Control Questionnaire and Assessment

Internal Control Questionnaire and Assessment Bureau of Financial Monitoring and Accountability Florida Department of Economic Opportunity September 30, 2017 107 East Madison Street Caldwell Building Tallahassee, Florida 32399 www.floridajobs.org

More information

Strengthening Control and integrity: A Checklist for government Managers

Strengthening Control and integrity: A Checklist for government Managers Forum: Analytics and Risk Management Tools for Making Better Decisions Strengthening Control and integrity: A Checklist for government Managers By James A. Bailey The next contribution is based on a Center

More information

ENTERPRISERISK WHY YOU NEED RISK COMMITTEE. 18 April 2014 The RMA Journal Copyright 2014 by RMA

ENTERPRISERISK WHY YOU NEED RISK COMMITTEE. 18 April 2014 The RMA Journal Copyright 2014 by RMA ENTERPRISERISK WHY YOU NEED A RISK COMMITTEE 18 April 2014 The RMA Journal Copyright 2014 by RMA With schedules already crammed with committee meetings, it s tempting to reject the idea of forming yet

More information