2013 New COSO 2013 Framework and Current Trends in Risk Management

Transcription

1

2 2013 New COSO 2013 Framework and Current Trends in Risk Management Session 105 IASA 86 TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

3 Agenda COSO 2013 framework Overview Why the update? What has been updated and what has remained the same? Codification of 17 principles and points-of-focus Key Areas of Focus Transition and impact Impact on Audits & Financial Exams Our point of view Next steps Applying the new COSO 2013 framework Risk management considerations How does COSO 2013 impact my organization Questions Page 3

4 Overview Originally issued in 1992, COSO s Internal Control Integrated Framework (the 1992 Framework ) became one of the most widely accepted internal control frameworks in the world. In order to address the significant changes to business and operating environments that have taken place over the past 20 years, on May 14, 2013, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated 2013 Internal Control-Integrated Framework to supersede the 1992 Framework on December 15, 2014 Page 4

5 Update driven by input of stakeholders: Do stakeholders understand the components of effective internal control? Risk Assessment Information & Communication Control Environment Monitoring Control Activities 0% 20% 40% 60% 80% 100% Difficult to interpret Somewhat difficult to interpret Moderately easy to interpret Generally easy to interpret Easy to interpret Source - COSO s survey of users and stakeholders, worldwide January to September 2011 Page 5

6 Update expected to increase ease of use and broaden application What is not changing... What is changing... Core definition of internal control Three categories of objectives and five components of internal control Each of the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring activities) are required for effective internal control Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness Changes in business and operating environments considered Operations and reporting objectives expanded Fundamental concepts underlying five components articulated as 17 principles Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added Page 6

7 Update considers changes in business and operating environments Environments changes... Have driven Framework updates Expectations for governance oversight Globalization of markets and operations Changes and greater complexity in business Demands and complexities in laws, rules, regulations, and standards Expectations for competencies and accountabilities Use of, and reliance on, evolving technologies Expectations relating to preventing and detecting fraud COSO Cube (2013 Edition) Page 7

8 Why the update? Business and operating environments have changed dramatically, becoming increasingly complex, technologically driven and global in scope. Stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal controls that support business decisions and governance. ICIF works well today COSO s Internal Control Integrated Framework (1992 Edition) Refresh objectives Address significant changes to the business environment and associated risks Codify criteria to use in the development and assessment of systems of internal control Increase focus on operations, compliance and non-financial reporting objectives Enhancements Updated, enhanced and clarified framework Principles Points of focus Expanded internal and nonfinancial reporting guidance ICIF will work better tomorrow COSO s Internal Control Integrated Framework (2013 Edition) Page 8

9 Update clarifies requirements for effective internal control 5 Components 17 Principles Points of Focus Internal Controls Effective Internal Control provides reasonable assurance that each component and supporting principle is present and functioning and the five components are integrated effectively Principles are suitable and presumed relevant for all entities Principles can support achievement of single, multiple, or overlapping objectives Applying principles provides a basis for evaluation of internal control effectiveness across an organization Page 9

10 Update articulates 17 principles of effective internal control Control Environment Risk Assessment Control Activities Information & Communication Monitoring Activities 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures 13. Uses relevant information 14. Communicates internally 15. Communicates externally 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies Page 10

11 Updated Framework: Describes important characteristics of each principle For Example: Control Environment 1. The organization demonstrates a commitment to integrity and ethical values. Points of focus: Sets the tone at the top Establishes standards of conduct Evaluates adherence to standards of conduct Addresses deviations in a timely manner Points of focus may not be suitable or relevant, and others may be identified. Points of focus may facilitate designing, implementing, and conducting internal control. There is no requirement to separately assess whether points of focus are in place. Page 11

12 2013 Framework and Guidance Key Areas of Focus Risk Assessment More detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed, and linkage between risk assessment and control activities. Considering the potential for fraud risks to the achievement of an organization s objectives. Outsources Service Providers (OSPs) Considerations related to OSPs are included throughout the framework, including 12 out of 17 principles. Requires management to specifically consider how OSPs are monitored. Information Technology (IT) Considerations related to IT are included in 14 out of 17 principles. Discussion of using IT to assist in continuous monitoring within the system of internal control (i.e., use of data analytics). Requirements for ensuring quality of information (i.e., data integrity). Page 12

13 Transition & Impact Users are encouraged to transition applications and related documentation to the updated Framework as soon as feasible Updated Framework will supersede original Framework at the end of the transition period (i.e., December 15, 2014) During the transition period, external reporting should disclose whether the original or updated version of the Framework was used Impact of adopting the updated Framework will vary by organization Does the system of internal control need to address changes in business? Does the system of internal control need to be updated to address all principles? Does the organization apply and interpret the original framework in the same manner as COSO? Is the organization considering new opportunities to apply internal control to cover additional objectives? Page 13

14 Transition & Impact (continued) The principles-based approach provides flexibility in applying the Framework to multiple, overlapping objectives across the entity Easier to see what is covered and what is missing Focus on principles may reduce likelihood of considering something that s irrelevant Understanding the importance of specifying suitable objectives focuses on those risks and controls most important to achieving these objectives. Focusing on areas of risk that exceed acceptance levels or need to be managed across the entity may reduce efforts spent mitigating risks in areas of lesser significance. Coordinating efforts for identifying and assessing risks across multiple, overlapping objectives may reduce the number of discrete risks assessed and mitigated. Page 14

15 Transition & Impact (continued) Selecting, developing, and deploying controls to effect multiple principles may also reduce the number of discrete, layered-on controls. Applying an integrated approach to internal control - encompassing operations, reporting, and compliance may lessen complexity. In assessing severity of internal control deficiencies, use only the relevant classification criteria as set out in the Framework or by regulators, standard-setting bodies, and other relevant third parties, as appropriate. Page 15

16 Our Point of view- Overview Helps increase transparency. The structure and rigor presented in this framework around 17 principles and point of focus helps establish transparency and accountability in an organization s process of designing and implementing its system of internal control. Strengthened governance. For companies utilizing COSO, the new framework will also aid in strengthening the governance and oversight on internal control in an organization. Maintain an optimum balance. COSO 2013 framework does not necessarily warrant redesigning the organization s system of internal control. Management must ensure that their approach for transitioning is effective and efficient. Implementation of new COSO 2013 framework. While the fundamental elements of the new COSO framework remain the same, it is important to update existing documentation to support that the system of internal control considers the 17 principles. Page 16

17 Our Point of view- Impact on External Audits More defined guidance = Better sources of Information for testing. Does not mean more testing. In fact, it might require less testing if companies implement the updated COSO Framework effectively Aligns with greater emphasis and specific measures on corporate governance Better synergy with ERM and related controls design. A Strong ERM Framework ties is well with the new COSO Framework Better defines the role of technology into risk management and controls Page 17

18 Impact on External Audits Examining Internal Controls Over Financial Reporting (ICoFR) System of Internal Control must be examined 5 components are supported by 17 principles, which include: Commitment to integrity and ethical values; Exercises oversight responsibility; Demonstrates a commitment to competence; Assesses fraud risk. What is the burden of proof? Moreover, what constitutes solid audit evidence? Page 18

19 Impact on External Audits Increased focus on the following: Electronic Audit Evidence Increased focus on validating information» Tying out of balances does not suffice;» Report parameters and illustrative screenshots required;» Only in scope applications can be relied upon; Review Controls THAT its reviewed is not enough: WHO, WHAT, HOW» Who is performing the review?» What is their review process? Evaluating the Impact of Deficiencies What is the impact of a deficiency? Inherent risk vs. residual risk» How does a failure or a failure rate impact residual risk index;» What is the effect of all failures identified:» Cumulative impact;» Synergistic do multiple failures exacerbate individual risks? Page 19

20 Our Point of view- Impact on Financial Examinations New framework provides greater focus on the linking between risks, strategy and controls Updated documentation will provide greater insight and reliability into existing documentation and testing performed by Internal and external auditors Less testing if fully implemented; better aligns with a risk focused exam, including mapping of controls related to key risks and the reasoning behind those controls, especially when it comes to soft areas like corporate governance and strategy Examiners should look for implementation of the 17 criteria during their evaluation of the IT framework, including gaps in existing documentation Page 20

21 Next Steps Companies should consider COSO s 4 step approach transition guidance for purposes of complying with Section 404 of the Sarbanes-Oxley Act which include: 1. Read COSO s updated Framework and illustrative documents 2. Initiate a discussion with senior management and the audit committee on the new COSO framework, highlighting its key changes and implications to the system of internal control at the organization 3. Review and establish a process for identifying and assessing necessary changes in controls (if any) and related documentation 4. Document your approach toward the application of the new COSO framework and transition plan, including changes in controls and related documentation Given the integral role management, the audit committee, internal audit and other risk management functions all play in an effective system of internal control, a coordinated approach to address the key changes in the new COSO framework is essential. Page 21

22 Next Steps Understand and educate Communicate Client considerations and next steps: The four-step approach Assess Plan and implement Page 22

23 Applying the new COSO 2013 framework- Steps to Implementation A B C D E F Review existing internal control assessment results and perform an overall assessment with respect to the five components and supporting 17 principles Evaluate each of the five components individually and collectively, and document (in summary) whether the relevant principles are present and functioning For each component, formally evaluate whether each of the 17 principles (to the extent they are relevant) is present and functioning and document the summarized assessment, including any deficiencies/gaps Create a detailed mapping of all internal controls to each of the five components and related principles and document (may not be required if A,B and C above can be adequately supported) Identify additional controls (if any) that may be relevant to fully support a component and/or principle to be present and functioning in the design and implementation of the system of internal control Update overall internal control documentation to reflect changes in the new COSO framework, including but not limited to: financial and non-financial reporting (both internal and external), documenting whether the 17 principles are present and functioning, and clarifying the objectives: a) effectiveness and efficiency of operations, b) compliance with regulatory requirements and c) reporting Page 23

24 Applying the new COSO 2013 framework for management Steps to Implementation- Cont d G H Update management s control self-assessment process to include the three objectives (as part of risk assessment) and five components and 17 principles (as part of self-assessment questionnaires) Update risk assessment methodology (as applicable) and documentation to include evaluation of the three objectives, five components and 17 underlying principles APPLYING THE NEW COSO FRAMEWORK 2013 FOR INTERNAL AUDIT FOR AN INTERNAL AUDIT DEPARTMENT: I J Revise the IA risk assessment methodology to address the seventeen principles supporting the five components for achievement of the three objectives Include reference of the 17 principles in assurance reviews performed by internal audit and its communication to senior management and the audit committee Page 24

25 Risk management considerations to help management achieve business objectives Building upon the COSO 2013 internal control framework, internal audit and other assurance providers should consider the following opportunities to help organizations achieve their business objectives. Opportunity Solution Objective setting process should be reviewed as part of risk assessment Ownership of risk and coordination of risk management activities should be encouraged Enterprise Risk Assessment Methodology Risk Coverage Combined Assurance Model; Risk & Control Framework Assessment Methodology Risk assessment and evaluation criteria should be formalized Cost benefit analysis on risk mitigation activities should be performed Risk assessment, evaluation and quantification tools Cost of controls and Risk Enabled Performance Management (REPM) Page 25

26 How does this impact my organization? ERM/ORSA Model Audit Rule Internal Audit and Regulators Action Steps in Implementation Impact of COSO 2013 on External Audit Page 26

27 ERM & ORSA Differences: Strategy-Setting, Strategic Objectives and Risk Appetite aspects of ERM, not Internal Control Framework Identification of emerging risks, and application of risk tolerance Create a Governance / Risk Framework: integrate across business units and departments: Risk Assessment Control Activities Monitoring and Reporting Enhance documentation, communication and transparency Page 27

28 MAR Transition Considerations Companies applying the 1992 version of the Framework in conjunction with their SOX / MAR compliance process and for other purposes have to consider the following : How do we evaluate the effectiveness of internal control? When and how do we transition to the New Framework? What do we communicate to the certifying officers regarding the New Framework? What do we communicate to the audit committee regarding the New Framework? What are the Sarbanes-Oxley / MAR implications in transitioning to the New Framework? What do we do now? Deadline for use in financial reporting Year End 12/31/2014 Page 28

29 Internal Audit and Regulators Relying more and more on governance, risk and compliance processes The 2 nd Line of Defense ERM / ORSA framework and reporting Used in planning Internal Controls Enhanced documentation and risk mitigation strategies creates value reduced effort, more effective audits / exams, improved performance and reporting) Page 29

30 Clarity of Roles and Responsibilities Structured into Three Lines of Defense Board / Audit Committee Senior Management 1 st Line of Defense 2 nd Line of Defense 3 rd Line of Defense Management Controls Internal Control Measures Financial Control Security Risk Management Quality Legal Compliance Internal Audit External Auditor / Regulators Page 30

31 Action Steps in Implementation Learn what has changed and develop a transition plan Communicate changes to stakeholders, implications to the organization and execute plan Evaluate and enhance your system of internal controls, including operating practices, process improvement and documentation Utilize and apply strategy to operations and technology Enhance Data Analytics and Information / Reporting Page 31

32 Questions and Comments

33 THANK YOU!!!! Our Contact Information Jerry Ravi, Partner EisnerAmper Consulting / ERM Services Jerry.Ravi@eisneramper.com Dianne Batistoni, Partner EisnerAmper Regulatory Audit and Consulting Services Dianne.Batistoni@eisneramper.com Prashant Panavalli, Senior Manager EisnerAmper Consulting / ERM Services Prashant.Panavalli@eisneramper.com Page 33

34 Please Complete the Session Evaluation Form on the Conference App and Include Your Conference Registration ID# to be Included in a Drawing for a Free Conference Registration for the 2014 Annual Conference! NOTE: Your Conference Registration ID# is Located at the Bottom Left Hand Corner of Your Badge. IASA 86 TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW