COSO Updates and Expectations. IIA San Diego Chapter January 8, 2014

Similar documents
Heads Up. Control Integrated Framework. COSO Enhances Its Internal. In This Issue: Enhancements in the 2013 Framework

COSO 2013: Updated internal control framework

AN AUDIT OF INTERNAL CONTROL THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES

B S R & Co. LLP. Reporting on Internal. Reporting An Overview. Sarbanes Oxley Act (SOX) 28 December 2013

Present and functioning: Fine-tuning your ICFR using the COSO update

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

Evaluating Internal Controls

[RELEASE NOS ; ; FR-77; File No. S ]

A Discussion About Internal Controls February 2016

The New COSO Framework: Avoiding Deficiencies and Driving Change

FREQUENTLY ASKED QUESTIONS ABOUT INTERNAL CONTROL OVER FINANCIAL REPORTING

COSO Internal Control Integrated Framework Proposed Update

IPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by:

2013 COSO Internal Control Framework Update. September 5, 2013

Speech by SEC Staff: Remarks before the 2007 AICPA National Conference on Current SEC and PCAOB Developments

Internal Control Integrated Framework. May 2013

Minimizing fraud exposure with effective ERP segregation of duties controls

Quality Assessments what you need to know

Report on Inspection of KPMG AG Wirtschaftspruefungsgesellschaft (Headquartered in Berlin, Federal Republic of Germany)

Proposed Attestation Requirements for FR Y-14A/Q/M reports. Overview and Implications for Banking Institutions

Internal Control Questionnaire and Assessment

Report on Inspection of PricewaterhouseCoopers Audit (Headquartered in Neuilly-Sur-Seine, French Republic)

Report on Inspection of K. R. Margetson Ltd. (Headquartered in Vancouver, Canada) Public Company Accounting Oversight Board

Report on Inspection of Deloitte LLP (Headquartered in Toronto, Canada) Public Company Accounting Oversight Board

FRAUD RISK FACTORS CHECKLIST (Source: New AU Section 240, Appendix A)

Comparison of the PCAOB s Auditing Standards No. 5 and No. 2 (Certain key differences are highlighted by underlining)

Auditing Standards and Practices Council

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

Internal Control Questionnaire and Assessment

Effective implementation of COSO s new anti-fraud guidance

Corporate Governor. Providing vision and advice for management, boards of directors and audit committees Winter 2015

SARBANES-OXLEY COMPLIANCE MANAGING CHANGING EXPECTATIONS January 20, 2017

International Finance Corporation

Report on Inspection of KPMG Auditores Consultores Ltda. (Headquartered in Santiago, Republic of Chile)

REPORT 2016/033 INTERNAL AUDIT DIVISION

Reliable Financial Reporting. Evaluating Deficiencies in Internal Control Over Financial Reporting

US U.S. AAM vs. DTTL AAM A Refresher Deloitte Touche Tohmatsu

International Forum of Independent Audit Regulators Report on 2013 Survey of Inspection Findings April 10, 2014

US Inspection Findings and Internal Control Methodology Changes

SAS Teleconference

AUDITING. Auditing PAGE 1

Managing Fraud Risk: New Professional Guidance

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

AUDIT RISK ASSESSMENT AND RESPONSES TO ASSESSED RISK BY Geoffrey Byamugisha Partner, Ernst & Young. Lessons on Audit Risk. Responding to fraud risk

Joint IIA/ ISACA/ ACFE Spring Fraud Conference: Fraud & the External Auditor, and You

Public Company Accounting Oversight Board

Auditing Standards and Practices Council

FINANCIAL INSTITUTIONS AUDIT COMMITTEE GUIDE FOR FINANCIAL INSTITUTIONS

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404

Internal Controls: Need Them, Have Them, Love Them

Report on. Issued by the. Public Company Accounting Oversight Board. June 16, 2016 THIS IS A PUBLIC VERSION OF A PCAOB INSPECTION REPORT

Audit Committee Performance Evaluation

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a. AUDITING THEORY Risk Assessment and Response to Assessed Risks

Report on Inspection of Deloitte & Associes (Headquartered in Neuilly-sur-Seine, French Republic) Public Company Accounting Oversight Board

2016 INSPECTION OF BHARAT PARIKH & ASSOCIATES CHARTERED ACCOUNTANTS. Preface

Internal Financial Controls (IFC) - An Overview

Audit Committee Resource Guide

Assessment of the Design Effectiveness of Entity Level Controls. Office of the Chief Audit Executive

Information Technology Risks in Today s Environment

McGraw-Hill/Irwin. Copyright 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

BUSINESS CPA EXAM REVIEW V 3.0. For Exams Scheduled After March 31, 2017

Report on Inspection of KAP Purwantono, Sungkoro & Surja (Headquartered in Jakarta, Republic of Indonesia)

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016

See your auditor clearly. Transparency report: How we perform quality audit engagements

Managing the Risk of Fraud in the Conversion to IFRS

Pre-Engagement Activities and Audit Planning By: Tariq Mahmood FCA, ACMA

EFFICIENT USE OF AUDIT COMMITTEES

Checklist for Higher Education

The Auditor s Responses to Assessed Risks

CHAPTER 7. Internal Control. Review Questions

Internal Controls Integrating COSO

September 19, 2007 San Francisco Chapter

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report

The New 404 Balancing Act

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

Four faces of the CFO

White Paper. Effective and Practical Deployment of COSO: Entity Level Control and Lessons Learned. July 10, 2008 THE ROBERTS COMPANY, LLC

Review of Duke Energy Florida, LLC Internal Audit Function

Key Elements of Antifraud Programs and Controls

S12 - Guidelines for Planning an IS Audit Christopher Chung

4. Organic documents. Please provide an English translation of the company s charter, by-laws and other organic documents.

Corporate Governance Update. SOX 404 and Internal Controls

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

What does an external auditor look for in SAP R/3 during SOX 404 Audits? Ram Bapu, CISSP, CISM Sandra Keigwin, CISSP

Auditor Objectivity and Skepticism What s Next?

Short, engaging headline

Remediation of Material Weaknesses Related to Employee Compensation

CGMA Competency Framework

Audit Committee Member Roles and Responsibilities

SEMINAR ON INTERNAL FINANCIAL CONTROLS. Oct 31, 2015 at ISACA Pune Chapter Nov 1, 2015 at Pune Branch of WIRC of ICAI

Report on Inspection of Grant Thornton Auditores Independentes (Headquartered in Sao Paulo, Federative Republic of Brazil)

Report on Inspection of Deloitte, S.L. (Headquartered in Madrid, Kingdom of Spain) Public Company Accounting Oversight Board

Bearing the Bad News Reporting to the Board on Internal Corruption. Peter Dent, National Leader Deloitte Forensics September 11, 2013

International Standard on Auditing (Ireland) 500 Audit Evidence

Auditing Application Controls

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Nonprofit Organizations

CONTROLS TESTING VS SUBSTANTIVE TESTING: A PRACTICAL APPROACH CPA MADHAV BHANDARI MANAGING PARTNER AT BAKER TILLY MERALI S NOVEMBER 2017

SOX FOR NPO S Focus on Control. Stephen L. Kuptz, CPA

Scope of this SA Effective Date Objective Definitions Sufficient Appropriate Audit Evidence... 6

Transcription:

COSO Updates and Expectations IIA San Diego Chapter January 8, 2014

Agenda Overview of 2013 Internal Control-Integrated Framework and Companion Guidance 2013 Framework General Enhancements by Component Transition Considerations and Next Steps Internal Control Hot Topics Appendix A Risk Assessment (principles 7, 8, 9) Information & Communication (principle 13) Outsourced Service Providers (principles 10, 16) 1

2013 Framework and Guidance Components Control Environment Risk Assessment Summarized Principles 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability 6. Specifies relevant objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change Control Activities 10.Selects and develops control activities 11.Selects and develops general controls over technology 12.Deploys through policies and procedures Information & Communication 13.Uses relevant information 14.Communicates internally 15.Communicates externally Monitoring Activities 16.Conducts ongoing and/or separate evaluations 17.Evaluates and communicates deficiencies 2

2013 Framework and Guidance (cont.) Specific significant enhancements to the 1992 Framework that may pose challenges to management: Risk Assessment More detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed, and linkage between risk assessment and control activities Considering the potential for fraud risk when assessing risks to the achievement of an organization s objectives Outsources Service Providers (OSPs) Considerations related to OSPs are included throughout the framework, including 12 out of 17 principles Requires management to specifically consider how OSP s are monitored Information Technology (IT) Considerations related to IT are included in 14 of 17 principles Discussion of using IT to assist in continuous monitoring Requirements for ensuring quality of information (data integrity) 3

2013 Framework and Guidance Control environment Risk assessment Control activities Information and communication Monitoring activities Use of principles to describe components Component Control environment Principles 1. Demonstrates commitment to integrity and ethical values 2. Board demonstrates independence and exercises oversight 3. Management establishes structure, authority, and responsibility 4. Organization demonstrates commitment to competence 5. Enforces accountability Enhancements Include Setting expectations for standards of conduct (with employees and outsourced service providers), evaluating adherence to such standards, and addressing deviations in a timely manner Matters related to board independence, skills and expertise Importance of accountability for internal control Planning and preparing for succession for those roles important to the effectiveness of internal control Aligning incentives and rewards with internal control responsibilities 4

2013 Framework and Guidance (cont.) Control environment Risk assessment Control activities Information and communication Monitoring activities Use of principles to describe components Component Risk assessment Principles 6. Specifies relevant objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change Enhancements Include 5 Explains that the risk assessment process includes risk identification, analysis, and response Considers velocity and persistence of risk (in addition to impact and likelihood) Includes fraud risk assessment as a principle Incorporates considerations of outsourced service providers Importance of evaluating changes in the external environment, business model, operations, technology, relationships with outsourced service providers, leadership and how such changes impact internal control

2013 Framework and Guidance (cont.) Control environment Risk assessment Control activities Information and communication Monitoring activities Use of principles to describe components Component Control activities Principles 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures Enhancements Include Emphasis on the linkage between risk assessment and control activities The types of control activities applied (including considering preventative vs. detective controls) Incorporates updated technology concepts, including those related to technology infrastructure, security, acquisition, development, maintenance, and use of OSPs Establishing responsibility and accountability for executing policies and procedures Reassessing policies and procedures on a periodic basis to determine their continued relevance and if revisions are needed 6

2013 Framework and Guidance (cont.) Control environment Risk assessment Control activities Information and communication Monitoring activities Use of principles to describe components Component Information and communication Principles 13. Uses relevant and quality information 14. Communicates internally 15. Communicates externally Enhancements Include Identifying information requirements, verifying sources of data, processing relevant data, maintaining quality through processing, and using OSPs Considering reliability and protection of data Reevaluating information needs Considering how information supports the functioning of internal control Providing separate channels of communication for anonymous or confidential communication when normal communication channels are inoperative of ineffective (e.g., through whistle-blower hotlines) 7

2013 Framework and Guidance (cont.) Control environment Risk assessment Control activities Information and communication Monitoring activities Use of principles to describe components Component Monitoring activities Principles 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies Enhancements Include Considerations of the rate of change when developing monitoring activities Using a baseline of understanding to establish plans for ongoing and separate evaluations Considerations related to monitoring at different levels of an organization and monitoring of OSPs Using technology in the context of monitoring Communicating deficiencies Monitoring corrective actions 8

2013 Framework Effective system of internal control Per COSO, an effective system of internal control requires: Each of the five components of internal control and relevant principles are present and functioning The five components are operating together in an integrated manner If a major deficiency (or material weakness) exists, can not conclude that the system of internal control is effective For purposes of complying with requirements of the Sarbanes- Oxley Act of 2002, internal control deficiency classification criteria established by the SEC and PCAOB must be used. 9

Illustrative Tools What are they? Intended to assist entities when assessing effectiveness of internal control The Illustrative Tools can help management assess whether: Each of the five components and relevant principles are present and functioning The five components are operating together in an integrated manner Organized in three sections: Introduction Templates Scenarios 10

ICEFR Compendium What is it? Illustrates how entities can apply the 2013 Framework to design, implement, and conduct a system of ICEFR Provides examples and approaches for applying the 17 principles Approaches describe how organizations may apply the principles within their system of ICEFR Examples provide specific illustrations to users on the application of each principle 11

Transition COSO transition guidance 2013 Internal Control-Integrated Framework (the 2013 Framework ) and illustrative documents issued: May 14, 2013 Transition period as announced by COSO: May 14, 2013 December 15, 2014 COSO will consider the 1992 Framework superseded after December 15, 2014 If applying and referencing COSO s Internal Control Integrated Framework for external reporting purposes: Annual external reporting should clearly disclose whether the 1992 or 2013 Framework was utilized 12

Considerations and Next Steps

Considerations and Next Steps Understand and Educate Assess Plan and Implement Communicate Read 2013 Framework Identify new concepts and changes Consider training and education needs Assess and evaluate needs regarding control objectives for operations, compliance, and non-financial reporting Determine impacts on the entity s design and evaluation of ICFR Assess coverage of the principles and consider points of focus Assess current processes, activities, and available documentation regarding meeting the principles Identify any gaps Identify the steps that need to be performed to transition to the 2013 Framework Formulate a plan to transition by December 15, 2014 Take appropriate steps to implement plan Communicate internally with all groups responsible for implementing, monitoring, and reporting on the organization s internal control Discuss and coordinate activities with internal audit (if applicable) and the external auditor 14

Opportunities for Companies Implementation of the 2013 Framework provides a good opportunity to create value for organizations and refresh internal control systems, regardless of maturity level of an internal control system. Synergies and simplifications may be available May also identify gaps in design and operating effectiveness to be addressed E.g., fraud risk assessment programs, IT controls, and monitoring of outsourced service providers May also identify gaps in documentation and evidentiary support for evaluating the effectiveness of internal control under the 2013 Framework Opportunities to improve operations, compliance, and reporting 15

Internal Control Hot Topics

2013 Framework and Guidance Hot Topics and Areas of Focus for Management 1 Risk assessment process to identify: The likely sources of misstatement (supported by sufficiently detailed process descriptions/flow diagrams) The relevant controls (documented in sufficient detail to communicate expectations, enable effective monitoring) Significant changes that result in new risks that require new or modified controls 2 Fraud risk assessment, including audit committee oversight of risk of management override 3 Effectiveness of control environment The entity s commitment to integrity and ethical values The audit committee Appropriateness of segregation of duties Principles 7, 9, and 12 Principle 8 Principles 1-5 17

2013 Framework and Guidance Hot Topics and Areas of Focus for Management 4 Controls over outsourced service providers and specialists Throughout 5 Precision of management review controls, including mitigation of bias in the decision-making 6 Controls over accuracy and completeness of reports or data: Produced by the entity, both system and non-system generated reports (e.g. excel spreadsheets) From service organizations From third parties 7 Controls over: One-time transactions, significant unusual transactions Disclosures Cash flow statement Principle 10 Principle 13 Principles 10 and 12 18

2013 Framework and Guidance Hot Topics and Areas of Focus for Management 8 Information Technology Controls: Linkage of financial reporting data, automated controls and IPE to relevant IT applications and infrastructure Consideration of IT risks related to interfaces, data warehouses, and third parties Concluding IT risks and their effect on financial reporting 9 Deficiencies: Basis for concluding on severity, including consideration of root causes Aggregation of deficiencies Effectiveness of remediation process Concluding on IT deficiencies 10 Monitoring activities: Alignment with the detailed risk assessment Obtaining persuasive evidence of effectiveness, not just occurrence Approach to insignificant components, particularly in emerging markets Principle 11 Principle 17 Principle 17 19

Top 10 Internal Control Issues Top 10 Internal Control Adverse Opinions Accounting Personnel / Competence / Training Segregation of Duties Nonroutine Inadequate Disclosure Controls IT Accounting personnel / Competence Material / Numerous YE Adjustments Ineffective / Understaffed Audit Committee Inadequate Disclosure Controls Audit Committee Issues Numerous YE Adjustments Segregation of Duties Non-routine Transaction Control Issues IT Software, Security, Access Issue Untimely or Inadequate Account Reconciliations Restatement / Non-reliance of Company Filings Insufficient Non-Existent IA Function 20 Source: Audit Analytics SOX 404 Dashboard

Resources Resources: Deloitte Heads Up www.deloitte.com New guidance available for purchase through link on COSO website: Contact Info: Cecile Galvez www.coso.org cegalvez@deloitte.com 619-237-6870 John Giakouminakis jgiakouminakis@deloitte.com 213-688-3384 21

Appendix A Focus on: Risk Assessment (7, 8, 9) Information & Communication (13) Outsourced Service Providers (10, 16)

Risk Assessment Principle 7 Identifies, Analyzes and Responds to Risk The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed Identifying and analyzing risks is an ongoing iterative process Management considers risks at all levels of the entity and takes the necessary actions to respond Points of Focus Includes entity, subsidiary, division, operating unit, and functional levels Identify Analyzes internal and external factors Involves appropriate levels of management Estimates significance of risks identified Analyze Determines how to respond to risk Respond 23

Risk Assessment Principle 7 Identifies, Analyzes and Responds to Risk Enhanced Aspects of Principle 7: Details that risk assessment includes identification, analysis, and response. Incorporates the concepts of inherent risk. Expands discussion regarding risk tolerance and how risk may be managed, including through acceptance, avoidance, reducing, and sharing risk. Considers velocity and persistence of risk (in addition to impact and likelihood). Incorporates consideration of outsourced service providers. 24

ICEFR Compendium Principle 7: Identifies, Analyzes, Responds to Risk ICEFR Approaches Applying a Risk Identification Process ICEFR Examples Analyzing Risk Across Functions Assessing Risks to Significant Financial Statement Accounts Meeting with Entity Personnel Assessing Risks to Significant Financial Statement Accounts Using Risk Ratings Analyzing Risk for Information Technology Assessing the Likelihood and Significance of Identified Risks Identifying and Responding to Risk Using Benchmark Data to Asses Significance and Response to Risk 25 Considering Internal and External Factors Evaluating Risk Responses Analyzing Risks from External Factors Considering Changes in Information Systems Considering Risk Response in a Revenue Process

ICEFR Compendium Example: Analyzing Risk Across Functions The CFO holds a working session of department leaders from marketing, production, IT, HR, and administration to perform a risk analysis by department. Risks are rated from 1 (least risk) to 5 (most risk) based on potential impact on financial reporting and likelihood of occurrence. After the discussion sessions, the participants document the results in a table that outlines each specific risk together with the rating and factors contributing to the rating. For example, revenue recognition was rated as 4 (medium-high). Contributing to this assessment was consideration of the likelihood and impact of the organization failing to: Transfer ownership on specific sales in accordance with revenue recognition accounting standards for goods sold on consignment. Account for complex sales promotions and discounts completely and accurately Update IT systems to account for complex revenue transactions that could lead to inappropriate recognition of revenue 26

Risk Assessment Principle 8 Assesses Fraud Risk The organization considers the potential for fraud in assessing risks to the achievement of objectives Points of Focus: Considers various types of fraud Assesses incentive and pressures Assesses opportunities Assesses attitudes and rationalization Enhanced Aspects of Principle 8: Incorporates the concept of fraud risk assessment. Considerations related to various types of fraud, including fraudulent financial reporting, fraudulent non-financial reporting, misappropriation of assets, management override, safeguarding of assets, and corruption. Evaluating incentives and pressures, opportunities, and attitudes and rationalizations. Incorporates considerations related to outsourced service providers. 27

Risk Assessment Principle 8 Assesses Fraud Risk As part of the risk assessment process, organizations should identify the various ways that fraudulent financial reporting can occur, considering: Management bias, for instance in selecting accounting principles Degree of estimates and judgments in external reporting Fraud schemes and scenarios common to the industry sectors and markets in which the entity operates Geographic regions where the entity does business Incentives that may motivate fraudulent behavior Nature of technology and management s ability to manipulate information Unusual or complex transactions subject to significant management influence Vulnerability to management override and potential schemes to circumvent existing control activities 28

ICEFR Compendium Principle 8: Assesses Fraud Risk ICEFR Approaches ICEFR Examples Conducting Fraud Risk Assessments Assessing Fraud Risk Considering Approaches to Circumvent or Override Controls Considering Fraud Risk in the Internal Audit Plan Reviewing Incentives and Pressures Related to Compensation Programs Maintaining Oversight Identifying and Analyzing Risk of Material Omission and Misstatement Due to Fraud Analyzing Compensation Structure Additional Resources: Management Override of Internal Controls: The Achilles Heel of Fraud Prevention Management Antifraud Programs and Controls: Guidance to Help Prevent, Deter, and Detect Fraud 29

ICEFR Compendium Example: Assessing Fraud Risk The chief compliance officer at a global retail operation, annually conducts a fraud risk assessment. In doing so, he interviews management at all the international locations about fraud issues. He analyzes: Historical fraud, including theft of inventory and the processes in place to identify and record such theft The methodology used for recording and calculating inventory and shrinkage Whistle-blower reports The number of manual entries vs. automated entries recorded The number of late entries due to subjective estimates With this information, the chief compliance officer: Forms a preliminary view of the potential fraud activities, which he discusses with management of each jurisdiction in order to consider implications and what control activities can reduce the risk of fraud. Has discussions with human resources personnel and reviews information in the staff files. Uses his historical knowledge and staff information to assess the attitude of the local management toward the tolerance of fraud and to determine whether local management may rationalize fraudulent activities, including corruption. Once complete, submits a report to the audit committee for its consideration. 30

ICEFR Compendium Example: Maintaining Oversight The audit committee of a medical supply company takes the issue of management override of controls very seriously. Consequently, every quarter the committee reviews the fraud risk assessment process. In doing so, the members of the audit committee: Maintain an appropriate level of skepticism Discuss management s assessment of fraud risks Use the code of conduct to assess financial reporting culture Ensure the entity has a robust whistle-blower program Develop a broad information and feedback network In addition, the audit committee asks the chief audit executive about: What fraud risks are being monitored by the internal audit team on a periodic or regular basis What specific procedures internal audit performs to address management override of internal controls Whether anything has occurred that would lead internal audit to change its assessment of the risk of management override of internal controls. With this information in hand, the audit committee discusses with the full board and senior management any concerns that need added management focus. 31

Challenge Your Fraud Risk Assessment Instances of Material Frauds 32 Source: Deloitte Forensic Center

Risk Assessment Principle 9 Identifies and Analyzes Significant Changes The organization identifies and assesses changes that could significantly impact the system of internal control Points of Focus Assesses changes in the external environment Assesses changes in the business model Assesses changes in leadership Enhanced Aspects of Principle 9 Importance of assessing changes in the external environment, business model, operations, technology, and leadership and how such changes may impact internal control. 33

ICEFR Compendium Principle 9: Identifies and Analyzes Significant Changes ICEFR Approaches Assessing Change in the External Environment Conducting Risk Assessments Relating to Significant Change Considering Change through Succession Considering CEO and Senior Executive Changes ICEFR Examples Reacting to Significant Change Caused by External Factors Updating Risk Assessments For a New CEO Responding to Significant Change Due to International Exposure Responding to Significant Change from an Acquisition Planning for Executive Transition Preparing for a Change in CEO 34

ICEFR Compendium Example: Responding to Significant Change Due to International Exposure Consecutive Corp., a multi-billion-dollar technology equipment manufacturer that has historically focused on sales in the United States, has decided to expand internationally with both sales and manufacturing. As part of the expansion plans, Consecutive has assessed several factors: Incremental revenue opportunities Competition in the marketplace Cultural dynamics of the targeted international location Different laws and regulations, including those that would affect the company s ability to defend its patents Risk of increased fraud from theft and corruption Each of these factors presents incremental risks to financial reporting and processes that need to be managed. Therefore, Consecutive s corporate controller is performing a risk assessment with the finance teams in the international locations to ensure these new risks are identified and to help management determine how best to respond. 35

Information & Communication Principle 13 Uses Relevant Information The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. Points of Focus Identifies information requirements Captures internal and external sources of data Processes relevant data into information Maintains quality throughout processing Considers costs and benefits Enhanced Aspects of Principle 13 Identifying information requirements, processing relevant data, maintaining quality through processing Verifying the sources of data and considering the reliability and protection of data Considering the costs and benefits of information, impact of technology, and use of outsourced service providers Considering how information supports the functioning of internal control. Reevaluating information needs 36

ICEFR Compendium Principle 13: Uses Relevant Information ICEFR Approaches ICEFR Examples Creating an Inventory of Information Requirements Obtaining Information from External Sources Obtaining Information from Non- Finance Management Creating and Maintaining Information Repositories Evaluating Business Activities to Identify Information Requirements Maintaining Data Flow Diagrams, Flowcharts, Narratives, and Procedures Manuals Gathering Information from External Sources Capturing Information through Electronic Data Interchange Conducting Quarterly Interviews of Operations and Other Management Obtaining Operating Information for Financial Reporting Using a Data Warehouse to Facilitate Access to Information 37

ICEFR Compendium Principle 13: Uses Relevant Information ICEFR Approaches ICEFR Examples Using an Application to Process Data into Information Data Capture and Processing for the Purchasing and Payables Cycle Enhancing Information Quality through a Data Governance Program Validating Data and Information Identifying, Securing, and Retaining Financial Data and Information Identifying and Protecting Financial Data and Information Identifying and Classifying Data for Financial Reporting 38

ICEFR Compendium Example: Using a Data Warehouse to Facilitate Access to Information A food distributor has recently completed an enterprise-reporting project to identify and inventory information used across the company for external financial reporting and related internal control. The results of the project were used by the chief information officer and chief financial officer to design a company-wide data warehouse and reporting tools that would support a single source for financially relevant information. The first phase of the project involved creating an inventory of the existing reports identifying relevant sources and eliminating non-critical and redundant reports. The second phase involved designing and implementing the functional and technical capabilities needed to capture and store data used to generate relevant information. This includes the consideration of automated control activities around completeness, accuracy, restricted access, and validity of the data and information generated. The third phase involved training and users on techniques for effective input and extraction of information and reports from the data warehouse using reporting tools. The final phase involved designing and implementing operating procedures and control activities over the data warehouse and reporting tools to ensure completeness, accuracy, restricted access, and validity of the data and information input and reports generated. As a result of the project, the food distributor has a well-defined inventory of reports, improved data, and a more efficient process for capturing and using information for external financial reporting. 39

ICEFR Compendium Example: Data Capture and Processing for Purchasing and Payables Cycle A publishing company recently implemented the purchasing and payables module of its existing ERP system. The key goals were to improve data quality, reduce manual handoffs through automation, and improve information flow/visibility into purchasing transactions. The implementation project team was lead by the controller, and supported by employees involved in the purchase to payables process. Workshops were held to confirm the current end to end process and identify important information about sources of transactions, key data requirements, risks to financial reporting, and information required for accounting and reporting. The project team used the results from these workshops to review the ERP module s capabilities for automating tasks and controls such as: Checking that data input was valid, complete, and accurate Passing data between related transactions to minimize data entry and improve data consistency Automatically recording the accounting transaction upon data input Automatically reconciling the payables subsidiary ledger to the general ledger Generating exception and analytical reports The result was access to more accurate, complete, and timely information for internal control purposes. 40

ICEFR Compendium Approach: Enhancing Information Quality through a Data Governance Program Senior management establishes a data governance program to support the company s objectives of ensuring reliability of information used in support of internal controls and external financial reporting. Senior management formalizes policies, procedures, and responsibilities for data and information management considering the volume, complexity, and demand for rapid capture and dissemination from multiple sources. The data governance program includes policies and procedures for: Assigning roles and responsibilities between a central data management group, business functions, and IT Validating sources of information Establishing data-quality requirements before accepting sources into the information system Accessing rights to underlying data and related information produced through processing Protecting data during transmission and storage 41

Control Activities Principle 10: Selects and Develops Control Activities The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Points of Focus: Integrates with Risk Assessment Considers Entity-Specific Factors Determines Relevant Business Processes Evaluates a Mix of Control Activity Types Considers at What Level Control Activities are Applied Addresses Segregation of Duties Enhanced Aspects of Principle 10: Linkage between risk assessment and control activities Consideration of the level at which control activities are applied The types of controls applied (considering preventative vs. detective controls) Differentiates between business process control activities and transaction control activities 42

ICEFR Compendium Principle 10: Selects and Develops Control Activities ICEFR Approaches ICEFR Examples Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to Control Activities Implementing or Assessing Control Activities When Outsourcing to a Third Party Using Workshops to Map Identified Risks to Control Activities Using a Risk and Controls Matrix to Map Risks to Control Activities Using an Inventory of Risks and Control Activities Obtaining a Report on Controls from a Service Payroll Provider Implementing or Assessing Control Activities when a Report on Controls at a Service Provider is Not Available Considering the Types of Control Activities Balancing the Types of Control Activities Evaluating Preventative vs. Detective Control Activities Setting the Threshold for Business Process Reviews Controlling Significant Accounting Estimates Automating Balance Sheet Reconciliations 43

ICEFR Compendium Principle 10: Selects and Develops Control Activities ICEFR Approaches ICEFR Examples Considering Alternative Control Activities to the Segregation of Duties Using Alternative Control Activities when Access to Purchasing Transactions Are Not Segregated Identifying Incompatible Functions Manually Assessing Incompatible Functions Across an Entity Using Automated Tools to Enforce the Segregation of Incompatible Functions 44

ICEFR Compendium Approach: Implementing or Assessing Control Activities When Outsourcing to a Third Party The organization outsources some of its operations to a third party. Management obtains an understanding of the service organization s activities and whether those activities impact significant classes of transactions, accounts, or disclosures in the company s reporting process. In doing so, the entity considers: Significance of transactions or information processed in relation to the F/S Risk of material omission and misstatement associated with assertions affected Nature and complexity of the services provided and whether highly standardized and used extensively Extent to which entity s processes and control activities interact with those of the service organization Entity s control activities applied to the transactions affected Terms of the contract with the service provider If management determines service organization s processes are significant to ICEFR, then it: Identifies the specific control activities performed by the OSP Selects and develops control activities internally over activities of OSP 45

Monitoring Activities Principle 16 Conducts Ongoing and/or Separate Evaluations The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning Points of Focus: Considers a mix of ongoing and separate evaluations Considers rate of change Establishes baseline understanding Uses knowledgeable personnel Integrates with business processes Adjusts scope and frequency Objectively evaluates 46

Monitoring Activities Principle 16 Conducts Ongoing and/or Separate Evaluations Enhanced Aspects of Principle 16: Considering the rate of change when developing monitoring activities Using a baseline of understanding of internal control to establish plans for ongoing and separate evaluations Considerations regarding monitoring at different levels of an organization and monitoring of outsourced service providers Using technology in the context of monitoring 47

ICEFR Compendium Principle 16: Conducts Ongoing and/or Separate Evaluations ICEFR Approaches ICEFR Examples Periodically Reviewing the Mix of Monitoring Activities Changes in Business Operations Changing the Internal Audit Plan Establishing a Baseline Establishing a Baseline Identifying and Using Metrics Using Metrics to Monitor Payroll Using Built-in Operating Measures and Key Control Indicators Designing and Implementing a Dashboard Using Dashboards to Relate Operating Information 48

ICEFR Compendium Principle 16: Conducts Ongoing and/or Separate Evaluations ICEFR Approaches Using Technology to Support Monitoring Activities ICEFR Examples Using Continuous Monitoring Using Technology to Identify Trends Conducting Separate Evaluations Using Internal Audit to Conduct Separate Evaluations Understanding Controls at an Outsourced Service Provider Investigating and Reporting Whistle-blower Allegations Identifying and Protecting Sensitive Financial Data and Information Conducting Senior Financial Officer Visits Using Self- Assessments Identifying and Analyzing Risk of Material Omission of Misstatement Due to Fraud Internal Audit Conducting Separate Evaluations Reviewing Service Auditor s Report for Changes in Controls 49

ICEFR Compendium Approach: Understanding Controls at an OSP Management obtains and reviews periodic information from outsourced service providers to detect any changes in activities that impact the entity s system of internal control over external financial reporting. Information obtained may include: The outsourced service provider s applicable control objectives Details about which of the outsourced service provider s internal control have been examined and included in any report The details and results from any independent audit testing performed Special considerations for the outsourced service provider that impacts the report To determine what impact any identified changes may have on the entity s system of internal control over external financial reporting, the following may also be assessed: Known changes in business processes Whether any exceptions were noted that may trigger further review Whether management is satisfied with the independence and objectivity of the report Based on management s review and findings, it may be necessary to reassess the separate evaluation activities over the outsourced service provider. 50

ICEFR Compendium Example: Reviewing the Service Auditor s Report for Changes in Controls A supplies materials company has outsourced its payroll activities for a number of years to reputable payroll service provider. The chief audit executive obtains an annual service auditor s report detailing the internal controls at the service provider and compares the current report to past reports to determine if there are changes in relevant controls that could impact judgments made on planned monitoring activities over the payroll process. The current report indicates some key changes in the payroll service provider s software and several negative test results in priority risk areas. As a result, the CAE has the internal audit department perform a reconciliation of the payroll service provider s processing results to evaluate if additional separate evaluations of the payroll service provider may be necessary. 51

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Member of Deloitte Touche Tohmatsu Limited

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback