EQR – Commercial Lines

CNA – 2013 COSO Framework
Chicagoland IASA Spring Conference
CNA Insurance
2013 COSO Framework
April 17, 2014
NOT for distribution.
Today’s Goals
The goals of today’s presentation are to help you better understand:
• The updates to the COSO Framework, including the 17 principles required to be in place and functioning within the 5 components of internal control
• Key steps for transitioning to the new framework
• Lessons learned from CNA’s adoption efforts
Agenda
• COSO Framework:
- Overview & Background
- 2013 Update
• CNA’s Approach:
- Project Plan
- Initial Gap Analysis
- Lessons Learned
• Questions / Discussion
COSO Overview & Background
What is COSO?
• Committee of Sponsoring Organizations (COSO) of the Treadway Commission
• Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (aka the Treadway Commission)
• Joint initiative of five private sector organizations
– American Accounting Association (AAA)
– American Institute of Certified Public Accountants (AICPA)
– Financial Executives International (FEI)
– Institute of Management Accountants (IMA)
– The Institute of Internal Auditors (IIA)
• COSO established Framework over Internal Control (IC) in 1992
Source: COSO
1992 Framework
5 Components of Internal Control:
• Control Environment – tone at the top; integrity and ethical values of the organization.
• Risk Assessment – identifying and analyzing risks within the organization.
• Control Activities – policies and procedures to mitigate risk.
• Information & Communication – information required to carry out IC activities.
• Monitoring Activities – on-going evaluation to assess IC.
COSO Cube
Source: COSO
ICFR Attestation
• 1992 Framework is widely used today to comply with Section 404 of Sarbanes Oxley Act of 2002 in the certification of internal control over financial reporting.
2013 Update to Framework
What is changing
Source: COSO
1992 vs. 2013 Framework
1992 Framework
2013 Framework
Seventeen Principles
Source: COSO
Effective Systems of Internal Control
For effective internal control:
• Each of the 5 components and 17 principles must be present and functioning.
– Present is defined as “the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.”
– Functioning is defined as “the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.”
• The five components must operate together in an integrated manner to reduce risk to an acceptable level.
Control Breakout (figure): CNA's controls mapped against COSO's Components of Internal Control (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities) by Control Type (Entity Level Controls; Higher Level and Transaction Level Controls; General IT Controls), showing Assertion Coverage and whether each group of controls is Direct or Indirect.
Points of Focus
• For each principle COSO has identified points of focus to assist management in designing, implementing, and maintaining internal control.
• The points of focus may (or may not) be relevant and there is no requirement to perform a separate evaluation. The presumption is that, for a sophisticated organization, most would be relevant.
COSO/AICPA Reference Materials
Project deliverable #1 – Internal Control-Integrated Framework (2013 Edition)
• Consists of three volumes:
– Executive Summary
– Framework and Appendices
– Illustrative Tools for Assessing Effectiveness of a System of Internal Control
• Sets out:
– Definition of internal control
– Categories of objectives
– Components and principles of internal control
– Requirements for effectiveness
Source: COSO
COSO/AICPA Reference Materials
Project deliverable #2 – Internal Control over External Financial Reporting: A Compendium....
• Illustrates approaches and examples of how principles are applied in preparing financial statements
• Considers changes in business and operating environments during past two decades
• Provides examples from a variety of entities – public, private, not-for-profit, and government
• Aligns with the updated framework
Source: COSO
Transition
• Transition period ending December 15, 2014.
• After which time COSO will consider the 1992 Framework to be superseded.
• Any reporting between now and the end of the transition period should disclose which version of the Framework is being used.
CNA’s Project Plan
CNA’s Project Plan
• Step 1: Develop Awareness, Expertise, and Alignment
• Step 2: Conduct Preliminary Impact Assessment
• Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment
• Step 4: Develop and Execute COSO Transition Plan for SOX Compliance / Best Practice
• Step 5: Drive Continuous Improvement
CNA’s Project Plan – Step 1: Develop Awareness, Expertise, and Alignment
• Gain senior leadership and board alignment and support
• Build awareness and expertise
• Educate management
• Map principles to existing controls
• Identify opportunities to expand applications of internal control
CNA’s Project Plan – Step 2: Conduct Initial Analysis
• Evaluate the existing framework
• Leverage the original mapping of components to controls
• Identify key business owners
• Identify COSO updates which may impact your framework
• Identify gaps / opportunities for improvement
CNA’s Project Plan – Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment
• Identify potential gaps and/or documentation enhancement opportunities
• Engage business to enhance existing controls and/or add new controls to meet the update’s requirements
CNA’s Project Plan – Step 4: Develop and Execute COSO Transition Plan for SOX Compliance
• Phase 1: Formalize Framework (Documentation & Evaluation)
• Phase 2: Validation: Business Acceptance and Auditor Acceptance
• Phase 3: Establish Test Plan for 2014
• Phase 4: Testing of 2014 Framework and External Review
CNA’s Project Plan – Step 5: Drive Continuous Improvement
• There is a difference between an adequate and a best-in-class system of internal control
CNA’s GAP Analysis
CNA’s Gap Analysis
Worksheet columns: Control Component; COSO Principle #; COSO Principle Description; Points of Focus; Points of Focus Detail; CNA Reference List #; Preliminary Control Mapping (Committee / Control / Document); Focus Point – Subject Matter Expert (Department, Team or Individual); Status.

Control Environment – Principle 1: Demonstrates Commitment to integrity and ethical values
• Sets the Tone at the Top – B of D and Mgmt at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of IC.
• Establishes Standards of Conduct – The expectations of the board of directors and senior mgmt concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners.
• Evaluates adherence to Standards of Conduct – Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct.
• Addresses deviations in a timely manner – Deviations from the entity's expected standards of conduct are identified and remedied in a timely and consistent manner.

Control Environment – Principle 2: Exercises oversight and responsibility
• Establishes oversight responsibilities – B of D identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
• Applies relevant expertise – B of D defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior mgmt and take commensurate actions.
• Operates independently – B of D has sufficient members who are independent from mgmt and objective in evaluations and decision making.
• Provides oversight for the system of internal control – B of D retains oversight responsibility for mgmt's design, implementation, and conduct of IC (All 5 Control Components).

Preliminary control mapping (Committee / Control / Document) across these points of focus:
– Code of Business Conduct and Ethics
– Commitment to Professional Conduct
– Corporate Governance Guidelines
– Conflict of Interest - Letter from CEO
– Our Commitment to Professional Conduct (“CNA Taking Tough Action Against Internal
– Human Resources Policy Manual
– Performance Management and Talent Review
– Audit Committee (Committee Charter, Meeting Minutes, and Resolutions)
– Compensation Committee (Committee Charter, Meeting Minutes, and Resolutions)
– BofD Minutes, resolutions or annual
– Audit Committee Pack

Subject matter experts: Corp Secretary; HR; ACI

Status legend: Gap; Research & Investigation; Pending Review & Business Acceptance; Done & Completed / Accepted by Business
Lessons Learned
• Limited Gaps
– Refinement and Enhancement of Documentation
• Non-SOX Participants
– Education of IC and Attestation Process
– Need Business to be Owners of the Process
• No “Requirement” for Compliance and Operational Risks (Best Practice)
– Financial Reporting Requirement from SOX
Questions?