Transcript Document

NASACT ANNUAL CONFERENCE – AUGUST 2013
The NEW 2013 COSO Framework:
"Transition Moves Forward To Dec. 15, 2014"
Key Project Players Managing the Transition
COSO Board of Directors
PwC Author & Project Leader
COSO Advisory Council
• AICPA
• AAA
• FEI
• IIA
• IMA
• Public Accounting Firms
• Regulatory observers (SEC, GAO, FDIC, PCAOB)
• Others (IFAC, ISACA, others)
Source: www.coso.org
Stakeholders
• Over 700 stakeholders in Framework responded to global survey during 2011
• Over 200 stakeholders publicly commented on proposed updates to Framework during first quarter of 2012
• Over 50 stakeholders publicly commented on proposed updates in last quarter of 2012
Internal Control Structure – The Original COSO
• First published 1992
• Gained wide acceptance following financial control failures of early 2000s
• Most widely used framework in the U.S.
• Also widely used around the world
Source: www.coso.org
Update Intends to Ease Use and Application
How has the framework changed?
What has not changed...
• Retains the core definition of internal control
• Retains the five components of internal control
• Retains the requirement of five components for an effective system of internal control
• Retains important role of judgment in designing, implementing, and conducting internal control, and in assessing effectiveness of internal control
What has changed...
• Formalizes fundamental concepts underlying the five components as principles
• Considers changes in business, operating, and regulatory environments
• Expands financial reporting objective to include other important forms of reporting
• Provides additional approaches and examples relevant to operations, compliance, and nonfinancial reporting objectives
Source: www.coso.org
Reasons for Updating the COSO Framework
Summary of Conditions Driving Change
Ever-changing conditions...
Drive updates to the Framework...
• Expectations for governance oversight
• Globalization of markets and operations
• Changes in business model
• Demands and complexity of rules, regulations and standards
• Expectations for competencies and accountabilities
• Use and reliance on evolving technology
• Expectations for preventing and detecting fraud
Source: www.coso.org
Updated COSO Cube
Internal Control – The New Integrated Framework
• Deliverable consists of three volumes:
  • Executive
  • Framework and Appendices
  • Illustrative Tools for Assessing Effectiveness of a System of Internal Control
• Sets out:
  • Definition of internal control
  • Categories of objectives
  • Components and principles of internal control
  • Requirements for effectiveness
Source: www.coso.org
Internal Control over External Financial Reporting – A Compendium of Approaches and Examples.
Deliverable achieves the following:
• Illustrates approaches and examples of how principles are applied in preparing financial statements.
• Considers changes in business and operating environments during past two decades.
• Provides examples from a variety of entities – public, private, not-for-profit, and government.
• Aligns with the Updated Framework.
Source: www.coso.org
2013 Framework Articulates 17 Principles Embedded in the Original Framework
Source: www.coso.org
Update Articulates Principles of Effective Internal Control
Control Environment
• The organization demonstrates a commitment to integrity and ethical values.
• The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
• Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
• The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
• The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Source: www.coso.org
An Example of How Update Describes Impact of Various Controls On Principles
Component: Control Environment
Principle: The organization demonstrates a commitment to integrity and ethical values.
Controls embedded in other components may effect this principle:
• Control Environment: Human Resources review employees’ confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity.
• Information & Communication: Management obtains and reviews data and information underlying potential deviations captured in whistleblower hotline to assess quality of information.
• Monitoring Activities: Internal Audit separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results and reports thereon.
Source: www.coso.org
Update Articulates Principles of Effective Internal Control
Risk Assessment
• The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
• The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
• The organization considers the potential for fraud in assessing risks to the achievement of objectives.
• The organization identifies and assesses changes that could significantly impact the system of internal control.
Source: www.coso.org
Update Articulates Principles of Effective Internal Control
Control Activities
• The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
• The organization selects and develops general control activities over technology to support the achievement of objectives.
• The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.
Source: www.coso.org
Update Articulates Principles of Effective Internal Control
Information & Communication
• The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
• The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
• The organization communicates with external parties regarding matters affecting the functioning of internal control.
Source: www.coso.org
Update Articulates Principles of Effective Internal Control
Monitoring Activities
• The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
• The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Source: www.coso.org
Update Clarifies Requirements for Effective Internal Control
• Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:
  • Each component and each relevant principle is present and functioning, and
  • The five components are operating together in an integrated manner.
• Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology).
• Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies.
• A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives.
Source: www.coso.org
Update Describes the Role of Controls to Effect Principles
• The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control.
• An organization’s selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity.
• A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles.
• However, understanding and considering how controls effect multiple principles can provide persuasive evidence supporting management’s assessment of whether components and relevant principles are present and functioning.
Source: www.coso.org