
1

OVERVIEW COSO 2013


Lynn Fountain, CGMA, CRMA
www.lynnfountain.net
2

Your Facilitator
• Past CAE and current consultant
and trainer in aspects of Internal
Audit, SOX, ERM, Fraud,
Governance and Compliance.
• Over 30 years experience in the
accounting, finance and
compliance industries.
• Recognized author, trainer and
speaker.
• www.lynnfountain.net
• fountainlynn1@gmail.com
3

Introduction
• In today’s business world, the term
“internal control” is assumed to be a
well-known and understood concept.
• Companies utilizing COSO framework
should have transitioned from the
1992 original framework to the
updated 2013 framework.
4

Introduction
• This transition should have resulted
in a re-evaluation of internal
controls.
• This includes evaluation of how
roles and responsibilities for
controls are deployed through the
organization.
5

Agenda
• Explore the definition of IC and its
importance in today’s business.
• Examine the basic tenets of IC.
• Explore the reasons for the COSO update
and dissect the key changes.
• Examine the keys to the COSO 17
principles.
• Explore how to perform a needs
impact assessment and compliance
plan.
6

DEFINITION AND
BENEFITS OF IC
7

Internal Control
• Key definition: A means by
which an organization's
resources are directed,
monitored, and measured.
• Plays an important role in
preventing and detecting fraud
and protecting the organization's
resources, both physical and
intangible.
8

Internal Control
• IC is a process affected by an
organization's structure, work
and authority flows, people and
information systems.
• Designed to help the
organization accomplish
specific goals or objectives.
• Concepts date back to Egyptian
times and the process of tax
collection.
9

… A good thing?
• Internal control IS a good thing.
• How does your organization view IC?
• Is it considered a necessary evil?
• Do you know management’s view?
• Are control findings aligned with
management tolerances?
• How do you communicate with
management related to IC importance?
• How much does your management and
the Board really know about the COSO
internal control framework?
10

Advantages
• Leads to a more efficiently run
organization.
• Ensures a company's resources are
utilized only for their intended
purposes.
• Minimizes the risk of resource misuse.
• Prevents financial irregularities by
detecting them quickly.
• Prevents employees from being
accused of any irregularities or
misappropriations of funds.
11

Disadvantages
• Poorly designed/executed controls can
create employee frustration/apathy.
• A system too rigidly designed to allow for
adaptation may be difficult to sustain.
• Design may cause auditors to become
over-dependent on the internal control
system.
• May lead to relaxation of measures for
checking for fraud.
12

IC BASIC TENETS
13

IC Basics
• The difficulty with IC concepts is that one
person’s view of IC may be different
from another’s.
• Consider how we learn about a new
topic.
• How are we taught?
• Personal beliefs and values impact
what is taught.
• Will a professional do the right
thing when no one is looking?
14

IC Basics
• Psychological components impact
how people view ICs and their
perception of the “so called” black
and white line.
• COSO 2013 attempts to provide a
clearer definition of IC through the
listing of principles and points of
focus.
• It requires a more stringent focus
when thinking about ICs.
15

Responsibility
• Internal control is management’s
responsibility.
• The five components are discussed in
the context of the management of the
entity.
• A board that comprises directors with
sufficient independence is part of IC.
• The process of IC highlights two
important components:
• Specify
• Use
16

IC Process
• Specify
• ICs should be specific, measurable,
observable, attainable, relevant and
time-based objectives.
• The suitability of ICs must be based
on the organization's objectives, the
facts surrounding the process and
established laws and rules.
• ICs must be specifically
communicated, along with
objectives, throughout the entity.
17

IC Process
• Use
• Use specified objectives as a
measure to determine level of
risk assessment.
• Consider how your organization
identifies or specifies the need
for an IC.
• A board that comprises directors
with sufficient independence is
part of IC.
18

Control Identification
• If you asked an employee to name
the control within their process,
what would they say?
• Would they recite process steps?
• Could they differentiate between
steps and controls? Example:
• Invoices are received by the
receptionist, opened and
passed to the controller.
• Is this a process step in a task or
a control?
19

COSO 2013 BENEFITS
AND CHALLENGES
20

Benefits
• Benefits
• Updates will help strengthen
systems of internal control.
• Provides important considerations
of effective IC through
formalization of concepts
introduced in the original
framework.
• Appropriately expands the
reporting objective.
21

Challenges
• Challenges
• Sets a higher threshold for
attaining effective IC.
• May impose additional burden
on entities’ reporting on IC.
• Should incorporate aspects of
ERM.
22

BASIC FRAMEWORK
23

1992 Framework
• COSO formed in 1985 to sponsor the National
Commission on Fraudulent Financial
reporting (Treadway Commission).
• A joint initiative of five private sector
organizations:
• American Accounting Association (AAA)
• American Institute of Certified Public
Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Internal Auditors (IIA)
• Institute of Management Accountants
(IMA)
24

1992 Framework
• Framework developed in response to
need for effective ways to control
enterprises and to help ensure
objectives are achieved related to:
• Operations
• Financial reporting
• Compliance
• Provided principles-based guidance
for designing and implementing
effective ICs.
25

1992 Key Concepts
• Framework formally defined IC.
• “A process, effected by an entity's
board of directors, management
and other personnel, designed to
provide "reasonable assurance"
regarding the achievement of
objectives in the following
categories:
26

1992 Key Concepts
• Effectiveness and efficiency of
operations.
• Reliability of financial reporting.
• Compliance with applicable laws
and regulations.
• Safeguarding of assets.
27

1992 Key Concepts
• IC is a process.
• It is a means to an end, not an
end in itself.
• IC is affected by people.
• Not merely policy, manuals, and
forms, but people at every level.
• IC can be expected to provide
reasonable assurance, not
absolute assurance.
• IC is geared to the achievement of
objectives.
28

1992 Components
• Includes five interrelated
components derived from how
management runs a business.
• Control environment: sets the
tone of an organization,
influencing the control
consciousness of its people.
• The foundation for all other
components.
29

1992 Components
• Risk assessment: Every entity
faces a variety of risks that must be
assessed.
• RA is the identification and analysis
of relevant risks to the
achievement of assigned
objectives.
• Prerequisite for determining
how risks should be managed.
30

1992 Components
• Control activities:
Policies/procedures that help
ensure management directives are
carried out.
• Occur throughout the
organization, at all levels and in
all functions.
• Must be identified separate
from daily tasks.
31

1992 Components
• Includes a range of activities:
• Approvals
• Authorizations
• Verification controls
• Reconciliations
• Reviews of operating
performance
• Security of assets
• Segregation of duties
32

1992 Components
• Information and communication:
Systems produce reports that make
it possible to run and control the
business.
• Effective communication must
ensure information flows down,
across and up the organization and
include external parties.
33

1992 Components
• Monitoring: assesses quality of
system's performance over time.
• Accomplished through ongoing
activities or separate evaluations.
• Deficiencies detected should be
reported and corrective actions
taken to ensure continuous
improvement of the system.
34

COSO UPDATE AND
KEY CHANGES
35

COSO Update
• It has been 20 years since the original
COSO.
• Business has changed dramatically.
• Stakeholders more engaged, seek
greater transparency/accountability for
the integrity of internal control.
• Key aspects have been added to mandate:
• Knowledge of business strategy.
• Understanding of regulatory changes.
• Increased focus on information
technology controls.
• Control attributes must work in synergy.
36

Changes to Reporting
Philosophy
[Figure: COSO cube, COSO 1992 beside COSO 2013]
Where’s Waldo? Can you identify the changes in the cube?
37

Concepts That Did Not
Change
• Core definition of Internal control.
• Five components of Internal
control.
• Important role of judgment in:
• Designing
• Implementing
• Conducting internal control
• Assessing effectiveness
38

New Concepts
• Formalizes fundamental concepts
underlying five components of
internal control as principles.
• Clarifies role of objective-setting as
a pre-condition to internal control.
• Reflects the increased relevance of
technology.
• Enhanced governance concepts and
anti-fraud expectations.
39

New Concepts
• Considers changes in business,
operating, regulatory
environments.
• Expands financial reporting
objective to include other
important forms of reporting.
• Provides additional approaches
relevant to compliance, financial
and non-financial reporting
objectives.
40

Operating Environment
• Updated framework considers
changes in business, operating, and
regulatory environments:
• Expectations for governance
oversight
• Globalization of markets and
operations
• Changes in business models
41

Operating Environment
• Demands/complexity in laws,
rules, regulations and
standards,
• Expectations for competencies
and accountabilities,
• Expectations for preventing
and detecting fraud.
42

Clarifies Deficiencies
• Control Deficiency: shortcoming in
component(s) and relevant
principle(s) that reduces likelihood
that the entity can achieve
objectives.
• If a deficiency in control is
identified - management must
assess severity of impact.
43

Clarifies Deficiencies
• Major deficiency in internal control:
precludes effective internal control.
• Points of focus (POF), formerly
attributes, are important
considerations to determine whether
a principle is present and functioning.
44

Working Together
• Effective IC requires each of the 5
components.
• Principles must be present, functioning,
operating together.
• Present is about effective design and
implementation
• Function is about effective operation.
45

Working Together
• Present - Components and relevant
principles exist in the design and
implementation of IC.
• Functioning – Requires
determination that all five
components collectively reduce, to
an acceptable level, the risk of not
achieving objectives.
46

KEYS TO COSO 17
PRINCIPLES
47

Principles
• Attributes under the categories are
“formalized” into 17 principles.
• The framework views all principles as
suitable for all entities.
• A principle is a law/rule that
should be followed.
• Effective operation would be
impossible if any one of the
principles were ignored.
48

Points of Focus
• POF may assist in evaluating IC and
determining whether principles are
present/functioning.
• Not required for assessing the
effectiveness of IC.
• Management may determine that
some POF are not suitable and may
identify and consider others.
49

Points of Focus
• COSO uses “points of focus” (POF)
as important characteristics of the
principles.
• “Focus” – formal definition: a
central point of attraction,
attention, or activity.
50

CONTROL
ENVIRONMENT
51

Control Environment
• The set of standards and processes
that provide the basis for carrying
out IC.
• Principle 1: Organization
demonstrates a commitment to
integrity and ethical values.
• Principle 2: Board demonstrates
independence from management
and exercises oversight of IC.
52

Control Environment
• Principle 3: Management establishes,
with board oversight, structures,
reporting lines, and appropriate
authorities and responsibilities.
• Principle 4: Organization
demonstrates commitment to attract,
develop, and retain competent
individuals.
• Principle 5: Organization holds
individuals accountable for their IC
responsibilities.
53

Control Environment
• What things are in place to
establish a sound “control
structure”?
• Policies and procedures
• Management philosophy and
operating style
• Tone at the top
• HR policies
• Segregation of duties
• Ethics controls, code of conduct
54

RISK ASSESSMENT
55

Risk Assessment
• RA involves a dynamic and iterative
process.
• Considers changes in the external
environment/business model that
may impede achievement of
objectives.
• Framework includes four principles
under the RA component.
56

Risk Assessment
• Principle 6: Objectives are stated with
sufficient clarity to enable the
identification/assessment of risks.
• Principle 7: Identify/analyze risks to
determine how to manage them.
• Principle 8: Management assesses the
potential for fraud related to the
achievement of objectives.
• Principle 9: Identify and assess
changes that could significantly impact
the system of IC.
57

Risk Assessment
• What occurs within processes to
continually assess and evaluate
inherent risks?
• KPIs
• Business objectives
• Goals and strategies
• Emerging risk assessment
• Assessment of changing business
environment
58

CONTROL ACTIVITIES
59

Control Activities
• CA are actions established by
policies/procedures to help
ensure that management
directives to mitigate risks are
carried out.
• CA are performed at all levels of
the entity and at various stages.
• Includes three separate
principles.
60

Control Activities
• Principle 10: Select and develop
control activities.
• Principle 11: Select and develop
general controls over technology.
• Principle 12: Deploy through
policies and procedures.
61

Control Activities
• What specific CA occur to ensure
proper execution of the process and
keep the “bad thing” from
happening?
• Checks and balances/reconciliations
• Sign-offs/tie-outs
• Receipting/purchase orders
• Inventory/cash counts
• Estimates and judgments
• Procedure compliance
62

INFORMATION AND
COMMUNICATION
63

I&C
• Necessary for the entity to carry
out IC responsibilities.
• Occurs both internally/externally.
• Enables personnel to understand
IC responsibilities.
• Informs external parties regarding
the organization’s position on IC.
64

I&C
• Principle 13: Obtain or generate and use
relevant information to support the
functioning of IC.
• Principle 14: Internally
communicate information, including
objectives and responsibilities for IC.
• Principle 15: Communicate with
external parties matters affecting
the functioning of IC.
65

I&C
• How is information in the
organization communicated through
systems and personnel?
• What focus is placed on IT general
and application controls?
• How does the company
communicate ICs with investors and
employees?
66

MONITORING
67

Monitoring
• Principle 16: Ongoing evaluations,
separate evaluations, or some
combination of the two are used to
ascertain whether each of the five
components of IC is working.
• Principle 17: Findings are evaluated
and deficiencies are communicated in
a timely manner.
• Serious matters reported to senior
management and to the board.
68

Monitoring
• Monitoring involves both internal
and external monitoring.
• It does not mean that all monitoring
is the responsibility of the auditors.
• Management must establish
appropriate procedures to monitor
their own activities.
69

Monitoring
• What processes are in place to
evaluate overall effectiveness?
• Who owns the task of monitoring
effective processing?
• Does management take
responsibility or do they wait for the
checks and balances?
70

FRAMEWORK
APPLICATION
71

Application
• COSO recommends:
• Document responses for each
“principle”.
• Responses should support
management's conclusions that
controls actually exist and are
effectively functioning.
72

Application
• The response should generally not
be a “yes” or a “no”.
• It should address the specific
internal control and what
the entity does to address
the point of focus.
73

Application
• Management should conclude on the
effectiveness of controls for each
of the five attributes.
• The responses must provide
information with respect to the
points of focus and support
management’s conclusions on the
attributes.
[Figure: COSO Template]
74

Application
• An overall conclusion should be
reached with respect to each COSO
component.
• The conclusion is supported by the
collective weight of the individual
conclusions of the relevant attributes.
• Management formulates a conclusion
as to the effectiveness of the control
environment.
75

Application
• A response of “ineffective” or
“requires improvement” for a given
attribute does not necessarily
warrant a conclusion that the
related component is ineffective at
the entity level.
• There may be compensating
controls in other areas.
76

NEEDS IMPACT AND
COMPLIANCE PLAN
77

Needs Impact
• The impact of COSO and the
requirements for effort will vary
for each organization.
• What should your organization
do?
• Are you a publicly traded
entity?
• Does your company utilize
COSO for its IC framework?
78

Needs Impact
• Is your company considering an IPO?
• How have your past SOX efforts
been managed?
• What is the company history with
significant deficiencies and material
weakness?
• How robust has your program of
evaluation of the control
environment elements been?
• Does your company wish to reflect
compliance with COSO regardless of
SEC filing status?
79

Needs Impact
• Companies should continually
assess their individual maturity
related to COSO compliance.
• Compliance with COSO 2013 will
continue to evolve and transition as
organizations further evaluate the
principles and POF.
• Companies’ mapping processes and
diligence vary.
• Will it matter?
80

COMPLIANCE
81

Compliance
• Focus on all five COSO components and
related principles.
• The 17 principles will require focus on the
importance of components beyond ICFR
(internal control over financial reporting).
• Consider:
• The manner in which other components
are being tested.
• Who performs the testing.
• The level of evidence/documentation
required to conclude that each
principle/component is present/
functioning.
82

Compliance
• Examine the impact on the board and AC
(audit committee).
• The framework contains more
prescriptive expectations on
governance.
• Boards/committees should
consider POF and how their
current governance policies,
procedures and documentation
demonstrate that the related
principles are
present/functioning.
83

Compliance
• Align RA and CA. Consider:
• Who performs the RA, how and when
is it performed, and how are
external/internal changes
impacting FR (financial reporting) identified?
• RA should include understanding
processes from transaction
initiation to FS (financial statement)
recognition.
• How do you know when a
process has changed or should change?
84

Compliance
• Ensure CAs are
responsive to the assessed risk.
• Documentation should support the
assertion that controls are
operating effectively and at the
appropriate level.
85

Compliance
• Apply the framework to meet
other objectives
• Assertions related to disclosure
controls and procedures.
• Regulatory assertions.
• Sustainability measures and
reporting.
86

Compliance
• Principle Mapping
• COSO suggests beginning with the
principle and determining if controls
exist that meet the principle.
• POF can be utilized in assessing
controls.
• Fresh look beginning with principles
will assist in re-evaluation of
efficiency/sufficiency of certain
controls.
87

Compliance
• Involve key stakeholders
• Active participation of operational,
compliance and finance functions
will be critical to ongoing success.
• Communicate and train
• Actively communicate the
framework and its intent and
importance.
88

Compliance
• Assess the risk of fraud continually,
both at an entity level and at the
transaction level.
• Consider the opportunity for
management to override internal
controls without being detected.
89

Compliance
• Fraud transition considerations:
• Ensure the proper personnel are
performing fraud risk
assessments and evaluating the
risk of management override.
• Ensure the AC oversees the assessment
and challenges management.
90

Compliance
• Fraud transition considerations:
• Validate that procedures to
detect/deter fraud are
responsive to the CE (control
environment) and the assessed risk.
• Ensure controls considered
important to the detection/
deterrence of fraud are
monitored frequently and
robustly.
91

SUMMARY
92

Summary Overview
• Framework is not new!
• There are critical enhancements.
• Adequate ongoing compliance will
require focus and dedication.
• Management must understand
principles and POF.
• Audit Committee and board
understanding and involvement as
well as buy-in is critical.
• All organizations should have a basic
understanding of COSO.
93

Summary Overview
• Overall impact of the updated
framework may be dependent on
many variables.
• Remember the intent of the
framework update.
• Ongoing enhancement of internal
controls in all areas of business.