The document discusses COSO 2013 and what auditors need to know about COSO 2013 implementations. It provides background on COSO and why the framework was updated in 2013. It also discusses problems in the marketplace related to internal controls and financial reporting, such as deficiencies found in many audits. The implication is that auditors need to properly evaluate clients' risk assessments, internal controls, financial reporting practices, and monitoring activities before issuing an unqualified opinion.
COSO 2013 and The Auditor
1. COSO 2013 and The Auditor
What the auditor needs to know about COSO 2013 implementations.
Corporate Compliance Seminars
Control. Comply. Communicate.
John C. Blackshire, CPA / 479-200-4373 / jblackshire@compliance-seminars.net
Property of Corporate Compliance Seminars
www.compliance.seminars.com
2. Accountant, Auditor, IT Projects, Compliance Assessor, Sales Director, Trainer
• The Accountware Group / Corporate Compliance Seminars
  • Training, system design, implementation, security, customization, support, documentation, change management
• Walker Interactive Products
  • Financial system designer, financial system implementation, integration, user support, sales, training
• Insurance Systems of America
  • Created and managed internal consulting organization, developed system implementation methodology, deployed accounting systems.
• KPMG
  • Financial Auditor of insurance, financial services, manufacturing clients
• Past Meeting Coordinator - IIA International Conference
3. “COSO is a bunch of policies and procedures. It can’t help us.” – CEO
“We hire great people. They do a great job!” – HR Director
“Our numbers are rock-solid!” – Internal Audit Director
“We spent $30M and two years installing SAP. It has strong controls.” – CIO
5. Organization of the Petroleum Exporting Countries (OPEC)
- General prosperity
- Decreased government spending
- Tax reductions
- Tightened money supply to stem inflation
- Increased defense budget
- Deregulation: “free market” economy
- Oil price controls lifted
6. Problems in the 1970’s and 1980’s
• Oil price skyrocketed; high interest rates; overvalued real estate; national debt tripled
• Savings & Loan industry collapse; bribes from US companies
• Business failures: Continental Bank; Crazy Eddie’s Electronics, ZZZZ Best, Inc.
Solutions
1977: Foreign Corrupt Practices Act – anti-bribery and internal control requirements
1985: National Commission on Fraudulent Financial Reporting, aka “Treadway Commission”. Mission: “To identify causal factors that can lead to fraudulent financial reporting.”
1987: Treadway Report
1990: CFO Act – Fiscal control in Federal agencies
1999: Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees
2002: Sarbanes-Oxley Act
7. 1985 - Committee of Sponsoring Organizations (COSO) of the Treadway Commission was formed “to identify the causal factors that can lead to fraudulent financial reporting.”
“COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.”
8. SEC: “The term internal control over financial reporting is defined as a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
• Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.” (Rule 13a-15 (f))
9. 1992: Internal Control — Integrated Framework
2006: Guidance for Smaller Public Companies
2009: Guidance on Monitoring Internal Control Systems
2013: Internal Control — Integrated Framework
10. Why update the “Internal Control – Integrated Framework”?
• The 1992 framework was extremely poorly documented
• Made significant changes to documentation of the framework to standardize the documentation of its usage
• Codify criteria to use in development and assessment of systems of internal control
• Expanded the business objectives being considered
11. What did not change...
1. Management is responsible for internal control
2. Five components of internal control
3. Three categories of internal control
4. The fundamental criteria used to assess effectiveness of systems of internal control
5. Use of judgment in evaluating the effectiveness of systems of internal control
What changed...
1. Definition of internal control
2. Codification of principles with universal application for use in developing and evaluating the effectiveness of systems of internal control
3. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives
4. Increased focus on operations, compliance and non-financial reporting objectives based on user input
“The experienced reader will find much familiar in the updated Framework, which builds on what has proven effective in the original version.”
COSO Update creates “Principles of Control” and “Points of Focus”
12. COSO 2013 Definition of “Internal Control”
“A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding achievement of objectives related to operations, reporting, and compliance.”
“Internal control is…
• Geared to the achievement of objectives in one or more separate but overlapping categories
• A process consisting of ongoing tasks and activities—it is a means to an end, not an end in itself
• Effected by people—it is not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control
• Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and board of directors
• Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process”
13. • “Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:
  • Each component and each relevant principle is present and functioning
  • The five components are operating together in an integrated manner”
• “Each principle is suitable to all entities…”
• “All principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology)”
• “Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies…”
• “A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives…”
14. PoF Statements from COSO
• “Points of focus may not be suitable or relevant, and others may be identified”
• “Points of focus may facilitate designing, implementing, and conducting internal control assessments”
• “There is no requirement to separately assess whether points of focus are in place”
Control Environment – Principle of Control 1: “The organization demonstrates a commitment to integrity and ethical values.”
Points of Focus:
• Sets the Tone at the Top
• Establishes Standards of Conduct
• Evaluates Adherence to Standards of Conduct
• Addresses Deviations in a Timely Manner
15. • “The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control.”
• “An organization’s selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity.”
• “A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles.”
• “However, understanding and considering how controls effect multiple principles can provide persuasive evidence supporting management’s assessment of whether components and relevant principles are present and functioning.”
17. Guidance to PCAOB Staff
• “Considerations of Audits of ICFR”
• Issued October 24, 2013
• Based on past three years of inspections
Areas
1. “Risk Assessment and the Audit of Internal Control”
2. “Selecting Controls to Test”
3. “Testing Management Review Controls”
4. “IT Considerations”
5. “Roll Forward of Controls Tested at an Interim Date”
6. “Using the Work of Others”
7. “Evaluating Identified Control Deficiencies”
“More than one in three audits inspected by the PCAOB were so deficient the auditors should not have signed off!” – James R. Doty, Chairman, PCAOB (CFO Journal, January 2014)
18. What does audit mean??
To Hear
To Listen
To Interpret
19. Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
20. Why was COSO 1992 Updated?
COSO 1992 was not suitable to the SEC criteria.
Where are the regulators going?
Does Section 302 and 404 certification work?
21. SEC Criteria under SOX 404
Was COSO 1992 free from bias? (36%)
Was COSO 1992 sufficiently complete? (36%)
Did COSO 1992 provide reasonable measurements? (34%)
Was COSO 1992 relevant to evaluation of ICFR? (40%)
22. What happened in 2008?
Is audit quality up or down?
Are material weaknesses up or down?
Does Section 302 and 404 certification work?
How about investor returns?
24. Where are the regulators going?
COSO 2013 the default standard.
Can internal controls prevent or lessen economic issues?
COSO has announced a rewrite of the COSO ERM Framework.
25. 1. What is the definition of the risk brands being considered in the client’s internal control assessment?
2. Is the financial information recorded completely, accurately and timely and in agreement with US GAAP?
3. Are the financial accounting, compliance and operating practices documented and understood throughout the organization, including at off-site locations?
4. Are the internal controls adequate to detect and report errors and fraud?
5. Are we, the external auditors, independent and effective to report errors and deviations from GAAP, policies, procedures and internal controls?
6. Is the client’s Audit Committee independent and critically examining financial reports and fraud allegations?
7. Are key performance metrics, risks, controls and compliance activities maintained, monitored and continuously assessed?
26. Control Environment – Risk Assessment – Control Activities – Information & Communication – Monitoring Activities (the five components and 17 principles, as listed on slide 19)
27. Entity-level controls as % of total key controls (Source: Ernst & Young Survey 2013)
• “The use of entity-level control assessment is under-utilized.”
• “Effective entity-level monitoring may eliminate or reduce the need for certain transaction-level controls.”
• “Companies can significantly reduce the testing workload by properly designing robust and effective entity level controls.”
28. The term “Entity-Level Controls” describes the aspects of a system of internal control that have a pervasive effect on the entity’s controls, such as:
• controls related to the control environment (ex. management’s philosophy and operating authority and responsibility);
• controls over management override;
• the company’s risk assessment process;
• centralized processing and controls including shared service environments;
• controls to monitor results of operations;
• controls to monitor other controls including activities of the internal audit function, the audit committee, and self-assessment programs;
• controls over the period-end financial reporting process; and
• policies that address significant business control and risk management practices.
30. Risk Assessment – Principle of Control 6: “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.”
Points of Focus
21-24. Operations Objectives: Reflects Management’s Choices; Considers Tolerances for Risk; Operations and Financial Performance Goals; Forms a Basis for Committing of Resources
25-27. External Financial Reporting Objectives: Complies with Applicable Accounting Standards; Considers Materiality; Reflects Entity Activities
28-30. External Non-Financial Reporting Objectives: Complies with Externally Established Standards and Frameworks; Considers the Required Level of Precision; Reflects Entity Activities
31-33. Internal Reporting Objectives: Reflects Management’s Choices; Considers the Required Level of Precision; Reflects Entity Activities
34-35. Compliance Objectives: Reflects External Laws and Regulations; Considers Tolerances for Risk
31. Risk Assessment – Principle of Control 7: “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”
Points of Focus
36. Includes Entity, Subsidiary, Division, Operating Unit and Functional Levels – The organization identifies and assesses risks at the entity, subsidiary, division, operating unit and functional levels relevant to the achievement of objectives.
37. Analyzes Internal and External Factors – Risk identification considers both internal and external factors and their impact on the achievement of objectives.
38. Involves Appropriate Levels of Management – The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management.
39. Estimates Significance of Risks Identified – Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
40. Determines How to Respond to Risks – Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce or share the risk.
32. Risk Assessment – Principle of Control 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”
Points of Focus
41. Considers Various Types of Fraud – The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption [and management override of controls] resulting from the various ways that fraud and misconduct can occur.
42. Assesses Incentives and Pressures – The assessment of fraud risk considers incentives and pressures.
43. Assesses Opportunities – The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts.
44. Assesses Attitudes and Rationalizations – The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.
33. Risk Assessment – Principle of Control 9: “The organization identifies and assesses changes that could significantly impact the system of internal control.”
Points of Focus
45. Assesses Changes in the External Environment – The risk identification process considers changes in the regulatory, economic, and physical environment in which the entity operates.
46. Assesses Changes in the Business Model – The organization considers the potential impact of new business lines, dramatically altered compositions of existing lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies and new technologies.
47. Assesses Changes in Leadership – The organization considers changes in the management and respective attitudes and philosophies on the system of internal control.
35. Control Environment – Risk Assessment – Control Activities – Information & Communication – Monitoring Activities (the five components and 17 principles, as listed on slide 19)
36. How has the company satisfied the COSO Control Components?
Are the controls present? Are the controls functioning? - Summary
Risk Assessment – Risk Committee, Risk Model, Annual assessment, BoD/ AC review of management’s risk responses, etc.
Control Environment – Board of Directors, Audit Committee, Ethics policy and training, Hotline, Policies and Procedures, etc.
Control Activities – Standards for all activities. Selection of key controls, documentation of key controls, testing, remediation, etc.
Information & Communication – Documentation and communication of SOX/ Risk Assessment, Internal Control reports, etc.
Monitoring Activities – Quarterly executive meetings, metrics, presentation to BoD/ AC, etc.
37. 1. Formalize and reassess risks (entity – business process – IT activity)
• Identify material changes in operations
• Determine in-scope and out-of-scope business units
2. Reassess key controls; considering your “control mix”
• Consider financial and non-financial controls
• Consider external and internal reporting controls
• Consider compliance, operational, fraud and IT controls
3. Link SOX program to the COSO 2013 framework
• COSO narrative or spreadsheet
• COSO Illustrative Toolset or other tool
4. Align risks and key controls to the COSO Components, Principles and Points of Focus
• Consider the organization’s objectives and risks
• Use judgment in selecting the POFs
5. Update SOX documentation for COSO 2013
• Control present and functioning
• Aggregate your deficiencies
• Control effectiveness across Components and Principles
“use common sense”
38. Key Control: “The Vendor Disbursements Report is reviewed on a daily basis by the AP Manager and on a weekly basis by the Corporate Controller. The report and certifications are obtained as evidence.”
Principle of Control: #10: Control activities are defined to reduce entity risks. #16: Management conducts ongoing and separate evaluations of internal controls.
Component of Control: #3: Control Activities; #5: Monitoring Activities
Point of Focus: #44: Addresses the segregation of duties; #69: Considers a mix of ongoing and separate evaluations
40. Key Control: The Vendor Disbursements Report is reviewed on a daily basis by the AP Manager and on a weekly basis by the Corporate Controller. The report and certs are obtained as evidence.
Mapping by COSO Control Component (COSO Principle of Control / COSO Point of Focus / Evidence):
Control Environment – not mapped
Risk Assessment – not mapped
Control Activities – Principle #10: Control activities are defined to reduce entity risks. / Point of Focus #44: Addresses the segregation of duties / Evidence: Observation and Inspection of Disbursements Report review
Info & Communication – Evidence: AP Manager Dashboard of Disbursements; Internal Audit report of AP
Monitoring Activities – Principle #16: Management conducts ongoing and separate evaluations of internal controls. / Point of Focus #69: Considers a mix of ongoing and separate evaluations / Evidence: Controller Monitoring; Internal Audit of Accounts Payable
41. Consider scoping in more Entity Level risks, controls and assessments
• Assessment of Board and Audit Committee effectiveness
• Assessment of Ethics/ Code of Conduct compliance
• Annual employee awareness of policies and procedures
• Effectiveness of “hotline” (process to report fraud)
• Evaluation of Risk Assessment documentation
• Evaluation of Monitoring controls
Re-evaluate the financial statement risks and key controls
• Financial Statement Assertions (Presentation, Existence, Rights/ Obligations, Cut-Off, Valuation)
Re-evaluate the risks and controls over Compliance and Operational activities
• Assessment of non-financial, internal reporting, business processes, IT and fraud
• Assessment of Outsourced Service Providers (OSPs)
42. Each of the five COSO Components must be “present and functioning”
• Are they present? - “The determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.” (“Design”)
• Are they functioning? - “The determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.” (“Operating Effectiveness”)
The five COSO Components must “operate together in an integrated manner”, i.e. “the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.”
• Management can demonstrate that components operate together when:
  • “The components are present and functioning, and
  • Internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist.”
43. Going Forward – Section 10: Direction and Summary
COSO 2013: The Sequel
Control. Comply. Communicate.
44. Do we really like to change?
• Alphabetic Keyboard – 1860’s
• Qwerty – Solution to jamming
• Dvorak – 1932
• “Touch” keyboards (keyless)
• Virtual keyboards
• No keyboards--voice dictation, etc.
45. Cultural Issue – Our Suggestions
1. “Risk Awareness” – Don’t force the risk assessment routine to an annual exercise. Assess risks on a “needs” basis…monthly or quarterly. Create triggers for all High and Medium Risks.
2. “Communication” – Explain “WHY”. Foster the flow of communications up and down the organization. Hold corporate “town hall meetings”. Encourage the sharing of “best practices”. Whistleblower function.
3. “Incentives” – Reward practices and behavior above and beyond expectations.
4. “Training - Mentoring” – Reinforce the Compliance programs through e-mails, meetings and webinars. Have formal mentorship programs.
5. “Measure” – Quantify and track metrics such as financial, risk factors, quality, customer service and improvements. Have established ranges for all metrics and the “Why’s”.
6. “Accountability” – Hold managers and staff accountable for controllable events such as errors, over budgets and compliance violations.
7. “Fix” – Create an effective Mission-Policy-Procedure stack. Identify the root cause and systemic issues.
8. “Continuous Improvement” – Encourage positive and negative feedback for process improvement.
46. The Pareto’s Principle – The 80 - 20 Rule
Risk heat map (impact by likelihood):
                 Rare   Unlikely   Possible             Likely
Catastrophic     Low    Low        Medium Risk - 15%    Highest Risks – 5%
Major            Low    Low        Medium Risk - 15%    Medium Risk - 15%
Moderate         Low    Low        Low                  Low
Minor            Low    Low        Low                  Low
Insignificant    Low    Low        Low                  Low
47. Reevaluate Significant Financial Accounts and Cycles
Reevaluate Significant Business Processes & Controls
Key Control Map – Business and IT
Test; Deficiencies
Remediate & Retest
Reassess Risks – F, NF, Internal, External, Fraud, Operations, Compliance, IT
Reevaluate and Map the Entity Control Environment
Monitor & Sustain
Compliance
Documentation-Evidence