Corporate Compliance Seminars provides educational seminars and consulting services on internal controls, regulatory compliance, corporate governance, IT security, and fraud prevention. The document discusses the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which issued an updated Internal Control - Integrated Framework in 2013. The update codified principles and points of focus to help organizations develop and assess the effectiveness of their internal control systems. It expanded the focus to include operations, compliance and non-financial reporting objectives in addition to financial reporting. Organizations are encouraged to transition to applying the updated framework by December 15, 2014.
Introduction to COSO 2013 - Corporate Compliance Seminars
1. Property of Corporate Compliance Seminars
www.compliance.seminars.com 1
David S. Marshall, MBA, CISA, CFE, CFS
Ph: 708-205-2366 / dmarshall@infotech-global.com
John C. Blackshire, Jr., CPA
Ph: 479-200-4373/ jblackshire@compliance-seminars.net
COSO 2013
Overview of the Framework
A Practical Implementation of the COSO Update for Management and Auditors
Corporate Compliance Seminars
2. http://www.compliance-seminars.com
Corporate Compliance Seminars provides educational seminars and consulting services
to businesses of all sizes.
Our mission is to promote the awareness of internal controls, regulatory compliance,
corporate governance, IT security, and fraud prevention and detection to improve
business profitability.
Each faculty member has over 20 years of work experience within the subject matter.
Corporate Compliance Seminars has been presenting
practical, informative and entertaining seminars since 2004.
We are a proud sponsor of NASBA.
3. Problems
• Foreign Corrupt Practices Act of 1977 - Violations
• Real Estate boom; inflation; high interest rates; Savings and Loan deregulation
• Business Failures: Penn Square Bank, Continental Bank; Crazy Eddie’s Electronics
• S & L Crisis: Over 700 failures - many from fraud; overvalued real estate; lack of
internal controls; lending out far more money than was prudent
Solutions
1985: National Commission on Fraudulent Financial Reporting
aka “Treadway Commission”
Mission: “To identify causal factors that
can lead to fraudulent financial reporting.”
1999: Blue Ribbon Committee on
Improving the Effectiveness of
Corporate Audit Committees
4. 1985 - Committee of Sponsoring Organizations (COSO)
of the Treadway Commission was formed
“COSO is a joint initiative of five private sector organizations and is dedicated to providing
thought leadership through the development of frameworks and guidance on enterprise risk
management, internal control and fraud deterrence.”
5. “The term internal control over financial reporting is defined as a process designed by, or
under the supervision of, the issuer's principal executive and principal financial officers, or
persons performing similar functions, and effected by the issuer's board of directors,
management and other personnel, to provide reasonable assurance regarding the reliability of
financial reporting and the preparation of financial statements for external purposes in
accordance with generally accepted accounting principles and includes those policies and
procedures that:
• Pertain to the maintenance of records that in reasonable detail accurately and fairly
reflect the transactions and dispositions of the assets of the issuer;
• Provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the issuer are being made only in
accordance with authorizations of management and directors of the issuer; and
• Provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use or disposition of the issuer's assets that could have a
material effect on the financial statements.” (Rule 13a-15(f))
6. “A process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding achievement of
objectives in the following categories:
• Effectiveness and efficiency of operations,
• Reliability of financial reporting, and
• Compliance with applicable laws and regulations.”
Components of Internal Control
Definition of Internal Control
Layers of Internal Control
7. COSO - Board of Directors
COSO Advisory Council
AICPA, AAA, IIA, FEI, IMA
Regulatory Observers
Public Accounting Firms
Others (IFAC, GAVI Alliance, ISACA)
PwC - Contracted Author
Stakeholders
Over 700 stakeholders and users were surveyed and others submitted comments during the draft review period
Douglas F. Prawitt, AAA
Charles Landes, AICPA
Marie N. Hollein, FEI
Sandra Richtermeyer, IMA
Richard F. Chambers, IIA
Robert B. Hirth, Jr., Chairman
8. Why update the “Internal Control – Integrated Framework”?
• Address significant changes to business environment and associated risks
• Codify criteria to use in the development and assessment of systems of internal control
• Increase focus on operations, compliance and non-financial reporting objectives.
9. A changing business environment... Drives updates to the Framework...
Expectations for governance oversight
Globalization of markets and operations
Changes in business models
Demands and complexity of rules, regulations and
standards
Expectations for competencies and accountabilities
Use and reliance on evolving technology
Expectations for preventing and detecting fraud
Why Change?
Benefits…
- Improve governance
- Expand use beyond financial reporting
- Improve quality of risk assessment
- Strengthen anti-fraud efforts
- Adapt controls to changing business needs
- Greater applicability for various business models
10. What did not change...
1. Definition of internal control
2. Five components of internal control
3. The fundamental criteria used to assess effectiveness of systems of internal control
4. Use of judgment in evaluating the effectiveness of systems of internal control
What changed...
1. Codification of principles with universal application for use in developing and evaluating the effectiveness of systems of internal control
2. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives
3. Increased focus on operations, compliance and non-financial reporting objectives based on user input
“The experienced reader will find much familiar in the updated Framework, which
builds on what has proven effective in the original version.”
COSO Update created “Principles of Control” (PoCs) and “Points of Focus” (PoFs)
11. Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
12. • “Effective internal control provides reasonable assurance regarding the achievement of objectives and
requires that:
• Each component and each relevant principle is present and functioning
• The five components are operating together in an integrated manner”
• “Each principle is suitable to all entities…”
• “All principles are presumed relevant except in rare situations where management determines that a
principle is not relevant to a component (e.g., governance, technology)”
• “Components operate together when all components are present and functioning and internal control
deficiencies aggregated across components do not result in one or more major deficiencies…”
• “A major deficiency represents an internal control deficiency or combination thereof that severely
reduces the likelihood that an entity can achieve its objectives…”
13. PoF Statements from COSO
• “Points of focus may not be suitable or relevant, and others may be identified”
• “Points of focus may facilitate designing, implementing, and conducting internal control”
• “There is no requirement to separately assess whether points of focus are in place”
Control Environment Principle of Control 1:
“The organization demonstrates a commitment to
integrity and ethical values.”
Points of Focus:
• Sets the Tone at the Top
• Establishes Standards of Conduct
• Evaluates Adherence to Standards of Conduct
• Addresses Deviations in a Timely Manner
14. • “The Framework does not prescribe controls to be selected, developed,
and deployed for effective internal control.”
• “An organization’s selection of controls to effect relevant principles and
associated components is a function of management judgment based on
factors unique to the entity.”
• “A major deficiency in a component or principle cannot be mitigated to
an acceptable level by the presence and functioning of other components
and principles.”
• “However, understanding and considering how controls effect multiple
principles can provide persuasive evidence supporting management’s
assessment of whether components and relevant principles are present
and functioning.”
15. 10. No statement of the problems with COSO 1992
9. Management by Objectives (MBO) based
8. COSO is not ERM – financial statement risks
7. No Study of the utility of the COSO Framework
6. No integration of other disciplines
16. 5. It is not a dynamic framework nor organization
4. No study of “What Went Wrong Post-SOX”
3. Linear control representation
2. “Concept of Culture”
1. Is COSO independent and objective?
17. • “Users are encouraged to transition applications and related documentation to the updated
Framework as soon as feasible”
• Due date is December 15, 2014, when the New Framework will supersede the
current one
• The transition period starts now
• During the transition period, external reports (issued by management to regulators-SEC)
should disclose whether the original or updated version of the Framework was used
• “Adopting the updated Framework will vary by organization…”
Does your system of internal control need to address changes in operations – structure,
products, services?
Should your system of internal control be updated to address all 17 Principles?
Should your system of internal control be updated to address all 79 Points of Focus?
18. Five COSO Components: CE, RA, CA, I&C, MA
17 Principles Imbedded in the Components
Focus on the pervasive controls that set the overall tone of the organization
and the key controls to prevent and detect material misstatements
The fundamental concepts associated with, and drawn directly
from, the five components of the Framework
87 Points of Focus Imbedded in the Principles
Supporting each principle are “Points of Focus” to
assist management in determining whether the
associated principle is present and functioning
19. • Understand the COSO updated Framework and
its impact on your organization
• Communicate the Update to your Compliance team,
internal auditors, executives, Board/ Audit
Committee, and operations management
• Assess and apply changes in controls and supporting
documentation, and map to five COSO Components and
applicable Principles of Control and Points of Focus
• Implement by December 31, 2014 for external reporting
20. The principles-based approach provides flexibility in applying
the Framework to multiple, overlapping objectives across the entity
• Easier to see what is covered and what is missing
• Focus on principles may reduce likelihood of considering
something that’s irrelevant
Understanding the importance of specifying suitable objectives focuses attention on
those risks and controls most important to achieving these objectives
Focusing on areas of risk that exceed acceptance levels or need to be
managed across the entity may reduce efforts spent mitigating risks
in areas of lesser significance
Coordinating efforts for identifying and assessing risks across multiple,
overlapping objectives may reduce the number of discrete risks
assessed and mitigated
Improved Controls = Less Risk = Achieving Organization Objectives
21. - This is an excerpt from our COSO Update seminars -
David S. Marshall, MBA, CISA, CFE, CFS
Corporate Compliance Seminars/ Infotech Global
708-205-2366/ dmarshall@infotech-global.com
John C. Blackshire, Jr., CPA
Corporate Compliance Seminars/ The AccountWare Group
479-200-4373/ jblackshire@compliance-seminars.net
www.compliance-seminars.com