In this webinar, Bob Hirth, COSO Chair, will provide a brief overview of the new COSO Framework, followed by an interactive discussion around the December 15 deadline set by COSO and what this means for companies that have – and have not yet – implemented the updated framework.
In addition, participants will hear what is required under the new COSO Framework, and how those requirements relate to SEC rules for determining if the system of internal controls over financial reporting is “effective,” specifically for purposes of Sarbanes-Oxley reporting.
In this session we will discuss:
- Best practices and lessons learned working with clients as they transition to the new COSO Framework along with industry adoption rates
- How adoption of COSO 2013 provides an opportunity for companies to review and potentially improve internal controls
- How financial management software can streamline the mapping, documenting, and testing activities relating to COSO 2013
2. CPE credits and supplemental information
We are issuing 1 CPE credit
To be eligible for CPE credit, please answer three (3) out of the four
(4) polling questions throughout the duration of this webinar.
An email with a link to the CPE Course Evaluation Form will be
emailed after the webinar.
3. Today’s Speakers
Robert Hirth
Chairman
Committee of Sponsoring Organizations of the Treadway Commission
Susan Parcells
Director, Finance Transformation & Product Expert
BlackLine
Michael P Rose
Partner, Northeast Region Advisory Services
Grant Thornton
4. Agenda
COSO Overview
Why the new Framework
Transition Timeline and Reporting Implications
Leading Practices and Lessons Learned
Learn how the BlackLine Task Product can be used
to help companies organize and manage the work around
complying with the new COSO Framework
5. Polling Question #1
What type of organization do you work for?
A. Public, US listed
B. Private
C. Not for Profit
D. Other
8.
15,000 > 600,000
Originally formed in 1985, COSO is a joint initiative of five private sector
organizations and is dedicated to providing thought leadership through
the development of frameworks and guidance on enterprise risk
management (ERM), internal control and fraud deterrence.
9,300
386,000
67,000
180,000
9. Mission
COSO’s Mission is “To provide thought leadership
through the development of comprehensive frameworks
and guidance on enterprise risk management, internal
control and fraud deterrence designed to improve
organizational performance and governance and to reduce
the extent of fraud in organizations.”
COSO’s Fundamental Principle
Good risk management and internal control are necessary
for long term success of all organizations
11. And Thus…
The National Commission on Fraudulent Financial Reporting, a private-sector
initiative, was formed in 1985 with James C. Treadway, Jr., former SEC
Commissioner and General Counsel, Paine Webber, as its Chairman, and
became known as the “Treadway Commission.” It was formed to inspect,
analyze, and make recommendations on fraudulent corporate financial reporting.
Source: sechistorical.org
12. The Internal Control Recommendation
All public companies should maintain internal
controls that provide reasonable assurance that
fraudulent financial reporting will be prevented or
subject to early detection - this is a broader
concept than internal accounting controls…
…The Commission also recommends that
its sponsoring organizations cooperate on
developing additional, integrated guidance on
internal controls…
- Treadway Commission report
14. Why Make Changes?
In the twenty years since the inception of the
original framework, business and operating
environments have changed dramatically,
becoming increasingly complex,
technologically driven, and global.
At the same time, stakeholders are more
engaged, seeking greater transparency and
accountability for the integrity of systems of
internal control that support business
decisions and governance of the
organization
Source: COSO September 2012
15. Update considers changes in business and operating environments…
Environmental changes…
• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexity in business
• Demands and complexities in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud
…have driven Framework updates
[Figure: COSO Cube (2013 Edition)]
16. Why update what works – The Framework has become the most widely adopted control framework worldwide.
Original Framework: COSO’s Internal Control–Integrated Framework (1992 Edition)
Refresh Objectives:
• Reflect changes in business & operating environments
• Expand operations and reporting objectives
• Articulate principles to facilitate effective internal control
Enhancements:
• Updates Context
• Broadens Application
• Clarifies Requirements
Updated Framework: COSO’s Internal Control–Integrated Framework (2013 Edition)
17. Update articulates principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
18. Update describes important characteristics of principles, e.g.,
• Points of focus may not be suitable or relevant, and others may be identified
• Points of focus may facilitate designing, implementing, and conducting internal control
• There is no requirement to separately assess whether points of focus are in place
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
Points of Focus:
• Sets the Tone at the Top
• Establishes Standards of Conduct
• Evaluates Adherence to Standards of Conduct
• Addresses Deviations in a Timely Manner
19. Update describes how various controls effect principles, e.g.,
Component: Control Environment
Principle: 1. The organization demonstrates a commitment to integrity and ethical values.
Controls embedded in other components may effect this principle:
• Control Environment: Human Resources review employees’ confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity
• Information & Communication: Management obtains and reviews data and information underlying potential deviations captured in whistleblower hot-line to assess quality of information
• Monitoring Activities: Internal Audit separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results and reports thereon
20. There is no Magic 17 Principles Control Checklist …
• The Framework does not prescribe controls to be
selected, developed, and deployed for effective
internal control
• Selection of controls is a function of management
judgment based on factors unique to the entity
• How controls effect multiple principles can provide
persuasive evidence
21. Polling Question #2
What industry are you in?
A. Financial Services
B. Distribution, Manufacturing
C. Services
D. Technology
E. Energy and Utilities
F. Other
23. Transition & Impact
• Users are encouraged to transition applications and
related documentation to the updated Framework as
soon as feasible
• Updated Framework will supersede original Framework
at the end of the transition period (i.e., December 15,
2014)
• During the transition period, external reporting should
disclose whether the original or updated version of the
Framework was used
24. Mostly Smooth Sailing for Early Adopters of COSO Framework Update (?)
“Early adopters of the updated COSO framework
say they're finding their existing internal controls
map rather well to the newly articulated principles
contained in the updated framework, although they
need to bring more controls into the scope of their
internal control evaluation and audit to show it.”
April 8, 2014
25. Microsoft Example
• Nearly complete with its implementation of the COSO update, mapping the
new framework to its existing control environment and updating its controls.
• Increased the number of entity-level controls that are scoped into its
Sarbanes-Oxley compliance exercise from 45 to 58 as a result of the
refresh to the updated framework.
• Found its coverage was adequate, but some of the controls that met the
COSO principles were not scoped into the internal control assessment and
audit.
• Meant streamlining and identifying activities it was already doing that met the
requirements, then documenting them and bringing them into scope for
walkthroughs and testing.
Source: Compliance Week
26. Microsoft Example, Continued
• Devoted a few hundred staff hours to the project.
• Finalizing its control design with input from its audit firm, Deloitte.
• “There are still a couple of open questions we are working on with them
that may result in a few more changes, but it's not substantial at this point,”
• Throughout the implementation the audit firm has targeted areas that the
Public Company Accounting Oversight Board has called on auditors to pay
closer attention through its inspection process, he says. They are looking
more closely, for example, at risk assessments, outsourcing, and reports
that are generated and relied on internally.
Source: Compliance Week
27. Don’t Rush it? A Risk-free Decision?
• “If the company isn’t well into the process already and doesn’t have
the resources in place to make the transition in 2014, don’t rush it.
• (The SEC has stated that it doesn’t intend to challenge companies—
at least in the near-term—that don’t transition by December 15,
2014.)
• Disclose use of 1992 or 2013 Framework; explanation regarding
why transition is delayed but not required in 2014. (revised)
• COSO 2013 is “an important opportunity to improve the efficiency
and effectiveness of the business.”
30. Polling Question #3
What is your current status for transitioning to the 2013 COSO
Framework?
A. Basically done and did just fine
B. Basically done but it was hard
C. Still in process and doing just fine
D. Still in process and struggling with the amount of work
E. 12/31 year-end but deferring to 2015
F. Not a 12/31 year-end
44. COMMON CHALLENGES AROUND THE NEW COSO FRAMEWORK
• Documenting your controls
• Mapping your controls to the applicable Points of Focus/Principles
• Organizing the supporting documentation
• Assigning roles and responsibilities
• Providing evidence of management’s testing of internal controls
45. COSO Framework: 5 Components & 17 Principles
CONTROL ENVIRONMENT
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
RISK ASSESSMENT
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
CONTROL ACTIVITIES
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
INFORMATION & COMMUNICATION
13. Uses relevant information
14. Communicates internally
15. Communicates externally
MONITORING
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Optional: COSO Points of Focus (numbered 1 to 77 on the slide)
Public Company Internal Control Activities: Map them to COSO Framework
Department | Control # | Control Activity
Accounts Payable | CA 053 | All postings to the General Ledger are run and validated to ensure that the GL and subledger are in balance.
Systems | CA 054 | Segregation of Duties is maintained throughout all systems and all roles and responsibilities are reviewed by management on an annual basis.
Systems | CA 055 | Requests for access to systems and associated responsibilities/functionality are reviewed and approved by management.
General Ledger | CA 056 | All balance sheet reconciliations are prepared and reviewed by management on a monthly basis. All reconciliation exceptions are addressed on a timely basis.
General Ledger | CA 057 | All reconciliations deemed as critical (as per Corp. Policy 146) are completed and approved by workday 6.
Step2:
Step1: Map Control Activities
Add additional control activities
Remediate any exceptions/deficiencies
Annually assess
Step3:
Evaluate and assess compliance of
Internal Control Activities to COSO
Framework
46. Polling Question #4
What tools are you using to currently manage your SOX
compliance documentation?
A. Using spreadsheets, flowcharts
B. Using internally developed software
C. Using a third party software
49. Features
Task Dependency: Use the task dependency functionality to align those control activities
with either the Points of Focus and/or the Principles as appropriate
COSO Import Template: Use the COSO import template to bring in just the 17 COSO Principles or the
Principles and the 87 Points of Focus into the BlackLine Task Module (can also
bring in approximately 90 basic control activities) and two certification checklists
50. Features
Control Activities: Add your own control activities as additional tasks
Certification Checklist: Create a certification checklist around internal controls at the COSO principle
level and/or the individual points of focus which includes the necessary
documentation of overall analysis and any acceptable level of risk.
51. Additional Features
Certification checklist to indicate:
• The Principle is present
• The Principle is functioning
• Major deficiencies exist
Add documentation to provide:
• Summary of Controls for Points of Focus/Principles
• Evaluation of Deficiencies within the Principle
Add comments to indicate:
• Any identified deficiencies
• Compensating controls for the deficiencies
• Impact on any of the other Principles
52. Additional Features
Manage COSO Compliance Costs:
• Track time spent at the individual control points and at the COSO principle levels
Certification Details:
• Full audit trail tracks and timestamps all certification events for all control point assessments and COSO reviews
Built-In Workflow:
• Ensure that there is clear ownership around the control activities
Real-time Reporting and Dashboards:
• Management can easily report on their COSO compliance activities
54. QUESTIONS?
Robert B. Hirth, Jr.
Chairman
Committee of Sponsoring Organizations of the Treadway Commission
Office: 415.402.3621
www.coso.org
Susan Parcells, CPA, CGMA
Director, Finance Transformation & Product Expert
BlackLine
Office: 818.223.9008
https://www.blackline.com
Michael P. Rose
Partner, Northeast Region Advisory Services
Grant Thornton
Office:
http://www.grantthornton.com
FEI
http://www.financialexecutives.org