Proposed Revisions to the COSO Framework

  • 8/2/2019 Proposed Revisions to the COSO Framework

    1/41

    www.theiia.org

    COSO: Outlook for the New Internal Controls Framework

    Richard F. Chambers, CIA, CGAP, CCSA, CRMA
    President and CEO, The Institute of Internal Auditors, and COSO Board Member

    I. About COSO

    II. About the Update Process

    III. About the Framework

    IV. About the Proposed Changes

    V. Path Forward

    I. About COSO

    About COSO

    A History of Thought Leadership

    National Commission Report on Financial Fraud (1987)

    Internal Control Integrated Framework (1992)

    Internal Control Issues in Derivatives Usage (1996)

    Fraudulent Financial Reporting: 1987-1997 (1999)

    Enterprise Risk Management Integrated Framework (2004)

    Internal Control over Financial Reporting Guidance for Smaller Public Companies (2006)

    Guidance on Monitoring Internal Control Systems (2009)

    Fraudulent Financial Reporting: 1998-2007 (2010)

    External Developments Affecting the Mission

    SOX 404 requirement: public reporting on internal control effectiveness

    Recent financial crisis: focus on risk management inadequacies; pressure on boards to become more involved in risk management

    Ongoing concerns about fraudulent financial reporting

    II. About the Update Process for the Internal Control Integrated Framework

    Why Update What Works?

    ICIF works well today

    Refresh objectives

    Enhancements

    ICIF will work better tomorrow

    COSO's Internal Control Integrated Framework (1992 Edition)

    COSO's Internal Control Integrated Framework (Draft, 2012 Edition)

    Address significant changes to the business environment and associated risks

    Updated, enhanced and clarified Framework

    Increase focus on operations, compliance and non-financial reporting objectives

    Expanded internal and non-financial reporting guidance

    Codify criteria to use in the development and assessment of systems of internal control

    Principles

    Attributes

    COSO Advisory Council (nominated by the COSO Board)

    AICPA, AAA, IIA, FEI, IMA, Regulatory Observers, Public Accounting Firms, Others

    Project Team: PricewaterhouseCoopers

    Companies and Other Stakeholders

    Industry Associations; Academia; Not-for-profit, government entities

    Professional associations

    Risk management professionals

    Lawyers

    Regulators

    Other rule-makers

    COSO Board of Directors

    The Current Project: Three Products

    Stakeholder Survey

    Over 700 responses

    Responses from wide range of organizations/individuals

    Large, small and non-profit organizations

    1 in 4 respondents are non-U.S.

    Majority of respondents have been using the Framework for over 5 years

    85% supported updating, but not a major overhaul of the Framework

    III. About the Internal Control Integrated Framework

    Internal Control Integrated Framework

    Defines:

    Internal control and its components

    Purpose of internal control

    Components and categories

    Roles and responsibilities

    Internal Control Integrated Framework

    Internal Control Integrated Framework

    The most-referenced framework for evaluating internal control, especially internal control over financial reporting

    Influenced legislation and practice in many places:

    Sarbanes-Oxley

    Chinese Ministry of Finance

    SEC of Japan

    Should work for greater harmonization

    Internal Control - Integrated Framework

    First published in 1992

    Gained wide acceptance following financial control failures of early 2000s

    Most widely-used framework in the U.S.

    However

    Since 1992, the operating environment has evolved

    Framework concepts are timeless, but context needs updating

    Defining Internal Control

    Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

    Effectiveness and efficiency of operations.

    Reliability of reporting.

    Compliance with applicable laws and regulations.

    Key Points

    Suitable for all types and sizes of organizations

    Impact will vary by organization

    Suitable not only for financial reporting, but also for operations and compliance objectives and activities

    Principles-based approach allowing flexibility to be applied at the entity, operating and functional levels.

    A Changing Business Environment

    Expectations for governance oversight

    Globalization of markets and operations

    Changes in business models

    Demands and complexity of rules, regulations and standards

    Expectations for competencies and accountabilities

    Use and reliance on evolving technology

    Drives updates to the Framework

    IV. About the Internal Control Integrated Framework Proposed Changes

    Refreshing the Framework

    Enhancements are not intended to alter the core concepts developed in the original Framework

    However, there may be changes pertaining to the application of these concepts that could impact how companies respond

    Other project objectives include:

    Adding more focus on operational and compliance control objectives

    Explicitly identifying principles and attributes to provide efficiency and a basis for evaluating effectiveness

    Much is Familiar

    Examples of Significant Changes

    The organization considers the potential for fraud relating to material misstatement of reporting, inadequate safeguarding of assets, and corruption in assessing risks to the achievement of objectives

    The organization selects and develops general control activities over technology to support the achievement of objectives

    The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning

    Key Points

    Identifies key attributes for each principle

    Considers relationship to enterprise risk management, allowing for integration of both the COSO ERM and ICIF models.

    Changes are not major, but will nevertheless require review and potential updates to a number of processes, activities and documentation.

    Objectives

    Across the Organization

    The overall entity, divisions, subsidiaries, operating units, or functions

    Business processes such as sales, purchasing, production, marketing

    Specificity: The Principles

    17 Principles drawn from the five components of the Framework

    All 17 principles apply to each category of objective, as well as to individual objectives within the categories

    It is generally expected that all principles will, to some extent, be present and functioning for an organization to have effective internal control

    When a principle is not being met, some form of internal control deficiency exists

    Specificity: The Principles

    Control Environment

    1. Demonstrates commitment to integrity and ethical values

    2. Exercises oversight responsibility

    3. Establishes structure, authority and responsibility

    4. Demonstrates commitment to competence

    5. Establishes accountability

    Risk Assessment

    6. Specifies relevant objectives

    7. Identifies and assesses risk

    8. Identifies and assesses significant change

    9. Assesses fraud risk

    Control Activities

    10. Selects and develops control activities

    11. Selects and develops general controls over technology

    12. Deploys through policies and procedures

    Information & Communication

    13. Generates relevant information

    14. Communicates internally

    15. Communicates externally

    Monitoring Activities

    16. Conducts ongoing and separate evaluations

    17. Evaluates and communicates deficiencies

    Specificity: The Attributes

    Each principle is supported by attributes, representing characteristics associated with the principle

    Each attribute generally is expected to be present

    It may be possible to have a principle present and functioning without having every attribute

    Example: A deficiency may or may not exist if

    Control Environment Principle 2: Board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.

    1. Establishes Board of Directors Oversight Responsibilities: Yes

    2. Retains or Delegates Oversight Responsibilities: Yes

    3. Applies Relevant Expertise: Yes

    4. Operates Independently (the board of directors has sufficient members who are independent of the organization and demonstrate objectivity): No

    5. Provides Oversight: Yes

    V. Path Forward

    Exposure Period: Going, Going, Gone

    [Timeline figure, 2010 to 2012. Phases: Assess & Survey Stakeholders; Design & Build; Public Exposure; Finalize. Month markers: Sept, Jan, Feb, Oct, Dec, Mar, Apr, Dec.]

    When to Implement

    Your circumstances dictate how fast changes should be made

    Final version to be issued in late 2012

    Monitor for guidance by SEC or other regulators

    COSO, quite naturally, believes the advantages of the updated Framework will drive adoption as quickly as possible.

    COSO: Looking Ahead

    Updating Internal Control Integrated Framework

    Thought papers to assist the ERM stakeholders in advancing along the maturity curve of an effective ERM process.

    Additional research and guidance on the control environment dealing with behavioral issues and other soft side research issues like rationalization and overconfidence

    Providing guidance on internal control in the public sector.

    Coming soon:

    Judgment Traps

    ERM and Cloud Computing

    Advances in ERM Risk Assessment and Prioritization Approaches

    Questions?

    The Institute of Internal Auditors

    Richard Chambers, CIA, CGAP, CCSA, CRMA

    President & Chief Executive Officer

    [email protected]

    Twitter: @RFCHAMBERS
