COSO’s Updated Internal Control Integrated Framework


COSO’s Updated Internal Control Integrated Framework
A conversation with the Dallas Chapter of the IIA
September 5, 2013

Agenda
- COSO – What is that again?
- Why did COSO decide an update was needed to the Internal Control Integrated Framework?
- What changed?
- Transition and recommended actions

Disclaimer: The contents of this document are purely for educational and awareness purposes of the audience, and do not represent or imply PwC’s views on the COSO IC Framework updates nor PwC’s audit methodology related to areas impacted by the COSO IC Framework updates.

PwC 1

What is COSO?
Internal Control-Integrated Framework

In 1992, COSO published the original IC Framework, which allowed the management of an organization to establish, monitor, evaluate, and report on internal control. The original IC Framework has gained widespread acceptance and use worldwide.

In 2013, COSO published the updated IC Framework to ease use and application, considering changes in business and operating environments, articulating principles and clarifying requirements for effective internal control, and encouraging users to apply internal control to additional objectives.

What is COSO?
The Internal Control-Integrated Framework

[Figure: the 1992 COSO IC Cube shown beside the 2013 COSO IC Cube, with labelled axes for entity structure and components]

What is COSO?

[Figure: timeline of COSO publications. Internal Control: 1992, 2006, 2009, 2013. Enterprise Risk Management and Other: 2004, 2010]

Why did COSO decide an update was needed to the Internal Control-Integrated Framework?
Why a fresh look at controls will benefit your company

“In the twenty years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization.”

In more recent years, internal control failures combined with the bursting of financial asset bubbles and the meltdown in macro-economic conditions have taught hard lessons about blind spots and hidden risks. In addition, 67% of companies have undergone a major business transformation in response to market shifts since mid-2011.*

As businesses evolve and introduce new risks, an effective system of internal control adapts to both planned and unforeseen changes and events. Effective internal control can help uncover and mitigate risks that interfere with achieving important business objectives.

* Source – PwC, Risk in review – Global risk in the transformation age, 2013.

Why did COSO decide an update was needed to the Internal Control-Integrated Framework?
A fresh look at controls will provide benefits, especially if your company is going through change.

Changes in the business environment and changes inside the business introduce or elevate risk:
- Major change – New business models, markets, products, partners
- Major change – New leadership, growth, restructurings
- Ongoing regulatory oversight and scrutiny – If you’re complying with more regional or global requirements, there may be little room for error
- Greater complexity in your operating model and structure – Taking on new service providers or partners can create risks that may be far removed from the business
- New and evolving expectations for non-financial reporting – Stakeholders and regulators seek greater transparency and confidence in your reporting
- Expanding reliance on technology – New uses of existing technology and new investments may impact risks for internal and external interactions
- Business failures and brand-damaging events – Businesses in many industries need to re-build trust with customers and stakeholders

Why did COSO decide an update was needed to the Internal Control-Integrated Framework?
Example #1: Dealing with ongoing regulatory oversight and scrutiny

Rapid, pervasive changes in the global business environment introduce new risks and elevate expectations to protect shareholders and key stakeholders.

As a response, recently enacted legislation, laws and regulations have prompted business leaders to re-assess existing system(s) of internal control across their organizations to determine whether risk is mitigated to an acceptable level.

Increased regulatory requirements:
- Sarbanes-Oxley / J-SOX
- Dodd-Frank Act
- FCPA
- Consumer Protection Act
- Basel II

Does your organization apply internal control to support achievement of non-financial reporting, operations, and compliance objectives?

Why did COSO decide an update was needed to the Internal Control-Integrated Framework?
Example #2: Dealing with business failures and brand-damaging events

History repeats itself. Internal control failures at companies like Enron, WorldCom, Adelphia, Parmalat, Lehman Brothers and others led to increased expectations for application of internal control beyond financial reporting requirements.

Learn from the past. Take a fresh look at existing controls in relation to the risks of achieving specific objectives.
- What breakdowns have you experienced with existing controls? Why didn’t you anticipate them?
- What issues could have been prevented if you had more effective controls at the root cause?

Why did COSO decide an update was needed to the Internal Control-Integrated Framework?
Update is responsive to input provided by stakeholders and users

Do stakeholders and users fully understand the requirements of effective internal control?

[Chart: survey responses for each component (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring), shown as the percentage (0% to 100%) rating the component as “Difficult to interpret”, “Somewhat difficult to interpret”, “Moderately easy to interpret”, “Generally easy to interpret” or “Easy to interpret”]

Source – COSO’s survey of users and stakeholders, worldwide – January to September 2011

Stakeholders and users impacted the updates to the Internal Control-Integrated Framework

[Figure: COSO Board of Directors, with PwC as author and project leader, the COSO Advisory Council, and stakeholders]

- Over 700 stakeholders in the Framework responded to a global survey during 2011
- Over 200 stakeholders publicly commented on proposed updates to the Framework during the first quarter of 2012
- Over 50 stakeholders publicly commented on proposed updates in the fourth quarter of 2012

COSO Advisory Council: PwC, AICPA, AAA, FEI, IIA, IMA, public accounting firms, regulatory observers (SEC, GAO, FDIC, PCAOB), others (IFAC, ISACA, others)

What is not changing?
Update is responsive to input provided by stakeholders and users, continued

What is not fundamentally changing:
- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components of internal control is required for effective internal control
- Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

What is changing – Component chapters consider the current business environment
Control Environment

Area / Key updates:
- Governance; Management’s philosophy and operating style: Combines into five principles the discussions relating to integrity and ethical values, commitment to competence, board of directors or audit committee, management’s philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices
- Linkages between various components of internal control: Explains linkages between the various components of internal control to demonstrate the foundational aspects of the control environment for a sound system of internal control
- Governance; Organizational structure: Expands the discussion of governance roles in an organization, recognizing differences in structures, requirements, and challenges across different jurisdictions, sectors, and types of entities
- Integrity and ethical values: Clarifies the expectations of integrity and ethical values to reflect lessons learned and developments in ethics and compliance, e.g. code of conduct, the attestation process, whistle-blower processes, investigation and resolution, and training and reinforcement both internally and with third parties

What is changing – Component chapters consider the current business environment
Control Environment (continued)

Area / Key updates:
- Linking risk and performance: Expands the notion of risk oversight and strengthens the linkages between risk and performance to help allocate resources to support internal control in the achievement of the entity’s objectives
- Organizational complexities: Emphasizes the need to consider internal control across the complexities in organizational structure resulting from different business models and the use of outsourced service providers, business partners, and other external partners
- Roles and responsibilities alignment: Aligns roles and responsibilities discussed in organizational structure with the information presented in Appendix B, Roles and Responsibilities, so that major roles are used consistently within the Framework

What is changing – Component chapters consider the current business environment
Risk Assessment

Area / Key updates:
- Risk assessment processes: Clarifies that risk assessment includes processes for risk identification, risk analysis, and risk response
- Risk severity: Expands the discussion on risk severity beyond impact and likelihood to include velocity and persistence
- Risk tolerances: Incorporates risk tolerances (set as a precondition to internal control and pertaining to the level of acceptable variation in performance and the relative importance of objectives) into the assessment of acceptable risk levels
- Impact of internal and external factors: Expands the discussion on management needing to understand significant changes in its internal and external factors and how those might impact the overall system of internal control
- Fraud risk: Considers fraud risk relating to material omission or misstatement of reporting, inadequate safeguarding of assets, and corruption as part of the risk assessment process

What is changing – Component chapters consider the current business environment
Control Activities

Area / Key updates:
- Evolution of technology: Broadens the discussion to reflect the evolution in technology since 1992
- Automated control activities vs. general controls over technology: Expands the discussion of the relationship between automated control activities and general controls over technology to reinforce the linkages to business processes, with the details on automated control activities and general controls over technology separated into discrete sections to clarify the distinction between the two
- Control techniques: Expands the discussion that control activities constitute a range of control techniques while providing a more detailed description of these types and techniques, and a way to categorize them; distinguishing transaction-level controls from controls at other levels of the organization; and discussing information-processing objectives in more detail
- General technology controls: Updates the discussion on general technology controls to focus more on the universal concepts of what needs to be controlled
- Policies and procedures vs. control activities: Clarifies that control activities are actions established by policies and procedures rather than being the policies and procedures themselves

What is changing – Component chapters consider the current business environment
Information & Communication

Area / Key updates:
- Information quality: Emphasizes the importance of the quality of information
- External reporting information: Expands the discussion of the expectations for verifying to a source and for retention when information is used to support reporting objectives to external parties
- Information protection and reliability: Expands the discussion on the impact of regulatory requirements on reliability and protection of information
- Information volumes and sources: Expands the discussion on the volume and sources of information in light of increased complexity of business processes, greater interaction with external parties, and technology advances
- Impact of technology: Reflects the impact of technology and other communication mechanisms on the speed, means, and quality of the flow of information
- Communication with third parties: Adds content on the information and communication needs between the entity and third parties, emphasizing the importance of considering how processes may occur outside the entity and how the entity needs to obtain information from parties that operate outside its legal and operational boundaries

What is changing – Component chapters consider the current business environment
Monitoring Activities

Area / Key updates:
- Monitoring activities terminology: Refines the terminology, where the two main categories of monitoring activities are now referred to as “ongoing evaluations” and “separate evaluations”
- Baseline understanding: Adds the need for a baseline understanding in establishing and evaluating ongoing and separate evaluations
- Technology and service provider use: Expands the discussion of the use of technology and external service providers

Update expected to ease use and application of internal control

[Figure: COSO’s Internal Control–Integrated Framework (1992 Edition), the original Framework, plus enhancements to increase ease of use, yields the updated Framework, COSO’s Internal Control–Integrated Framework: 2013]

Enhancements to increase ease of use:
- Updates context – Reflect changes in business and operating environments
- Clarifies requirements – Articulate principles to facilitate development of effective internal control
- Broadens application – Expand operations and reporting objectives

Update considers changes in business and operating environments

Changes in environments drove updates to the IC Framework:
- Expectations for governance oversight
- Globalization of markets and operations
- Changes and greater complexity in the business
- Demands and complexities in laws, rules, regulations, and standards
- Expectations for competencies and accountabilities
- Use of, and reliance on, evolving technologies
- Expectations relating to preventing and detecting fraud

[Figure: updated COSO Cube]

Update encourages users to consider new applications of internal control

For instance, organizations may choose to apply the IC Framework to achieve important reporting objectives beyond external financial reporting.

External financial reporting objectives may relate to:
- Annual financial statements
- Interim financial statements
- Earnings releases

Internal financial reporting objectives may relate to:
- Divisional financial reports
- Customer profitability analysis
- Bank covenant calculations

External non-financial reporting objectives may relate to:
- Internal control reports
- Sustainability reports
- Supply chain / custody of assets

Internal non-financial reporting objectives may relate to:
- Staff / asset utilization
- Customer satisfaction measures
- Health and safety measures

External reporting is used to meet external stakeholder and regulatory requirements, is prepared in accordance with external standards, and may be required by regulators, contracts or agreements. Internal reporting is used in managing the business and decision making, and is established by management and the board.

Update articulates principles of effective internal control

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Update articulates principles as important characteristics of the components of internal control

[Figure: hierarchy of 5 components, 17 principles, points of focus, and controls]

- Principles are suitable and presumed relevant for all entities
- Principles can support achievement of a single, multiple, or overlapping objectives
- When principles are present and functioning, objectives are specified with sufficient clarity to assess risk and deploy controls to mitigate risk to an acceptable level
- Applying principles provides a basis for checking what’s covered and what’s missing across the business, including dispersed and outsourced operations

Update describes ‘points of focus’ as important characteristics of principles. For instance:

Control Environment – Principle 1: The organization demonstrates a commitment to integrity and ethical values.

Points of focus:
- Sets the tone at the top
- Establishes standards of conduct
- Evaluates adherence to standards of conduct
- Addresses deviations in a timely manner

- The points of focus may not be suitable or relevant, and other characteristics of the principles may be in place
- The points of focus may facilitate designing, implementing, and conducting internal control
- There is no requirement to separately assess whether points of focus are in place

Update describes how controls effect principles. For instance:

Component: Control Environment
Principle 1: The organization demonstrates a commitment to integrity and ethical values.

Controls embedded in components effect this principle:
- Control Environment: Human Resources reviews employees’ confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity
- Information & Communication: Management obtains and reviews data and information underlying potential deviations captured in the whistleblower hot-line to assess quality of information
- Monitoring Activities: Internal Audit separately evaluates the Control Environment, considering employee behaviors and whistleblower hotline results, and reports thereon

Update articulates requirements for effective system(s) of internal control

“An effective system of internal control requires that:
- Each of the five components of internal control and relevant principles is present and functioning
- The five components are operating together in an integrated manner”

“Management can demonstrate that components operate together when:
- Components are present and functioning
- Internal control deficiencies aggregated across components do not result in the determination that one or more major deficiencies exist”

Update requires use of relevant criteria for assessing severity of internal control deficiencies

- For objectives established through laws, regulations, and standards, use only the criteria set out by the regulator or standard-setting body (e.g., the SEC defines material weakness and significant deficiency)
- For other objectives, the updated IC Framework sets out criteria with two levels of severity
- If a component or relevant principle is not present and functioning, or the components are not operating together in an integrated manner, a major deficiency exists
- A system of internal control is not effective whenever a “major deficiency” (or material weakness) exists based on the use of the appropriate criteria

Update requires use of applicable criteria for assessing severity of internal control deficiencies

[Figure: three-step flow – Identify, Select criteria, Assess severity]

- Identify internal control deficiencies using the IC Framework
- Consider whether an external standard exists relevant to the category of objectives/sub-objectives being assessed, e.g., SEC definitions of material weakness and significant deficiency for external financial reporting
- Determine whether to use the classification criteria set out in the updated IC Framework or the other external standard
- Assess severity using the applicable classification criteria selected above, but not both
- Conclude on severity and report as necessary

COSO provided guidance for transitioning the system of internal control to the updated IC Framework

- COSO encourages thoughtful consideration of the updated Framework, then transition of applications and related documentation as soon as feasible
- COSO decided to supersede the original IC Framework at the end of the transition period (i.e., December 15, 2014)
  - External financial reporting objectives – SEC registrants should be prepared to issue certifications on ICFR based on the updated IC Framework beginning December 31, 2014
  - Other suitable objectives – Board of directors and senior management may identify other applications to apply internal control
- COSO recommends users and stakeholders should monitor any regulatory announcements relating to the transition to the updated IC Framework
- For external reporting objectives, COSO recommends disclosure of whether the original or updated IC Framework is used during the transition period

Transition & Recommended Actions

- Step #1 – Read COSO’s updated IC Framework (and illustrative documents) and communicate with and educate the Board of Directors, C-Suite, operating unit and functional managers
- Step #2 – Conduct a preliminary assessment of what is covered and missing by mapping the principles to existing controls
- Step #3 – Complete a comprehensive assessment and take action to implement necessary changes in controls and related documentation
- Step #4 – Develop and execute the transition plan timely, ensuring necessary changes are implemented in time to achieve your objective(s)
- Ongoing – Consider opportunities to (i) apply internal control to additional operational, reporting and compliance objectives, (ii) optimize the design of controls to mitigate risk to an acceptable level, and (iii) converge processes and controls within the five components that support multiple, overlapping objectives

For instance, SOX 404 external financial reporting requirement

[Figure: timeline from 05/18/13 to 12/31/14, by quarter (Q2 2013 through Q3 2014). Step 1: Educate and communicate. Step 2: Conduct preliminary assessment. Step 3: Conduct comprehensive assessment, develop transition plan and take action. Step 4: Execute transition plan (timely)]

Consider necessary actions – Key stakeholders and users, continued

Internal Audit – Key actions:
- Consider impacts to existing IA processes, programs, evaluations, and reports
- Discuss the impact of the updated IC Framework on IA’s operations and plans with key stakeholders
- Proactively work with management to create and manage the transition plan(s) to the updated IC Framework
- Assist management with mapping of the 17 principles and points of focus to existing controls
- Assist management in identifying and assessing “gaps” in design or related documentation
- Communicate any internal control deficiencies, including major deficiencies or material weaknesses and significant deficiencies, based on applicable classification criteria for the reporting objective

Consider necessary actions – Key stakeholders and users

Board of Directors & Audit Committee – Key actions:
- Gain a high-level understanding of the updated Framework (e.g., Executive Summary)
- Understand management’s assessment of the implications and opportunities, needed changes, and transition plan for applying the updated IC Framework
- Understand management’s assessment of any significant deficiencies and determination of necessary actions for applying the updated IC Framework
- Seek input from external auditors about management’s assessment and transition plan and the impact on the audit

Risk, Compliance & Other Policy Setting Groups (e.g., CRO, CCO) – Key actions:
- Perform an assessment of the impact on the entity’s policies, guidance, training, and analytic tools
- Work with management to communicate the impact on the organization to the Board of Directors and Audit Committee

Consider necessary actions – Key stakeholders and users

Senior Management (e.g., CFO, Corporate Controller, Functional VPs) – Key actions:
- Assess how the entity’s system of internal control applies the seventeen principles associated with its five components of internal control
- Where the entity has applied the original IC Framework, management will need to first identify and assess any implications of applying the updated IC Framework to the entity’s current system of internal control
- Review transition plans (e.g., approach, actions, milestones, activities, resources, timeline) for targeted sub-units
- Discuss with the board of directors its plan to adopt the updated IC Framework
- Communicate with external auditors

Line Management (e.g., Divisional Controllers, Functional Managers) – Key actions:
- Map the 17 principles (using relevant points of focus) to existing controls
- Identify and assess any “gaps” in design or related documentation (by principle and location) with those responsible for internal control
- Develop remediation plans to address gaps in design or related documentation for targeted sub-units

Working with the auditors

- Existing auditing standards relating to an annual audit of an entity’s financial statements require:
  - The external auditor to express an opinion on the effectiveness of a U.S. public company’s internal control over financial reporting (PCAOB AS 5)
  - The external auditor to obtain an understanding of other entities’ internal control, evaluate the design, and determine whether controls have been implemented. Testing operating effectiveness is at the auditor’s discretion. (AICPA AU 315-c)
- Accordingly, the external auditor will need to understand how your organization demonstrates that the principles are present and functioning and the components operate together.
- For US registrants, the external auditor will need to assess and gain comfort with your updated system of internal control over financial reporting and updated SOX compliance program prior to the transition date
- Auditing standard-setting bodies (e.g., PCAOB, ASB) will need to consider whether to update respective attestation standards and guidance

Publications overview

- Executive Summary (10 pages)
  - Provides a high-level overview and is intended for the board of directors, chief executive officer and other senior management.
- Framework (146 pages) and Appendices (46 pages)
  - Sets out the updated framework.
  - Assists management, board of directors, external stakeholders, and others in their respective duties regarding the entity’s system of internal control.
  - The Appendices provide additional reference material, including a glossary of key terminology and a discussion of roles and responsibilities.
- Illustrative Tools & Templates
  - Provides tools that may be useful in applying the updated framework.
- Internal Controls Over Financial Reporting Compendium
  - Includes relevant approaches and examples of how organizations can apply the principles set forth in the updated framework as it relates to external reporting.

Getting COSO’s publications

The updated framework and related illustrative documents are available in 3 layouts:
1. E-book – This layout is ideally suited for those wanting access in electronic format for tablet use. An e-book reader from the AICPA is required to view this layout. Printing is restricted in this layout.
   - Purchase through www.cpa2biz.com
2. Paper-bound – This layout is ideally suited for those wanting a hard copy.
   - Purchase through www.cpa2biz.com
3. PDF – This layout is ideally suited for organizations interested in licensing multiple copies.
   - Contact the AICPA at copyright@aicpa.org

Thank you!!!

PwC contacts
Geoffrey Woodbury
Nicole Rodriguez, Manager, 214-754-7284, nicole.rodriguez@us.pwc.com

© 2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
