20 Years in the Making…

1
…

“…while effective internal control requires leadership from

the top, the responsibility for effective implementation of
internal control resides with everyone in the organization,
not just the finance function. This includes accountants,
compliance officers and those involved in making contracts
and supporting operations as well as those working on the
production line to ensure that products produced meet
quality objectives.

…the individuals that are responsible for achieving the

objectives are also responsible for the quality of internal
controls. “
Larry Rittenberg
Chair Emeritus, COSO
2
 3

Walk Your Talk…

• The University of Wisconsin–Madison is building on the success of
a recent forum to engage the campus community in a discussion
about effective financial management practices and internal
controls.
• “This is the start of a process – a process that will require strong
collaboration all across the campus. The process will lead to higher-
quality financial and business management and strengthen UW–
Madison’s standing as a preeminent university.”
• The first of its kind at UW–Madison – also featured cross-campus
collaboration and participation
• Developing and implementing a robust campus strategy on internal
controls is expected to be a multi-year process. It will include
defining participation, roles and responsibilities of leadership and
staff across campus 3
History is Important…

4
Originally formed in 1985, COSO is a joint initiative of five private sector
organizations and is dedicated to providing thought leadership through
the development of frameworks and guidance on enterprise risk
management (ERM) internal control and fraud deterrence.
9,300

386,000
15,000 > 600,000
67,000

180,000
5
 Mission
COSO’s Mission is “To provide thought leadership
through the development of comprehensive frameworks
and guidance on enterprise risk management, internal
control and fraud deterrence designed to improve
organizational performance and governance and to reduce
the extent of fraud in organizations.”

COSO’s Fundamental Principle

Good risk management and internal control are necessary
for long term success of all organizations
6
 National Commission on Fraudulent Financial Reporting
formed with James C. Treadway, Jr., former SEC
And Thus…
Commissioner and General Counsel, Paine Webber as its
Chairman – becoming known as the “Treadway
Commission” a private-sector initiative, was formed in 1985
to inspect, analyze, and make recommendations on
fraudulent corporate financial reporting.

Source: sechistorical.org

7
The Internal Control Recommendation
All public companies should maintain internal
controls that provide reasonable assurance that
fraudulent financial reporting will be prevented or
subject to early detection - this is a broader
concept than internal accounting controls…
…The Commission also recommends that
its sponsoring organizations cooperate on
developing additional, integrated guidance on
internal controls…

- Treadway Commission report

8
COSO Overview – Internal Control
Publications

1992 2006 2009 2013

9
COSO is more than Internal Control…

10
 COSO Releases New
Thought Lead
Paper Demonstrating How
Frameworks Improve
Organizational Performance
and Governance

ALTAMONTE SPRINGS, Fla., Feb. 10, 2014: The Committee of Sponsoring

Organizations of the Treadway Commission (COSO) announced today the
release of a new thought paper, Improving Organizational Performance and
Governance: How the COSO Frameworks Can Help, developed to illustrate
how the enterprise risk management (ERM) and internal control frameworks
can contribute to enhancing organizational performance and governance for
sustainable success.

11
COSO Framework and COBIT 5

• A new guide released by ISACA shows how the latest versions of the
COSO Internal Control—Integrated Framework and COBIT relate and helps
professionals who use both frameworks to create business value for
enterprises in all industries and geographies.
• Relating the COSO Internal Control—Integrated Framework and COBIT”
looks at the updated COSO framework, which now includes a stronger
emphasis on information technology, and examines the related COBIT 5
components. The paper outlines COBIT 5’s relationship to specific COSO
principles and matches the relevant COBIT 5 framework content with the
associated COSO framework concept.
12
 “Many enterprises have been asking if the two are still
complimentary.This paper answers that question with a
resounding yes, and shows exactly how the two relate. By
using both together, organizations can be confident that
they are following proven guidance on assessing and
improving their internal control practices within an effective
governance structure.”
Steven Babb
Framework Committee Chair
ISACA and the IT Governance Institute
13
How to get your Copy…

Relating the COSO Internal Control—Integrated

Framework and COBIT” is available free of charge at
www.isaca.org/coso-and-cobit . Additional information
about the COSO framework is at www.coso.org/ic.htm.
The COBIT 5 framework is a free download at
www.isaca.org/cobit.

14
 W In the twenty years since the inception of the
hy Make Changes?
original framework, business and operating
environments have changed dramatically,
becoming increasingly complex,
technologically driven, and global.

At the same time, stakeholders are more

engaged, seeking greater transparency and
accountability for the integrity of systems of
internal control that support business
decisions and governance of the
Source: COSO September 2012 organization

15
 Why is COSO a Suitable Model?
Management is required to base its assessment
of the effectiveness of the company's internal
control over financial reporting on a suitable,
recognized control framework established by
a body of experts that followed due-process
procedures, including the broad distribution
of the framework for public comment.

Source: SEC
16
Transition & Impact
• Users are encouraged to transition applications and
related documentation to the updated Framework as
soon as feasible
• Updated Framework will supersede original Framework
at the end of the transition period (i.e., December 15,
2014)
• During the transition period, external reporting should
disclose whether the original or updated version of the
Framework was used
17
SEC Drops New Hint: Update to
New COSO Framework
(Source: Compliance Week, November 12, 2013)

“The staff indicated the longer issuers continue

to use the 1992 framework, the more likely they
are to receive questions from the staff about whether
the issuer's use of the 1992 framework satisfies the
SEC's requirement for a suitable, recognized framework”,
especially after the Dec. 15, 2014, transition date.
18
 Why update what works – The Framework has become the
most widely adopted control framework worldwide.
Original COSO’s Internal Control–Integrated Framework (1992 Edition)
Framework

Reflect changes in Expand operations and Articulate principles to

Refresh
business & operating reporting objectives facilitate effective
Objectives
environments internal control

Enhancements Updates
Broadens Application Clarifies Requirements
Context

Updated
Framework COSO’s Internal Control–Integrated Framework (2013 Edition)

19
Project timetable
Assess & Survey Public Exposure,
Design & Build Finalize
Stakeholders Assess & Refine

2010 2011 2012 2013

20
Project participants
COSO
Board of Directors

PwC
Author &
Project Leader

COSO Advisory Council Stakeholders

• AICPA • Over 700 stakeholders in Framework

• AAA responded to global survey during 2011
• FEI • Over 200 stakeholders publically commented
• IIA on proposed updates to Framework during
• IMA first quarter of 2012
• Public Accounting Firms
• Regulatory observers (SEC, GAO, FDIC, • Over 50 stakeholders publically commented on
PCAOB) proposed updates in last quarter of 2012
• Others (IFAC, ISACA, others)

21
Project deliverable #1 – Internal Control-Integrated
Framework (2013 Edition)
• Consists of three volumes:
▫ Executive Summary
▫ Framework and Appendices
▫ Illustrative Tools for
Assessing Effectiveness of a
System of Internal Control
• Sets out:
▫ Definition of internal control
▫ Categories of objectives
▫ Components and principles
of internal control
▫ Requirements for
effectiveness
22
Project deliverable #2 – Internal Control over External
Financial Reporting: A Compendium....
• Illustrates approaches and
examples of how principles are
applied in preparing financial
statements
• Considers changes in business
and operating environments
during past two decades
• Provides examples from a
variety of entities – public,
private, not-for-profit, and
government
• Aligns with the updated
Framework
23
Update expected to increase ease of use
and broaden application…
What is not changing... What is changing...

• Core definition of internal control • Changes in business and operating

environments considered
• Three categories of objectives and
five components of internal control • Operations and reporting objectives
expanded
• Each of the five components of
internal control are required for • Fundamental concepts underlying
effective internal control five components articulated as
principles
• Important role of judgment in
designing, implementing and • Additional approaches and
conducting internal control, and in examples relevant to operations,
assessing its effectiveness compliance, and non-financial
reporting objectives added

24
Update considers changes in business
and operating environments…
Environmental changes... …have driven Framework updates

Expectations for governance oversight

Globalization of markets and operations

Changes and greater complexity in business

Demands and complexities in laws, rules,
regulations, and standards
Expectations for competencies and
accountabilities

Use of, and reliance on,

evolving technologies COSO Cube (2013 Edition)
Expectations relating to preventing and
detecting fraud
25
Update articulates principles of effective internal control
Control Environment 1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
6. Specifies suitable objectives
Risk Assessment 7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities 10. Selects and develops control activities

11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & 13. Uses relevant information

Communication 14. Communicates internally
15. Communicates externally

Monitoring Activities 16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies
26
Update describes important characteristics of principles, e.g.,

Control Environment 1. The organization demonstrates a commitment to

integrity and ethical values.

Points of Focus:
• Sets the Tone at the Top
• Establishes Standards of Conduct
• Evaluates Adherence to Standards of Conduct
• Addresses Deviations in a Timely Manner

• Points of focus may not be suitable or relevant, and others may be identified
• Points of focus may facilitate designing, implementing, and conducting internal
control
• There is no requirement to separately assess whether points of focus are in
place
27
 Update describes how various controls effect principles, e.g.,

Component Control Environment

Principle 1. The organization demonstrates a commitment to integrity and

ethical values.

Human Resources Management obtains Internal Audit

review employees’ and reviews data separately evaluates
Controls confirmations to and information Control Environment,
embedded in assess whether underlying potential considering
other standards of conduct deviations captured employee behaviors
are understood and in whistleblower hot- and whistleblower
components
adhered to by staff line to assess quality hotline results and
may effect this
across the entity of information reports thereon
principle Information &
Control Environment Communication Monitoring Activities
28
29
Control Environment 1. The organization demonstrates a commitment to
integrity and ethical values.
2. The board of directors demonstrates
independence from management and
exercises oversight of the development and
performance of internal control.

3. Management establishes, with board

oversight, structures, reporting lines, and
appropriate authorities and responsibilities in
the pursuit of objectives.
4. The organization demonstrates a commitment to
attract, develop, and retain competent individuals
in alignment with objectives.
.
30
Principle 2- Points of Focus
• Establishes oversight responsibilities
• Applies relevant expertise
• Operates independently

• Provides oversight to the system of

internal control
31
Principle 3 - Points of Focus
• Considers all structures of the entity
• Establishes reporting lines
• Defines, assigns and limits authorities
and responsibilities

32
33
 6. The organization specifies objectives with
sufficient clarity to enable the identification and
Risk Assessment assessment of risks relating to objectives.

7. The organization identifies risks to

the achievement of its objectives
across the entity and analyzes
risks as a basis for determining
how the risks should be managed.
8. The organization considers the potential for
fraud in assessing risks to the achievement of
objectives.
9. The organization identifies and assesses
changes that could significantly impact the
system of internal control.
34
Principle 7- Points of Focus
• Includes entity, subsidiary, division,
Operating unit and functional levels
• Analyzes internal and external factors
• Involves appropriate levels of
management
• Estimates significance of risks identified
• Determines how to respond to risks
35
36
Compliance “Concepts”
• Laws, rules, standards and regulations
establish minimum standards of conduct
• Compliance objectives are established
• Management consider acceptable level of
variation
• Many laws and regulations depend on external
factors, geography and industry- and at times,
size
37
38
Update considers changes in business
and operating environments…
Environmental changes... …have driven Framework updates

Expectations for governance oversight

Globalization of markets and operations

Changes and greater complexity in business

Demands and complexities in laws, rules, regulations, and

standards

Expectations for competencies and accountabilities

Use of, and reliance on,

COSO Cube (2013 Edition)
evolving technologies
Expectations relating to preventing and detecting fraud
39
 10. The organization selects and develops control
activities that contribute to the mitigation of risks
Control Activities to the achievement of objectives to acceptable
levels.

11. The organization selects

and develops general control
activities over technology to
support the achievement of
objectives.
12. The organization deploys control activities
through policies that establish what is expected
and procedures that put policies into place.

40
Principle 11- Points of Focus
• Determine dependency between the use of
technology in business processes
and technology general controls
• Establishes relevant:
– technology infrastructure control activities
–security management process control activities
–technology acquisition, development and
maintenance control activities
41
Outsourcing Alternative (page 23)

“…While in principle, the same considerations

apply whether controls are performed internally or
by an outsourced service provider, outsourcing
presents unique risks and often requires selecting
and developing additional controls over the
completeness, accuracy, validity of information
submitted to and received from the outsourced
service provider .”
42
 Information &
Communication
13. The organization obtains or
generates and uses relevant,
quality information to support
the functioning of internal
control.
14. The organization internally communicates
information, including objectives and
responsibilities for internal control, necessary to
support the functioning of internal control.
15. The organization communicates with external
parties regarding matters affecting the
functioning of internal control.
43
Principle 13- Points of Focus

• Identifies information requirements

• Captures internal and external sources of
data
• Processes relevant data into information
• Maintains quality throughout processing
• Considers costs and benefits
44
• Effective internal control provides reasonable assurance
regarding the achievement of objectives and requires that:
– Each component and each relevant principle is present and functioning
– The five components are operating together in an integrated manner

• Each principle is suitable to all entities; all principles are presumed

relevant except in rare situations where management determines that a
principle is not relevant to a component (e.g., governance, technology)

• Components operate together when all components are present

and functioning and internal control deficiencies aggregated across
components do not result in one or more major deficiencies

• A major deficiency represents an internal control deficiency or

combination thereof that severely reduces the likelihood that an entity can
achieve its objectives

45
 does not prescribe controls to be
• The Framework
selected, developed, and deployed for effective internal
control

• An organization’sselection of controls to effect relevant principles

and associated components is a function of management
judgment based on factors unique to the entity
• A major deficiency in a component or principle
cannot be mitigated to an acceptable level by the presence and
functioning of other components and principles

• However, understanding and considering how

controls effect
multiple principles can provide persuasive evidence
supporting management’s assessment of whether components and relevant
principles are present and functioning
46
• Selecting, developing, and deploying controls to effect
multiple principles may also reduce the number of
discrete, layered-on controls.
• Applying an integrated approach to internal control -
encompassing operations, reporting, and compliance –
may lessen complexity.
• In assessing severity of internal control
deficiencies, use only the relevant
classification criteria as set out in the
Framework or by regulators, standard-
setting bodies, and other relevant third
parties, as appropriate (pages 20 and 21). 47
COSO Can Help ALL Organizations!

48
Getting COSO Publications
The updated Framework and related Illustrative
documents are available in 3 layouts
1. E-book – This layout is ideally suited for those wanting access in
electronic format for tablet use. An e-book reader from the AICPA is
required to view this layout. Printing is restricted in this layout.
• Purchase through www.cpa2biz.com
2. Paper-bound – This layout is ideally suited for those wanting a
hard copy.
• Purchase through www.cpa2biz.com
3. PDF – This layout is ideally suited for organizations interested in
licensing multiple copies.
• Contact the AICPA at [email protected] 49
Internal Control–Integrated Framework

A Suitable Model for ALL

50
Working to Improve
Organizations…Together

51
52
Thank You !

53