COSO Changes Coming in 2014

An overview of COSO's 2013 update to the Internal Control - Integrated Framework

January 7, 2014

www.eidebailly.com

Agenda

Overview of updated 2013 COSO Internal Controls Integrated Framework

Principles & Points of Focus supporting the Five Components

Transitioning to the 2013 Framework

Other Considerations

Overview of COSO IC-IF

Internal Control - Integrated Framework (ICIF)

Originally released in 1992

Updated in May 2013, including three companion documents

Authored by PwC under direction of COSO Board

Committee Of Sponsoring Organizations of the Treadway Commission

COSO 2013 update

Updated Internal Control - Integrated Framework issued on May 14, 2013

Companion documents include:

Internal Control - Integrated Framework Executive Summary

Illustrative Tools for Assessing Effectiveness of a System of Internal Controls

Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Transition Date: December 15, 2014

2013 update: What's new?

Expands operations and reporting objectives

Codification of 17 principles supporting the five components

Points of Focus to help identify and evaluate 17 principles

Addresses increased relevance and dependence on IT

Increased guidance on fraud risk assessment and responses

Updated for changes in business and operating environments

2013 update: What's the same?

Core definition of internal controls

Objectives: Operations, Reporting & Compliance

Five components of internal controls: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring

Role judgment plays in design, implementation, operation and assessment of internal controls

17 Codified Principles

Internal Control Objectives

Operations: relate to the achievement of an entity's basic mission and vision - operational . . . financial performance, productivity . . . and includes safeguarding of assets against loss ('92 framework - effectiveness and efficiency of the entity's operations, including performance and profitability goals and safeguarding resources against loss)

Reporting: pertains to the preparation of reports for use by organizations and stakeholders and may relate to financial and non-financial reporting . . . External reporting objectives are driven primarily by regulations and/or standards established by regulators and standard-setting bodies . . . ('92 framework was known as Financial Reporting objective - preparation of reliable published financial statements, including prevention of fraudulent public financial reporting)

Compliance: conduct activities, and often take specific actions, in accordance with applicable laws and regulations . . . understanding which laws, rules and regulations apply across the entity ('92 framework - pertains to adherence to laws and regulations to which the entity is subject)

Principles & Points of Focus: Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. . . The control environment comprises the integrity and ethical values of the organization . . . enabling the board of directors to carry out its oversight responsibilities . . . structure and assignment of authority and responsibility . . . attracting, developing, and retaining competent individuals . . . rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.

1. Organization demonstrates a commitment to integrity and ethical values

Points of focus: Tone at the Top; Establishes Standards of Conduct; Evaluates adherence to Standards of Conduct; Addresses deviations in a timely manner

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control

Points of focus: Establishes oversight responsibilities; Applies relevant expertise; Operates independently; Provides oversight for the system of internal control

Principles & Points of Focus: Control Environment Continued

3. Management establishes, with Board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives

Points of focus: Considers all structures of the entity; Establishes reporting lines; Defines, assigns and limits authorities and responsibilities

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives

Points of focus: Establishes policies and practices; Evaluates competence and addresses shortcomings; Attracts, develops and retains individuals; Plans and prepares for succession

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives

Points of focus: Enforces accountability through structures, authorities, and responsibilities; Establishes performance measures, incentives and rewards; Evaluates performance measures

Principles & Points of Focus: Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

Operations Objective: Reflects Management's Choices; Considers Tolerances for Risk; Includes Operations and Financial Performance Goals; Forms a Basis for Committing of Resources

Note: For Principle 6 related to Risk Assessment, there are different Points of Focus for each of five specific objectives: Operations Objectives, External Financial Reporting Objectives, External Non-Financial Reporting Objectives, Internal Reporting Objectives, Compliance Objectives

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

External Financial Reporting Objective: Complies with applicable accounting standards; Considers Materiality; Reflects entity activities

Principles & Points of Focus: Risk Assessment Continued

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed

Points of focus: Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels; Analyzes Internal and External Factors; Involves Appropriate Levels of Management; Estimates Significance of Risks Identified; Determines How to Respond to Risks

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives

Points of focus: Considers Various Types of Fraud; Assesses Incentive and Pressures; Assesses Opportunities; Assesses Attitudes and Rationalizations

9. The organization identifies and assesses changes that could significantly impact the system of internal control

Points of focus: Assesses Changes in the External Environment; Assesses Changes in the Business Model; Assesses Changes in Leadership

Principles & Points of Focus: Control Activities

Control activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may . . . encompass a range . . . of activities . . . Where segregation of duties is not practical, management selects and develops alternative control activities.

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels

Points of focus: Integrates with Risk Assessment; Considers Entity-Specific Factors; Determines Relevant Business Processes; Evaluates a Mix of Control Activity Types; Considers at What Level Activities Are Applied; Addresses Segregation of Duties

Principles & Points of Focus: Control Activities Continued

11. The organization selects and develops general control activities over technology to support the achievement of objectives

Points of focus: Determines Dependency between the Use of Technology in Business Processes and Technology General Controls; Establishes Relevant Technology Infrastructure Control Activities; Establishes Relevant Security Management Process Control Activities; Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action

Points of focus: Establishes Policies and Procedures to Support Deployment of Management's Directives; Establishes Responsibility and Accountability for Executing Policies and Procedures; Performs in a Timely Manner; Takes Corrective Action; Performs Using Competent Personnel; Reassesses Policies and Procedures

Principles & Points of Focus: Information & Communication

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control

Points of focus: Identifies Information Requirements; Captures Internal and External Sources of Data; Processes Relevant Data into Information; Maintains Quality throughout Processing; Considers Costs and Benefits

Principles & Points of Focus: Information & Communication Continued

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control

Points of focus: Communicates Internal Control Information; Communicates with the Board of Directors; Provides Separate Communication Lines; Selects Relevant Method of Communication

15. The organization communicates with external parties regarding matters affecting the functioning of internal control

Points of focus: Communicates to External Parties; Enables Inbound Communication; Communicates with the Board of Directors; Provides Separate Communication Lines

Principles & Points of Focus: Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning

Points of focus: Considers a Mix of Ongoing and Separate Evaluations; Considers Rate of Change; Establishes Baseline Understanding; Uses Knowledgeable Personnel; Integrates with Business Processes; Adjusts Scope and Frequency; Objectively Evaluates

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate

Points of focus: Assesses Results; Communicates Deficiencies; Monitors Corrective Actions

Transition to 2013 Framework

Transition to the 2013 Framework, 1992 Framework to be superseded on December 15, 2014

COSO issued transition document "The 2013 Framework & SOX Compliance: One Approach to an Effective Transition" by Stephen McNally, CPA

SEC implications in transitioning to the 2013 Framework

Developing a transition plan, documentation & other considerations

COSO Guidance on Transition

The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition

By Stephen McNally, CPA

Develop Awareness, Expertise and Alignment: Timeless concepts, Expanded reporting, Codified principles

Conduct Preliminary Impact Assessment: Evaluate existing system, leverage existing documentation, identify gaps

Facilitate Broad Awareness: Engage broader organization, educate & build awareness, leverage key stakeholders

Develop & Execute Transition Plan for SOX Compliance: Documentation & evaluation, testing, gap remediation, external review & testing

Drive Continuous Improvement: Tone at the top, culture & processes, improve reporting & communication

SEC Reporting Implications

"I understand that COSO intends to supersede their 1992 Framework . . . we expect there will be questions about whether the SEC will provide management with any transition or implementation. . . SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. . . I'll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition."

Paul Beswick, Chief Accountant, SEC

SEC definition of internal control over financial reporting has NOT changed.

Material weakness (SEC/PCAOB) vs major deficiency (COSO)

Disclosures: framework used for assessment and plan for transition

SEC Reporting implications continued

Regulation 13a-15(f) defines internal controls over financial reporting as:

A process . . . To provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external reporting purposes in accordance with GAAP . . .

Policies and procedures must:

Maintain records in reasonable detail that accurately and fairly reflect the transactions and dispositions of the assets of the issuer

Ensure receipts and expenditures of the issuer are made only in accordance with authorizations of management and directors, and

Provide reasonable assurance regarding prevention or timely detection of the unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.

Transition plan

High level assessment and implications of adopting 2013 Framework ASAP

Determine the impact at the Entity, Division, Operating and Functional levels across the organization

Identify key stakeholders and decision makers associated with the organization's Internal Controls (specifically over Financial Reporting)

Leverage existing processes, procedures and documentation

Develop a transition plan: Responsibilities and expectations, Timeline, Reporting and communication, Opportunities and benefits

Documentation

Documentation of the organization's system of internal controls

Provides evidentiary support regarding design and operating effectiveness

Allows for ongoing monitoring and communication

Basis for management's assessment

Support for third parties (Shareholders, Regulators, External Auditors)

Responsibility and accountability

Training and consistency

Other Considerations

Organizational objectives related to risk, operations, controls, and reporting

Use of third-party service providers and SaaS

Size and scope of entity, subsidiaries, foreign operations

Judgment regarding internal controls, specifically over External Financial reporting

Costs and benefits of internal controls

Limitations of internal controls

Companion documents

Executive Summary

Illustrative Tools for Assessing Effectiveness of a System of Internal Controls

Templates & scenarios

Do not modify existing framework

Internal Controls over External Financial Reporting: A Compendium of Approaches and Examples

Examples of how principles apply to External Financial Reporting

Illustrate design and implementation for any size entity

Demonstrate how Points of Focus support principles

References & Links

COSO references & links

The 2013 COSO Framework & SOX Compliance: One Approach to an Effective Transition
http://www.coso.org/documents/COSO%20McNallyTransition%20Article-Final%20COSO%20Version%20Proof_5-31-13.pdf

Executive Summary, 2013 Internal Control - Integrated Framework
http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf

The complete updated 2013 IC-IF compendium is available through the AICPA, Ebook member price $216
http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/InternalControls/COSO/PRDOVR~PC-990027/PC-990027.jsp

SEC references & links

Remarks at the 32nd Annual SEC and Financial Reporting Institute Conference, Paul Beswick, Chief Accountant, U.S. Securities and Exchange Commission
http://www.sec.gov/News/Speech/Detail/Speech/1365171575494

Jeff Lliteras, CPA
Consulting Services Manager
Eide Bailly LLP
877 W. Main Street, Suite 800
Boise, ID 83702
208.424.3528
jlliteras@eidebailly
