IMA Annual Event LA 2015 Brad Monterio and Liv Watson 23 jun15

BUILDING TRUST IN <IR>: APPLYING THE COSO FRAMEWORK & UNDERSTANDING KEY RELATED ISSUES

IMA 2015 ANNUAL CONFERENCE
LOS ANGELES, CA
JUNE 23, 2015

BRAD MONTERIO, COLCOMGROUP, INC.
LIV WATSON, WORKIVA, INC.



AGENDA

• CONTEXT
• WHAT WE WANT
• WHAT WE HAVE
• HOW WE GOT HERE: COSO & RELATED DRIVERS/ISSUES
• PATHWAY TO THE SOLUTION


CONTEXT


INTEGRATED REPORTING

A process founded on integrated thinking that results in a periodic integrated report by an organization about value creation over time and related communications regarding aspects of value creation.

INTEGRATED REPORT

An integrated report is a concise communication about how an organization’s strategy, governance, performance and prospects, in the context of its external environment, lead to the creation of value in the short, medium and long term.

INTEGRATED THINKING

Integrated Thinking is the active consideration by an organization of the relationships between its operating/functional units and the capitals it uses or affects. It leads to integrated decision-making and actions that consider the creation of value over the short, medium and long term.

“Data must be accurate, reliable and timely for meaningful, trustworthy reporting. Equally robust internal controls and monitoring are essential for both financial and non-financial information in order for integrated thinking to be effective and integrated reporting to be trusted.”

Liv Watson and Brad Monterio


WHAT WE WANT


• TRUST
• RELIABLE INFORMATION
• MEANINGFUL PICTURE


WHAT BUILDS TRUST?

• Transparency
• Data with lineage
• Having access to information
• Timely information
• Complete/comprehensive information
• Relevant information
• Valid/Accurate data
• Accurate/Quality information
• Authentic information
• Robust internal controls
• Independent assurance


WHAT WE HAVE


WHAT WE HAVE: CRISIS OF TRUST

• Inaccurate, incomplete information
• Poor audit quality (PCAOB)
• Unclear oversight authority
• Patchwork quilt of frameworks and standards without clear leader
• Data definition problems
• Lack of good data governance
• Inconsistent information, formats, disclosures
• Lack of data connectivity and lineage
• Unclear materiality standard
• Lack of non-financial controls
• Inadequate monitoring


REALITY TODAY

• Differing views and perspectives – no complete picture
• Inconsistent approaches
• Lack of agreement
• Inaccurate


HOW WE GOT HERE: COSO & RELATED DRIVERS/ISSUES


THE NEED FOR MATERIAL INFORMATION


COSO & MATERIALITY

The materiality determination process for the purpose of preparing and presenting an integrated report involves:

• Identifying relevant matters based on their ability to affect value creation
• Evaluating the importance of relevant matters in terms of their known or potential effect on value creation
• Prioritizing the matters based on their relative importance
• Determining the information to disclose about material matters

COSO's Internal Controls are put in place based on the materiality (impact) of a risk on the organization and the perceived likelihood (probability) that the risk would be realized if nothing was done.


FINANCIAL INFORMATION: LOWER RISK

• Long history in corporate reporting
• Established, uniform reporting standards
• Established oversight bodies
• Established quality control
• Established internal controls and monitoring (e.g., COSO)
• Well understood systems and processes – highly automated
• Heavily structured
• Mature assurance standard
• Solid, broad market acceptance and credibility – trusted

NON-FINANCIAL INFORMATION: HIGHER RISK

• Short history in corporate reporting
• Lack of uniform reporting standards
• Lack of clear oversight responsibility – patchwork of competing frameworks
• Lack of strong quality control
• Internal controls and monitoring not well understood (e.g., No COSO yet)
• Mix of systems and processes to gather/store information – not highly automated; many manual processes
• Immature assurance standard
• Often not assured
• Narrow market acceptance – not well trusted


Evidence Management


COSO OVERVIEW

Source: www.coso.org/governance.htm


COSO ERM

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.


• Barclays PLC Annual Report 2014 (PDF - 4.92MB)
• Barclays Bank PLC Annual Report 2014 (PDF - 4.53MB)
• Barclays PLC Strategic Report 2014 (PDF - 2.27MB)
• Barclays PLC Pillar 3 Disclosures 2014 (PDF - 1.31MB)
• Barclays PLC Pillar 3 Disclosures - Terms and Conditions of Capital Resources 2014 (PDF - 0.4MB)
• Barclays PLC Form 20-F 2014 (PDF - 7.28MB)
• Barclays PLC Citizenship Data Supplement 2014 (PDF - 1.63MB)
• Glossary (PDF - 0.17MB)

Volume Data


COSO Component & Principle (example)

Component: Control Environment
Principle 1: Demonstrates commitment to integrity and ethical values

Objectives

Demonstrate ethical values of the organization by ensuring the integrity of the integrated reporting process, the report(s) and the culture of integrated thinking and incorporating into the company ‘story.’

Develop, nurture and maintain an ethical, collaborative culture of integrated thinking by consistent actions and commitment to these values at all levels of the organization.

Integrate non-financial key performance indicators (KPIs) exemplifying ethical values and integrity into internal and external reporting.

All persons at all levels must be held accountable for deviations from these core expectations in order for these to become a part of the organizational integrated-thinking culture.

Example of Measures and Controls

• Written and communicated organization’s commitment towards collaborative, integrated thinking and <IR> and their importance in value creation.

• Define and communicate the ethical/integrity expectations of all employees via a Code of Conduct, Employee Handbook, policies and procedures.

• Integrate non-financial key performance indicators (KPIs) exemplifying ethical values and integrity into internal and external reporting.

• Include narrative and illustrative examples about ethical commitment of employees in the integrated report.


COSO Component & Principle (example)

Component: Risk Assessment
Principle 6: Specifies suitable objectives.

Objectives

Set ‘tone at the top’ - board of directors’ and/or executive management sets both financial and non-financial objectives to link strategy to business model and value creation.

Specify clearly defined non-financial objectives in order to facilitate identification of material risks.

Define reporting boundary, identify risks, opportunities and outcomes attributable to or associated with stakeholders that impact the ability of the organization to create value. Define the concept of the reporting boundary based on principles of risk and materiality.

Example of Measures and Controls

• Documentation and Identification of material, non-financial issues - good and bad - that is supported by a robust materiality assessment (e.g., through a materiality matrix) that measures impact on strategy and business objectives.

• Definition of concise, material non-financial objectives that are actionable and have measurable targets and timelines.

• Documented materiality assessment process

• Documented materiality assessment results using a comprehensive set of non-financial measures (both negative and positive) along the entire value chain that analyzes impact on business objectives.

• Engagement of and communication mechanism with external stakeholders in the process to identify issues and potential risks.


COSO Component & Principle (example)

Component: Control Activities
Principle 10: Selects and develops control and monitoring activities

Objectives

Define control and monitoring activities that help to mitigate risks related to non-financial and financial reporting around processes, systems, and data.

Ensure reliability, accuracy and utility of non-financial and financial information through robust internal control and monitoring systems, effective stakeholder engagement feedback mechanisms, internal audit or similar functions, and independent/external assurance.

Example of Measures and Controls

• Documented data governance policies, controls and monitoring activities for non-financial and financial information covering data creation, access, collection, transfer and consolidation processes for <IR>.

• Assumptions and information sources are documented and managed with defined controls and monitoring processes to reduce risk of material misstatement to acceptable level.

• Data governance policies communicated to all employees.

• Processes around non-financial and financial information segregated to mitigate risk of errors


COSO Component & Principle

Component: Information and Communication
Principle 13: Uses relevant information

Objectives

Establish connectivity between financial and non-financial information to meet internal control and monitoring requirements and enhance overall reliability/quality of the integrated report for providers of capital and other stakeholders.

Define the level of internal controls required to ensure delivery of relevant, comparable information to providers of capital and other stakeholders.

Include and define financial and non-financial information material to providers of capital and other stakeholders.

Produce an integrated report that is logically structured, well presented, written in clear, understandable and jargon-free language, and includes effective navigation devices, such as clearly delineated (i.e., linked) sections and cross-referencing.

Example of Measures and Controls

• Documentation of strategy, business model and flow of capitals throughout as inputs/outputs and linked to value creation story.

• Description of stakeholder engagement mechanisms and processes along with summary of feedback to determine material information.

• Established communication mechanisms to share relevant, comparable disclosures with stakeholders (internal and external) in usable, reliable formats and on a timely basis.

• Non-financial and financial KPIs are reported and reviewed on a regular basis in accordance with a defined materiality assessment process.


COSO Component & Principle

Component: Monitoring Activities
Principle 16: Conducts ongoing and/or separate evaluations

Objectives

Non-financial/financial reporting and controlling processes are monitored on a regular basis to identify improvement opportunities.

Financial and non-financial reporting and controlling processes align with generally accepted external market best practices, frameworks and/or standards (e.g., US GAAP, IFRS, <IR>, COSO).

The integrated report is independently verified and assured by an external third party.

Example of Measures and Controls

• Controls and monitoring around integrated reporting regularly reviewed and assessed for effectiveness and updating.

• Continuous monitoring and analysis of the external environment in the context of the organization’s mission/vision identifies risks and opportunities relevant to its strategy, capitals, business model, impacts and ability to create value.

• Independent assurance (i.e., from external auditors) provided for financial and non-financial information in the integrated report according to generally accepted assurance standards.


ASSURANCE & <IR>

Integrated assurance role can be achieved via different types of engagements such as:

• Assurance on the "Due Process" of an integrated report

• A focus on governance, risk management and control processes supporting the main objectives of integrated thinking and reporting

• Independent assurance on the reliability of the facts and figures included in the report

• The existence of an integrated thinking culture within the organization


AUDIT QUALITY & <IR>

In the 2012 inspection year (reported in the 2013 inspection report), of the 849 separate audits performed by the Big 4 that were inspected by the PCAOB, over 300 were found to have deficiencies.

Compliance Week 2014 Audit Committee Report

"...Overall, 39% of audits inspected in the latest evaluations of the Big Four firms were found to have deficiencies, compared with 37% the previous year"

WSJ, October 23, 2014

Of the specific issues noted by the PCAOB in their inspections of one of the Big 4 firms, deficiencies related to internal controls (ICFR) were the most commonly cited issue over the last 3 years.

Compliance Week 2014 Audit Committee Report


PATHWAY TO THE SOLUTION


ROLE OF MGT ACCOUNTANTS


YOUR ROLE AS A MGT. ACCOUNTANT

1. Contribute to the collaborative, Integrated Thinking culture and “tone at the top”

2. Establish guidance on shared rules facilitating consistency and comparability

3. Establish proper “governance structure” that defines the roles within your team

4. Establish a broad view of all the capitals needed and available for value creation

5. Anticipate internal/external reporting requirements and establish data governance policy and collection processes

6. Define and document internal control functions across the enterprise

7. Establish policies and engagement strategies with providers of capital and other stakeholders

8. Work with internal audit to clarify the expectations regarding internal audit activities by establishing: (1) Functions that own and manage risk, (2) Functions that oversee risk, and (3) Functions that provide independent, integrated assurance

9. Establish and review controls (including continuous monitoring)

10. Establish benchmarks against other organizations within/outside your industry


SOME CHALLENGES YOU MAY ENCOUNTER…

Few corporations are voluntarily going to disclose the actual facts about their environmental and social impacts when they can selectively 'dress up' generalized information and trends as indicators of Integrated Reporting “performance.”

The most valuable and significant non-financial information is under their control - they will want to hold it under 'lock and key' until legally required to disclose it.


Brad Monterio
Managing Director, Colcomgroup, Inc.
Board Member, [email protected]

Liv Watson
Director, Strategic Customer Initiatives
Founder of [email protected]