COSO's NEW 2013 Framework & Third Party Analysis Compliance Made Simple ©
Nov 13, 2014
Agenda
Why did it change?
What’s Actually Changing?
Areas of the new framework impacting third party vendors
Key influences behind the updated framework
Social media and its impact on business processes, relationships and growth strategies were not foreseen factors.
Fact: 92% of all companies use social media tools to recruit, according to the 2012 Jobvite Social Recruitment survey.
Cloud Computing - Adoption
Cloud adoption continued to rise in 2013, with 75% of those surveyed reporting the use of some sort of cloud platform – up from 67% last year! (a)
(a) 2013 third annual Future of Cloud Computing Survey
How We See Framework Changes?
1992 COSO: “Good”
ERM 2004 / Small COSO 2006: “Better” (20 Principles, 76 Attributes)
2013 COSO: “BEST” (17 Principles, 87 Attributes)
Grouping “Better to BEST”
Grouping from “Better to BEST” (Cont.)
What’s been provided by COSO?
• Executive Summary — high-level overview
• Framework and Appendices — the new Framework’s seventeen principles, illustrating many approaches
• Illustrative Tools for Assessing a System of Internal Control (Tools) — the Tools provide illustrative templates
• Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples — this publication is for SOX
COSO Monitoring Guidance
Volume 3 does a better job of explaining how to evaluate third party providers and ties to the new 2013 COSO Framework.
Implementation – what does COSO say?
• COSO’s press release, March 20, 2013: “it will continue to make available the original framework during the transition period extending to December 15, 2014, after which time COSO will consider it as having been superseded.”
“continued use of the original framework during the transition period (May 14, 2013 to December 15, 2014) is appropriate. During that period, the Board believes that application of its Internal Control-Integrated Framework that involves external reporting should clearly disclose whether the original or 2013 version was utilized.”
Source: www.coso.org
Implementation - what does SEC say?
• SEC’s remarks at the 32nd Annual SEC and Financial Reporting Institute Conference, by Paul Beswick, Chief Accountant, Office of the Chief Accountant, U.S. Securities and Exchange Commission:
“SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. However, at this time, I’ll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition.”
Source: www.SEC.gov
Polling Question
Who’s implementing the new framework in 2014?
What “holds” a principle UP!
Principle: held up by its “Points of Focus”
Looking at Third Party Service Providers and New COSO
Example for Vol #3 “Illustrative Tools for Assessing Effectiveness of a System of Internal Control”
Company Background:
1. Private Company
2. $200 Million in Annual Revenue in Western US
3. Board is comprised of family members and a number of business professionals with significant experience
4. Internal Audit Dir. with over 15 yrs. exp.
CE – Quick Review (Principle #3)
Principle 3: Establishes Structure, Authority, and Responsibility — Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Points of Focus: 3
Points of Focus – Quick Review
• Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
• Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
• Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization:
– Board of Directors — Retains authority over significant decisions and reviews management’s assignments and limitations of authorities and responsibilities
– Senior Management — Establishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities
– Management — Guides and facilitates the execution of senior management directives within the entity and its subunits
– Personnel — Understands the entity’s standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives
– Outsourced Service Providers — Adheres to management’s definition of the scope of authority and responsibility for all non-employees engaged
Fast Forward: What did they find?
Page 76: “CE 3-1: Management has defined and the board of directors has signed off on the company’s structures, reporting lines and authorities and responsibilities. However the business model has since evolved to encompass business partners, outsourced service providers, and new product lines that new or different oversight and control structures are needed. Internal control weaknesses relating to this new dimension of the business could therefore be missed and cause the company to fall short of meeting its internal financial reporting objectives.”
So how bad is this? (Polling)
• MWSD – Mod
• CD – Low
Answer – Vol. #3
• Page 76: “This IC deficiency is important, but does not rise to the level of a major deficiency. Currently the business structure changes affect a relatively small portion of the entity”
What would be helpful?
IT Assessments
COSO wants more “benchmarking” based on its 2012 cloud computing guidance (pages 8 to 16 for the expert auditor to read).
• Control Env. – Pr #3 (attributes 1 & 3) (page 34 of ICEFR Compendium)
• Control Act. (pages 85–86 of ICEFR Compendium)
Cloud Computing and COSO Framework
Despite the security concerns, only 29% of organizations report conducting a heavy review of their cloud service provider’s security policies, procedures and capabilities.
Source: CompTIA’s IT Industry Outlook 2012 Survey
Example of Risk Assessment and Third Parties
• RA 9-1: Some Operations Personnel do not possess the necessary skills to identify the risks associated with the new technology.
SO HOW BAD IS THIS?
Answer (page 96, Vol. 3)
• CD – Compensating control was linked to Management’s annual risk assessment process.
New CLOUD BOD & C-Level responsibilities by COSO
Impact AICPA Audit Committee ToolKit
(Tool #19 “Enterprise Risk Management: A Tool for Strategic Oversight”)
Third Party Control Language
Good v. Bad Control Language
Older Language (“Bad”): Quarterly, the CFO reviews the valuation analysis provided by ABC Firm, in which the CFO determines if there is an impairment on Goodwill, and signs and dates the “Valuation Report” verifying his review process.
Updated Control (“Better”): Quarterly, the CFO provides ABC Firm the quarter-ended “unadjusted Trial Balance” (which typically does not contain tax provision amounts) and the forecasted revenue line items by geographical location and product line, submitted via email to the ABC Partner and Senior Manager. Questions to confirm understanding of the assumptions behind the forecasted revenue items are submitted via email, and corrections/adjustments to the forecast are made by the CFO and resubmitted to ABC Firm. ABC Firm prepares the valuation report and assists management in determining if adjustments are required to Goodwill. Both the valuation report and any adjustments (e.g., J/E) are signed and dated by the CFO.
So what happens in testing?
BEFORE: Review initials – DONE!
AFTER (Public Company) – Layered testing:
#1 – Initials
#2 – Key reports review (completeness/accuracy)
#3 – Analysis (recomputed assumptions, interviews with 3rd party, and/or validate summary)
Third Party Control Language
Good v. Bad Control Language
Older Language (“Bad”): Annually, the CFO reviews the SOC reports provided by the payroll service provider and checks the report for an adverse opinion; if there is none, he creates a memo documenting his steps to analyze the conclusion and the end-user responsibilities, to ensure the organization has met those requirements.
Updated Control (“Better”): Annually, the CFO reviews the SOC (Type 1, 2, etc.) reports from ADP and creates a memo documenting his review procedures, which include: a) opinion/conclusion review; b) end-user assessment; c) failures in the report and what management has determined is its risk response to such failures.
COSO Health Check – On Your Own
Free Tool: Evaluation of 87 Attributes – go to www.AvivaSpectrum.com/Blog
Included:
1) Introduction
2) Overall Assessment
3) Components (167 rows of data)
4) Principles w/ Attr. (386 rows of data)
5) Deficiencies
Quick Glance
1. Must abide by internal PnP/Memo
2. IT – Different from Financial controls
3. Evaluation tools based on standards (IIA such as GAIT or other publications and state source)
Implementation Resources
Join the COSO 2013 LinkedIn Group for FREE templates and advice, and learn from others implementing this new framework.
COSO 2013 Implementation: http://www.linkedin.com/groups/2013-COSO-Implementation-4888186/about
Contact Information
Sonia Luna, President, CEO
Sonia.Luna@AvivaSpectrum.com
700 S. Flower Street #1100, Los Angeles, CA 90017
P: (213) 250-5700