8/17/2019 PCAOB Inspections Themes
Introductions
Matt Mabel – Senior Manager, Advisory Services – Risk Assurance.
Eleventh year in public accounting. Serves several Fortune 1000 public
companies based out of Arizona. Participated in PCAOB and internal
quality inspections and led several internal quality initiatives.
Diana Gomes – Manager, Assurance Services. Seventh year in public
accounting. Serves multiple public companies based out of Arizona.
Participated in PCAOB and internal quality inspections.
Shirley Karnos – Manager, Advisory Services – Risk Assurance.
Second year in public accounting and ninth year in professional services.
Serves multiple public companies based out of Arizona. Participated in
internal quality inspections.
PCAOB Inspection Themes
Agenda
► Overview of PCAOB, inspection process, and recent
results
► Recent IT-related PCAOB inspect
► Better understanding flows of transactions, IT interfaces, and considering all IT risks
► Testing management’s controls over electronic audit evidence
► Testing precision of review controls
► Evaluating controls over service providers (SOC reports)
► Transition to COSO 2013
Overview of PCAOB, inspection process, and recent results
► The Public Company Accounting Oversight Board (PCAOB) is a private-
sector, nonprofit corporation created by the Sarbanes–Oxley Act of 2002 to
oversee the audits of public companies and other issuers in order to protect
the interests of investors and further the public interest in the preparation of
informative, accurate and independent audit reports.
► The PCAOB audits “Big 4” accounting firms in calendar Q2 and Q3 each year, and other public accounting firms in Q4. The inspection typically consists of
review of audit documentation over internal controls and substantive audit
testing over selected high risk/focus areas. The inspections typically require
1-2 weeks of on-site fieldwork. Comments can be verbal, written (does not
appear in report) or audit deficiencies (appears in public report).
► EY’s last publicly available inspection report (which covered the results of reviews of 2012 audits) was released on 8/14/14
► The PCAOB inspected 56 audits of public companies during 2013
► 28 issuers had audit deficiencies that appeared in the report, 27 of which
(48% of inspections) had comments related to ICFR
IT-related PCAOB inspection themes
Flows of transactions, IT interfaces, and considering all IT risks
PCAOB inspection theme
► There have been instances in inspections in which teams have identified ineffective ITGCs over in-scope IT
systems or have not scoped in key IT systems that
process transactions within significant accounts.
► In these instances, some teams attempted to identify and test business process controls that address the risk of an
ineffective IT system, but were unable to identify and test
enough controls, specifically front-end prevent controls
around initiation, to sufficiently address the risks.
► Inspectors have challenged our conclusions that ineffective
ITGCs did not result in a significant deficiency or material
weakness, particularly when ineffective ITGCs have existed
for more than one year.
Common IT risks that need to be considered within significant financial processes
► Unauthorized initiation/authorization of transactions
► Lack of segregation of incompatible duties
► Reliance on IT applications or programs that are
inaccurately processing data
► Potential for errors and fraud within IT applications
► Inappropriate dependence on the results of computer
processing
► Lack of transaction trails or loss of data
System interface diagrams
A system interface flow chart gives a pictorial representation of the systems that support significant business processes, including how data
flows from system to system.
System Interface flow charts provide the reader with a quick
understanding that can help us to:
► assess the complexity of the IT environment
► identify where application interface controls should exist (or where control
gaps do exist)
► understand the inputs/outputs from systems
► understand the types of electronic audit evidence generated
► understand applications and tools supporting significant processes
Example system interface diagram
[Figure: example system interface diagram. Labelled elements: E2, Hyperion HFM, FRP, EMP, Accurate NXG, Financial Statements, Caesar, CASH, CDS, CIMS, GEAC, Pep+, TMS, CDE, OCRA, Policy Administrative Systems, Treasury, Customer Online, Check Requests, Cost allocation files, Payroll Files; interfaces lettered A through N.]
A systems interface diagram is a key source of information used to understand a complex and highly automated IT environment
Testing management’s controls over electronic audit evidence
PCAOB inspection theme
► Not identifying and testing Issuer controls (either ITGC or business process controls) to assess the completeness and accuracy of
system-generated data and reports -- electronic audit evidence or
“EAE” -- used in the performance of a control
► Not testing completeness and accuracy of system generated data
used to select control testing samples or to support our reliance for substantive tests
► Not testing IT general controls over all applications that produce
system-generated data or reports used in the performance of a
control or in our substantive tests
► Not testing appropriate controls over end-user computing solutions
used in performance of controls
Increased focus on issuer controls over EAE used in performance of controls
► Auditor needs to better consider whether the specific system-
generated data or report is considered and tested within
IT general control testing
► Report changes need to be considered within change
management testing
► Controls over access and changes to reporting tools (e.g.,
Hyperion HFM, Cognos, data warehouses) need to be considered
► Auditor needs to better consider controls that issuer has in
place over completeness and accuracy of underlying data
► Auditor needs to better consider if system-generated data
or reports used in performance of controls are subject to
manual change, and if so, whether the proper controls are in place
An example of audit documentation of EAE
Better documentation
Management has designed and implemented the following controls to support the completeness and accuracy of the PPV
report:
• Business process controls - Ctrl # INV # 3.1, 3.4, 3.7; P&P #
4.1, 4.2, 4.7. We walked through and evaluated the design of the controls at B01, B03 and B04, respectively.
• Changes to the PPV report are subject to the entity’s ITGCs and the completeness and accuracy of the report is
programmed within the Inventory application. We evaluated these controls by inspecting the underlying query used to
generate the report and by clerically testing the accuracy of the PPV report, w/o/e (refer to B03).
• Effective ITGCs over the Inventory application that maintains
the PPV report and processes the underlying data. We evaluated the ITGCs over the Inventory application at IT01 —
IT03 w/ps.
Controls over the completeness and accuracy of the underlying data
Controls over the completeness and accuracy of the report
Controls that support the continued integrity of the data and system processing
Data and reports supporting the performance of internal controls
Control: The allowance for doubtful accounts reserve calculation is reviewed by the accounts receivable manager on a monthly basis.
[Figure: data-flow diagram with the elements Sales and trade receivables, Cash receipts, A/R subledger, Application, A/R aging report, and Analysis prepared by the credit manager.]
Step #2: Is the data or report generated by an in-scope application?
[Figure: the data-flow diagram (Sales and trade receivables, Cash receipts, A/R subledger, A/R aging report), annotated: Application: Great Plains; Analysis prepared by the credit manager: Excel.]
Step #3: Are ITGCs over the application or end user computing solution that generated the data or report effective?
[Figure: the data-flow diagram (Sales and trade receivables, Cash receipts, A/R subledger, A/R aging report), annotated: Application: Great Plains - YES; Analysis prepared by the credit manager: Excel - NO.]
Step #4: Have we tested specific controls over the completeness and accuracy of the underlying data? Are the controls effective?
[Figure: the data-flow diagram (A/R subledger, A/R aging report; Application: Great Plains; Analysis prepared by the credit manager: Excel), annotated: Cash receipts - YES; Sales and trade receivables - YES.]
Step #5: Is data or report subject to manual change?
[Figure: the data-flow diagram (Sales and trade receivables, Cash receipts, A/R subledger; Application: Great Plains), annotated: A/R aging report - NO; Analysis prepared by the credit manager: Excel - YES.]
Data and reports supporting the performance of internal controls
► Extent of identification and testing of controls over key data and reports depends on:
► Importance of the data or report to the functioning of the control
► Complexity of the calculations in a spreadsheet or manipulation of the data in the preparation of the report
► Generally, the “further away” from the application with effective ITGCs, the greater the importance of controls over the data and reports used by management
► Focus on the data and reports with greater importance to the functioning of the controls, particularly review controls, and higher complexity of calculations not performed by the application with effective ITGCs
Example of controls over review of A/R aging report and preparation of bad debt allowance
EAE = A/R Aging Report
Quantities shipped are reconciled to quantities billed (Initiation)
The invoice amount is posted automatically into the customer’s account
upon generation of the invoice (Recording)
The system ages invoices based on the invoice data (Processing)
On a monthly basis, the sub-ledger is posted automatically to the GL
(Processing)
An AR reconciliation is performed by the senior accountant and reviewed for completeness and accuracy by the accounting manager (Processing)
The controller reviews the bad debt allowance calculation and approves
the adjusting journal entry on a quarterly basis (Processing)
End-user computing solutions
► End-user computing solutions likely are not subject to IT general controls
► Excel files
► Access databases
► Dynamic data warehouse reporting tools
► System-generated data in slide decks
► Need to better consider issuer controls over end-user
computing solutions
► Input control – the company reconciles data back to source documents
► Access control – Access is restricted to authorized personnel and is
password protected
► Version control – Standard naming conventions are in place so only
current and approved versions are used
Testing precision of management review controls
Example – periodic access review
► Test of control – bad example:
► Obtained evidence of review, saw review was signed off and some
updates were noted in the review listing
► Test of control – good example:
► Inquired with individual(s) performing review to understand how they
review and identify errors/exceptions
► Obtained understanding of how access reports were generated and how
reviewer knows listings are complete
► Observed the performance of the review
► For each review tested, confirmed the review was signed off
► For each review tested, traced a sample of updates requested through to
updated system access
► For each review tested, considered significant instances of inappropriate
access identified and their impact on the overall control environment
Evaluation of controls at service providers (SOC reports)
PCAOB inspection theme
► Reliance on service organizations was either not identified or not appropriately
documented to determine whether the service auditor’s report provided sufficient audit
evidence about the effectiveness of relevant controls
► Sub-service organizations that were scoped out of the report were not addressed (i.e.,
SOC 1 report was not obtained and there was no documentation of considerations and
conclusion if such sub-servicers were deemed insignificant or not relevant)
► Complementary entity user controls were either not sufficiently tested, or were not
properly linked to engagement team testing of user controls that would address the
relevant considerations
► Update procedures were not properly performed or documented when the service
auditor’s report did not sufficiently cover the entire audit period
► Control exceptions identified by the service auditor were not evaluated to determine
whether sufficient audit procedures to support our combined risk assessments were still
appropriate to prevent or detect potential misstatements
Why do we review SOC reports?
► Many entities outsource aspects of their business to service
organizations that provide services ranging from performing a specific
task under the direction of the entity to replacing an entity’s entire
business unit or function. These services are relevant to the audit
when these services, and the controls over them, are part of the
entity’s information system relevant to financial reporting (e.g., if the client uses electronic audit evidence from a third-party
provider as part of a control activity).
► If we plan to place reliance on controls at the service organization, we
ordinarily obtain and review a service auditor’s report (SOC 1)
covering a sufficient portion of the audit year (this includes sub-service providers of those organizations).
► We review the SOC 1 report and document our evaluation of the
service provider and their impact on the audit.
Complementary User Entity Controls (CEUCs)
► Controls at the service provider alone do not ensure the accuracy of
our client’s financial statements, and the SOC 1 report will outline
control considerations for the user (our client) of the service
► For each CEUC, we should evaluate if the CEUC is relevant (e.g.,
does the CEUC directly impact financial reporting risk(s) that we have
identified that the service providers’ controls help mitigate?)
► For IT-related CEUCs, IT specialists should be used and consider the
client’s responsibilities in things like user access administration (e.g.,
who has access to transmit data to the service provider for
processing) and testing/approving program changes from provider
► For each CEUC deemed relevant to the financial reporting risk(s) that were identified, we must demonstrate that the client has the
appropriate controls in place and we have tested the operating
effectiveness of those controls (e.g., these controls should be defined
as key SOX controls)
Evaluating time period of the report and gap between year-end
► Generally, to rely on a SOC 1 report, the report must cover at least six months of our audit period. If the report covers less than six months and a second
report is not available, we must consider/document how we are comfortable
relying on the report with a smaller coverage period (and expect to be
challenged on this).
► At minimum, consider what controls are in place at the user entity that give us
comfort that the client’s internal controls would detect a material misstatement made by the service provider if there is a large gap between the report end date
and our client’s year-end date. The client’s controls must be sufficiently precise.
► If there is a gap larger than three months between the report end date and our
client’s year-end date, we again must document our considerations of how we
are comfortable relying on the report with a large time period gap (and expect
to be challenged on this).
► At minimum, bridge letters should be obtained; but we should challenge if a bridge
letter alone is sufficient and how else the client gets comfortable over the service
providers’ control environment (e.g., client controls over the reports/data).
Evaluating control exceptions
► The service auditor’s section of the report will summarize the test of controls performed and results of controls testing. Exceptions (often called deviations)
will be noted in this section.
► Auditor should evaluate all relevant exceptions noted in review
documentation
► All exceptions relevant to control objectives that mitigate identified financial reporting risks should be evaluated
► Exceptions related to ITGCs supporting relevant applications that mitigate identified
financial reporting risks should be evaluated
► The exceptions should show an appropriate amount of evaluation of the risk
of the exception. A blanket “This exception has no impact on our audit
approach” is generally not sufficient and could lead to increased scrutiny during a quality inspection.
Evaluating SOC reports – other considerations
► Management should review/evaluate SOC reports as part
of their testing of controls for management’s opinion on
their internal controls over financial reporting
► PCAOB appears to have a list of “problem reports”, and will challenge how teams addressed these “problem
reports” when used in the audit of an issuer
► Some chatter on PCAOB auditing service auditors who
issue SOC reports in the near future
Application controls
PCAOB inspection theme
► Application controls - Testing without understanding the design
► We did not demonstrate our knowledge of whether the application control was
configured by the entity or embedded into the system
► If the control is configured, we did not gain/demonstrate our knowledge of how
the entity configured the control (e.g., is the three way match control configured
with a tolerance of 10% receiving variance)
► Some teams did not document their considerations around which application controls need to be re-tested in the roll forward period
► Lack of evidence regarding the identification and
understanding/walkthrough of application controls, as well as
insufficient testing of application controls, including inappropriate
benchmarking procedures, inappropriate reliance on test of one
transaction, lack of consideration of management’s ability to override
the automated control or insufficient evaluation of the effect of
ineffective ITGCs on the audit of application controls
Other IT-related inspection themes
PCAOB inspection theme
► Multi-location scoping
► Consideration should include commonality of IT systems at the
locations subject to multi-location scoping
► Should ensure alignment with Assurance on scope of testing of decentralized
applications (e.g. Point of Sale, Revenue applications)
subject to multi-location scoping
► Controls over pricing in revenue
► In certain instances, specifically when significant revenue systems
are not subject to testing or are deemed ineffective, engagement
teams have not identified sufficient controls that address pricing,
quantities sold and the related extension (P x Q).
► Inventory cycle counting
► Failure to test cycle count configuration (logic for A/B/C
completeness, cycle count reports)
Transition to COSO 2013
Original framework (1992)
► Designed to:
► Establish a common definition serving the needs of different parties
► Provide a standard against which business and other entities could
assess their control systems
Internal control is defined as a process, effected by an entity's people,
designed to accomplish specified objectives.
COSO 2013
[Figure: COSO cube. Components: Monitoring, Information & communication, Control activities, Risk assessment, Control environment. Entity dimension: Unit A, Unit B, Activity 1, Activity 2.]
Why the update?
COSO’s Internal Control – Integrated Framework (1992 edition) → COSO’s Internal Control – Integrated Framework (2013 edition)
Refresh objectives and the corresponding enhancements:
► Address significant changes to the business environment and associated risks: updated, enhanced and clarified framework
► Increase focus on operations, compliance and nonfinancial reporting objectives: expanded internal and nonfinancial reporting guidance
► Codify criteria to use in the development and assessment of systems of internal control: principles and points of focus
In the 2013 update, much remained the same
► The cube!
► Five components of internal control
► The core definition of internal control
► Requirement to consider the five
components to assess the
effectiveness of a system of
internal control
► Emphasis on the importance of management judgment
in designing, implementing, and conducting internal control, and in assessing the effectiveness of a system
of internal control
One of the big changes in the 2013 Framework
• Principles-based approach
• While the 1992 version implicitly reflected the core principles of
internal controls, the 2013 version explicitly states 17 principles that
represent the concepts associated with each of the five components
• The new framework presumes that all 17 principles must be
present and functioning in an effective system of internal
control
17 principles defined
1. Demonstrates commitment to integrity and ethical values
2. Board of Directors demonstrates independence from management and exercises oversight responsibility
3. Management, with Board oversight, establishes structure, authority and responsibility
4. The organization demonstrates commitment to competence
5. The organization establishes and enforces accountability
6. Specifies relevant objectives with sufficient clarity to enable identification of risks
7. Identifies and assesses risk
8. Considers the potential for fraud in assessing risk
9. Identifies and assesses significant change that could impact system of internal control
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Obtains or generates relevant, quality information
14. Communicates internally
15. Communicates externally
16. Selects, develops and performs ongoing and separate evaluations
17. Evaluates and communicates deficiencies
Principles in the framework
1. Control environment
2. Risk assessment
3. Control activities
4. Information & communication
5. Monitoring
Points of focus also provided
► Points of focus are important characteristics of principles
► Some points of focus may not be suitable or relevant, and others may be
identified that may be relevant
► Points of focus may facilitate designing, implementing and conducting internal control, and assessing whether the principles are present and functioning
► While there is no requirement to separately assess whether points of
focus are in place, we think that is the best (and potentially only) way to
determine whether the objectives of the principles are achieved
Control Environment Component
Principle 1: The organization demonstrates a commitment to integrity and ethical values
Points of focus:
► Sets the tone at the top
► Establishes standards of conduct
► Evaluates adherence to standards of conduct
► Addresses deviations in a timely manner
Other key changes
► Specific risk assessment principle related to fraud
► Principle 8: The organization considers the potential for fraud in
assessing risks to the achievement of objectives
► Specific information and communication principle related
to information quality
► Principle 13: The organization obtains or generates and uses
relevant, quality information to support the functioning of
internal control
► Increased discussion of the effect of other organizations
(e.g., other business models, joint ventures, service organizations)
► Management retains responsibility for controls
Deficiency evaluation
► An effective system of internal control requires that:
► Each of the five components of internal control and all relevant
principles are present and functioning
► The five components are operating together in an integrated
manner
► Principles are fundamental concepts associated with
components
► If a relevant principle is not present and functioning, the associated
component cannot be present and functioning
► Controls will need to be mapped to the 17 principles and deficiencies will need to be evaluated in the context of the 17
principles
Transition
► How long do issuers have to adopt the new framework?
► Updated framework will supersede original framework at the end of
the transition period (i.e., 15 December 2014)
► The SEC staff has indicated that the longer an issuer uses the
1992 framework after the transition period, the more likely it will be
that the SEC staff will have questions regarding the entity’s internal
control assessment
► Are there any additional disclosure requirements?
► During the transition period, entities reporting externally (and their
auditors) should disclose whether the original or updated version
of the framework was used
Key points
► 2013 COSO framework requires that the company align
its internal control with the newly defined 17 principles
► Although much of what we do today will not change
significantly, the 2013 COSO framework has additional considerations we need to evaluate and document when
understanding the design of and testing internal controls
(transaction level and entity-level)
Available resources
► COSO
► Internal Control – Integrated Framework Executive Summary
► Internal Control – Integrated Framework and Appendices
► Internal Control – Integrated Framework Internal Control over
External Financial Reporting: A Compendium of Approaches
and Examples
► Internal Control – Integrated Framework Illustrative Tools for
Assessing Effectiveness of a System of Internal Control
► EY
► Publication: Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes (March 2014)
► Highlights key changes to the 2013 framework, a suggested project plan, questions
to consider when evaluating whether the 17 principles are addressed and an example generic documentation template