8/2/2019 Proposed Revisions to the COSO Framework
www.theiia.org
COSO: Outlook for the New Internal Controls Framework
Richard F. Chambers, CIA, CGAP, CCSA, CRMA
President and CEO, The Institute of Internal Auditors, and COSO Board Member
I. About COSO
II. About the Update Process
III. About the Framework
IV. About the Proposed Changes
V. Path Forward
I. About COSO
About COSO
A History of Thought Leadership
National Commission Report on Financial Fraud (1987)
Internal Control - Integrated Framework (1992)
Internal Control Issues in Derivatives Usage (1996)
Fraudulent Financial Reporting: 1987-1997 (1999)
Enterprise Risk Management - Integrated Framework (2004)
Internal Control over Financial Reporting - Guidance for Smaller Public Companies (2006)
Guidance on Monitoring Internal Control Systems (2009)
Fraudulent Financial Reporting: 1998-2007 (2010)
External Developments Affecting the Mission
SOX 404 requirement: public reporting on internal control effectiveness
Recent financial crisis: focus on risk management inadequacies; pressure on boards to become more involved in risk management
Ongoing concerns about fraudulent financial reporting
II. About the Update Process for the Internal Control - Integrated Framework
Why Update What Works?
ICIF works well today
Refresh objectives
Enhancements
ICIF will work better tomorrow
COSO's Internal Control - Integrated Framework (1992 Edition)
COSO's Internal Control - Integrated Framework (Draft, 2012 Edition)
Address significant changes to the business environment and associated risks
Updated, enhanced and clarified Framework
Increase focus on operations, compliance and non-financial reporting objectives
Expanded internal and non-financial reporting guidance
Codify criteria to use in the development and assessment of systems of internal control
Principles
Attributes
COSO Advisory Council (nominated by the COSO Board)
AICPA
AAA
IIA
FEI
IMA
Regulatory Observers
Public Accounting Firms
Others
Project Team
PricewaterhouseCoopers
Companies and Other Stakeholders
Industry Associations
Academia
Not-for-profit, government entities
Professional associations
Risk management professionals
Lawyers
Regulators
Other rule-makers
COSO Board of Directors
The Current Project:
Three Products
Stakeholder Survey
Over 700 responses
Responses from wide range of organizations/individuals
Large, small and non-profit organizations
1 in 4 respondents are non-U.S.
Majority of respondents have been using the Framework for over 5 years
85% supported updating, but not a major overhaul of the Framework
III. About the Internal Control - Integrated Framework
Internal Control - Integrated Framework
Defines:
Internal control and its components
Purpose of internal control
Components and categories
Roles and responsibilities
Internal Control - Integrated Framework
The most-referenced framework for evaluating internal control, especially internal control over financial reporting
Influenced legislation and practice in many places
Sarbanes-Oxley
Chinese Ministry of Finance
SEC of Japan
Should work for greater harmonization
Internal Control - Integrated Framework
First published in 1992
Gained wide acceptance following financial control failures of early 2000s
Most widely-used framework in the U.S.
However
Since 1992, the operating environment has evolved
Framework concepts are timeless, but context needs updating
Defining Internal Control
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of reporting.
Compliance with applicable laws and regulations.
Key Points
Suitable for all types and sizes of organizations
Impact will vary by organization
Suitable not only for financial reporting, but also for operations and compliance objectives and activities
Principles-based approach allowing flexibility to be applied at the entity, operating and functional levels.
A Changing Business Environment
Expectations for governance oversight
Globalization of markets and operations
Changes in business models
Demands and complexity of rules, regulations and standards
Expectations for competencies and accountabilities
Use and reliance on evolving technology
Drives updates to the Framework
IV. About the Internal Control - Integrated Framework Proposed Changes
Refreshing the Framework
Enhancements are not intended to alter the core concepts developed in the original Framework
However, there may be changes pertaining to the application of these concepts that could impact how companies respond
Other project objectives include:
Adding more focus on operational and compliance control objectives
Explicitly identifying principles and attributes to provide efficiency and a basis for evaluating effectiveness
Much is Familiar
Examples of Significant Changes
The organization considers the potential for fraud relating to material misstatement of reporting, inadequate safeguarding of assets, and corruption in assessing risks to the achievement of objectives
The organization selects and develops general control activities over technology to support the achievement of objectives
The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
Key Points
Identifies key attributes for each principle
Considers relationship to enterprise risk management, allowing for integration of both the COSO ERM and ICIF models.
Changes are not major, but will nevertheless require review and potential updates to a number of processes, activities and documentation.
Objectives
Across the Organization
The overall entity, divisions, subsidiaries, operating units, or functions
Business processes such as sales, purchasing, production, marketing
Specificity: The Principles
17 Principles drawn from the five components of the Framework
All 17 principles apply to each category of objective, as well as to individual objectives within the categories
It is generally expected that all principles will, to some extent, be present and functioning for an organization to have effective internal control
When a principle is not being met, some form of internal control deficiency exists
Specificity: The Principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Establishes accountability
Specificity: The Principles
Risk Assessment
6. Specifies relevant objectives
7. Identifies and assesses risk
8. Identifies and assesses significant change
9. Assesses fraud risk
Specificity: The Principles
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Specificity: The Principles
Information & Communication
13. Generates relevant information
14. Communicates internally
15. Communicates externally
Specificity: The Principles
Monitoring Activities
16. Conducts ongoing and separate evaluations
17. Evaluates and communicates deficiencies
Specificity: The Attributes
Each principle is supported by attributes, representing characteristics associated with the principle
Each attribute generally is expected to be present
It may be possible to have a principle present and functioning without having every attribute
Example: A deficiency may or may not exist if
Control Environment Principle 2 - Board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
1. Establishes Board of Directors Oversight Responsibilities: Yes
2. Retains or Delegates Oversight Responsibilities: Yes
3. Applies Relevant Expertise: Yes
4. Operates Independently: No
   The board of directors has sufficient members who are independent of the organization and demonstrate objectivity.
5. Provides Oversight: Yes
V. Path Forward
Exposure Period: Going, Going, Gone
[Timeline figure, 2010-2012. Phases: Assess & Survey Stakeholders; Design & Build; Public Exposure; Finalize]
When to Implement
Your circumstances dictate how fast changes should be made
Final version to be issued in late 2012
Monitor for guidance by SEC or other regulators
COSO, quite naturally, believes the advantages of the updated Framework will drive adoption as quickly as possible.
COSO: Looking Ahead
Updating Internal Control - Integrated Framework
Thought papers to assist the ERM stakeholders in advancing along the maturity curve of an effective ERM process.
Additional research and guidance on the control environment dealing with behavioral issues and other soft side research issues like rationalization and overconfidence
Providing guidance on internal control in the public sector.
Coming soon:
Judgment Traps
ERM and Cloud Computing
Advances in ERM Risk Assessment and Prioritization Approaches
Questions?
The Institute of Internal Auditors
Richard Chambers, CIA, CGAP, CCSA, CRMA
President & Chief Executive Officer
Twitter: @RFCHAMBERS