Top 10 lessons learned from COSO 2013 Implementation

© 2015 Protiviti Inc. An Equal Oppurtunity Employer M\F\D\V.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

1

Protiviti Webinar:Top Ten Lessons Learned From

Implementing COSO 2013


2

Housekeeping Items…

Following the webinar, all attendees will receive a link to a copy of the presentation and recording.

If you are experiencing technical difficulties during the webcast, let us know by submitting a question within the webinar screen. Please provide your email address for a swift reply.

If you are having trouble hearing the audio through the computer, separate phone lines are available.

International +1 734 385 2579United States +1 855 707 0664Conference ID 26627554


3

We are issuing 1.5 CPE credit for this presentation. To be eligible to receive CPE credit, please:

• Answer five (5) out of the six (6) polling questions throughout the duration of this webinar.

• Qualifying participants will receive their CPE certificates via e-mail within 4 weeks of the webinar

• In the resources area, you can access the following:

• Download The Updated COSO Internal Control Framework: Frequently Asked Questions

• Download The Bulletin: Top 10 Lessons Learned from Implementing COSO 2013

• Register for the May 21st webinar The New Revenue Recognition Rules: Systems, Data, Reporting and a Transparent Audit Trail

Trouble hearing the audio through the computer? Dial in! Phone: +1 855 707 0664, Conference ID: 26627554

CPE Credits and Supplemental Information


4

Jim DeLoach is a Managing Director in Protiviti’s Houston office. He has served on the COSO Advisory Council with respect several COSO projects since 2002, the most recent project being the Internal Control – Integrated Framework Update. He has worked with, and delivered numerous presentations on risk management to, hundreds of companies and groups in 30 countries. He writes Protiviti’s Flash Reports, The Bulletin and Board Perspectives: Risk Oversight. In addition, he writes a monthly blog on the online magazine of the National Association of Corporate Directors and a monthly column for Corporate Compliance Insights. He also wrote all four editions of Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements. E-mail: [email protected]

Jim DeLoach, Managing Director, Houston

Today’s Speakers



5

Keith Kawashima is a Managing Director in Protiviti’s Silicon Valley office. Keith has over 25 years of experience in finance and accounting including 15+ years with Protiviti/Arthur Andersen’s Internal Audit practice and more than 10 years corporate experience in both Finance and Operations prior to joining Protiviti. He has been involved in all aspects of a company’s internal audit function from establishing a charter and developing a risk-based internal audit plan, to developing and executing work programs, through reporting at the audit committee and board level. E-mail: [email protected]

Keith Kawashima, Managing Director, Northern California

Today’s Speakers



6

Shari Katz leads training and methodology development for Protiviti’s Internal Audit Solution and is based in Chicago. She develops curriculum and methodology, and facilitates knowledge management activities for the global internal audit practice. She has 20 years of experience in internal audit at Protiviti and Arthur Andersen. Her experience includes broad internal audit activity, from risk assessments and internal audit plan development to execution of audits and reporting of findings. It also includes Sarbanes Oxley compliance activities from establishing a first year project to supporting an ongoing program. She began her career in Andersen’s external audit practice. She is a CPA, CIA, CRMA and CGMA.E-mail: [email protected]

Shari Katz, Program Manager, Internal Audit Methodology and Training, Chicago

Today’s Speakers



7

Grounding Concepts

Additional Resources

Top 10 Lessons Learned

Today We Will Cover…



8

Grounding Concepts


9

COSO Internal Control - Integrated Framework

COSO Cube (2013 Edition)*

Source: Chapter 2 of COSO Internal Control: Integrated Framework (2013).

• The COSO 2013 Framework is a suitable framework for evaluating the effectiveness of internal control over financial reporting (ICFR)

• COSO no longer supports the 1992 Framework

• The majority of 12/31 issuers have completed the transition from the 1992 Framework to the 2013 Framework


10

Importance of a Top-Down, Risk-Based Approach

Still Applicable with the Implementation of the 2013 COSO Framework

Important for Setting Scope and Objectives

Not Employing this Approach Could Result in Going Overboard with Testing and Documentation


11

Top 10 Lessons Learned from Implementing COSO 2013


12

Lesson #1

Meet with Your Auditor Early and Often

2014 2015Q1 Q2 Q3 Q4 Q1

Develop project plan & inventory

existing documentation

Perform COSO 2013 Mapping

Update process documentation as

necessary

Document and/or design controls for COSO 2013 gaps

Perform phase I testing of key

controls

Perform phase II testing of key

controls

Perform year end testing of key controls including annual controls.Final gap remediation assessment, including significance of open gaps

(any warranting an MW or SD)

Refresh Internal Audit infrastructure Perform / Execute Internal Audit Work

program for selected Internal Audits Assess significance of remaining

gaps, if applicable.

Finalize prior year audit

Discussions with management to

evaluate prior year audit cycle and

plan current year audit cycle

Perform Phase I testing of key

controls

Perform Phase II testing of key

controls

External Audit willperform year end substantive audit

procedures

Discussions with management to

evaluate prior year audit cycle and

plan current year audit cycle

Phase I – Planning and Scoping Phase II – Assess/Analyze Design Effectiveness

Phase III – Implement/Assess Operational Effectiveness Phase IV – Monitoring/Testing/Remediation

External Auditor Checkpoints Internal Auditor Oversight Checkpoints

SOX

IA

CPA Firm


13

Lesson #1 (continued)

Upfront Planning Discussions

Significant changes to your

company

Current focus

areas of external

audit

• Mergers/acquisitions• Discontinued

operations• Changes to

organization hierarchy• Key management

judgments and accounting estimates

• Accounting policies

• Changes to internal controls

• Changes to IT infrastructure

• Changes in third party relationships

• PCAOB inspection results

• Areas of focus for the year

• Peer review results• New accounting

standards

• Updated disclosure requirements

• Changes in audit procedures / methodology

• COSO 2013 transition


14


Areas requiring review and agreement as part of effective planning:

• COSO 2013 mapping approach and format• Scoping and materiality• Approach to:

‒ Multi-locations / site visits‒ Inventory counts‒ Review of out-sourced third party providers‒ Application controls testing‒ Controls over / validation of EAE / IPE‒ One-time transactions‒ Year-end cut-off and roll-forward procedures

• Walkthrough performance• Deliverables• Reliance on the work of others (e.g. internal audit)• Use of specialists – areas of judgment• Areas requiring consultations


15

Lesson #2

Establish an Effective and Relevant Mapping Approach

• Identify whether the point of focus applies to the organization• Identify the key controls at the top level that relate to the point of focus, and

the control unit where they reside• Evaluate design effectiveness at two points – at the design of the control

itself, and then overall design effectiveness at the principle level• Evaluate operating effectiveness• Track and manage deficiencies• Write a memo outlining the approach the company took

Orientation Planning Assessment Remediation


16

Lesson #2 (Continued)

There is no one-size-fits-all solution for mapping controls to the 17 principles. The size, complexity, risks and operating style of each organization will have an impact on the process.

• Level of Effort depends on ‒ The level of depth of prior entity level

documentation

‒ The extent of testing previously performed on entity level documentation

‒ The accuracy and robustness of the controls documented


17


Extent of Gaps include:

• Some controls need to be more robust• Some controls exist but were not documented

for SOX• Some controls need to be built to address a

gap• Deficiencies in entity level controls have an

indirect connection to ICEFR, but need to be remediated in order to prevent them evolving into larger issues


18

Lesson #3

• Ongoing risk assessments need to explicitly consider the risk of fraud

• Anti-fraud controls need to be specifically identified and evaluated

• The level of depth and rigor applied to fraud risks and controls will vary by organization

Conduct a Substantive Fraud Risk Assessment

To address Principle 8 of the framework:


19


Elements of a Fraud Risk Management Program

Control Environment

• Board / Audit Committee Oversight • Management roles and responsibilities • Code of Business Conduct• Conflicts of Interest Policy• Fraud Control Policy• Investigation Protocols / Policy• Ombudsman Program• Whistleblower Policy

Risk Assessment • Fraud risk assessment (including corruption / bribery)

Control Activities • Due diligence (employees and third parties)

Information &Communication

• Reporting mechanisms, including hotline• Ethics training• Fraud awareness training

MonitoringActivities

• Continuous monitoring (i.e., management)• Fraud/ ethics audit procedures (i.e., Internal Audit, Compliance)• Investigation / case management system• Discipline / remediation• Quality assurance review


20

Lesson #4

Take a Broader View of Outsourced Processes Beyond the Service Organization Control (SOC) Report

• Scope in key controls over outsourced activities

• Ensure risk assessments consider risks and controls relating to the integrity of data sent to and received from outsourced service providers

• Use a systemic methodology to evaluate SOC 1 reports and management controls around outsourced service providers

We expect outsourced processes to receiveincreased focus in 2015


21


Evaluating a SOC Report

Assess the Scope

Map User Control Considerations (UCCs)

Evaluate the Opinion and Exceptions

Cover the Gap Period

• Ensure all significant areas included• Assess the impact of those excluded• Determine if additional procedures

are necessary

• Evaluate all exceptions and include in deficiency list if they are key

• If the opinion is qualified, determine if there are mitigating controls in place

• Compare your actual controls to the UCCs and identify any gaps

• Ensure you have controls to monitor the activities performed by the third party

• Compare the “as of” or “period end” date on the report to your fiscal year end date

• Perform additional procedures if necessary to cover the gap period


22

Lesson #5

Manage the Level of Depth When Testing Indirect Controls

• Ensure they are commensurate with and relevant to financial reporting risks

• Ensure they focus on the achievement of control objectives relating to financial reporting

• Do not expand the scope to cover non-ICFR related risks and controls


23

Lesson #6

Understand and Document Control Precision

• Ensure management review controls achieve a sufficient level of precision to detect material misstatements

• If management review controls do not achieve the prescribed level of precision, consider shifting to transaction level controls


24

Inquire of both the control owner and reviewer and corroborate with others

Observe the timely resolution/correction of unreconciled differences or errors identified by the reviewer

Participate in review meetings and document those matters reviewed and questions asked that initiated follow-up

Review draft versions of documents and items supporting the control

Inspect email correspondence of follow-up procedures performed, if available


Evaluating Control Precision


25

Verify that all the outliers or exceptions that should have been identified were, in fact, identified by the individual performing the control

Ensure all the outliers or exceptions were adequately followed up on and resolved


A lack of errors/exceptions may suggest that the control is not operating with sufficient precision.

Evaluating Errors/Exceptions Identified


26

• Information used in the execution of key controls (IPE) should be evaluated for completeness and accuracy

• The level of rigor required to validate IPE will vary from auditor to auditor and audit firm to audit firm

Lesson #7

Evaluate the Adequacy of Information Produced by Entity (IPE)

We expect further emphasis in the next round of PCAOB inspection reports on the reliance of key controls on IPE


27


Factors to consider when evaluating the completeness and accuracy and frequency of testing key reports:

Whether the report query logic has changed

Whether the relevant IT general controls are effective

Whether information that the report generates comes from multiple systems or databases, thereby increasing the risk to ICFR

Whether the control is sensitive to other business factors that may have changed, such as new GL accounts or sub-accounts

Whether the report is being used in a control with a higher risk of failure


28


End-User Computing/Spreadsheets Controls

Access Controls

• Stored in files or directories where access is restricted.

• Fields with formulas use cell protection to restrict the ability to make changes to formulas.

Input Controls

• Inputs are validated for accuracy and completeness when data is manually entered or imported.

• Control totals are reconciled upon data extraction from the source system and uploaded to the spreadsheet.

Calculation Controls

• Automation of the configured calculations.

• Fields with formulas use cell protection to restrict the ability to make changes to formulas.

• Reviews are completed to validate the appropriate-ness of important formulas.

Change Controls

• Version controls to track changes and differentiate versions.

• Require testing and approval of spreadsheet updates prior to deployment.

Monitoring Controls

• Use automated spreadsheet testing tools to evaluate the spreadsheet logic and input controls.

• Output is compared to another source (which may include an independent expectation) to identify potential variations or errors.


29

Lesson #8

Expect an Increase in Deficiency Evaluation Efforts

• More analysis is required to evaluate deficiencies identified, including compensating controls

• Assess deficiencies in a systemic manner to determine if they have broader implications when aggregated

• Internal control components “operate together” when they are “present and functioning” and internal control deficiencies, when aggregated, do not result in a major deficiency


30

Lesson #9

Adopt the Updated 2013 Framework “On Time”

Given that the majority of organizations have transitioned successfully, the SEC staff will not likely provide a “free pass” for fiscal years ended

after December 15, 2015


31

Lesson #10

Ask yourself – Is Limiting Your Focus on Applying the 2013 COSO Framework to SOX Compliance the Answer?

• Most organizations have only used the COSO 2013 framework for SOX, but there are benefits to using the COSO framework for other objectives (e.g., operations, compliance and other reporting)

• Other uses of the COSO 2013 framework should be segregated from SOX compliance


32

Meet with Your Auditor Early and Often

Establish an Effective and Relevant Mapping Approach1 2

Conduct a Substantive Fraud Risk Assessment

Take a Broader View of Outsourced Processes Beyond the Service Organization Control (SOC) Report

3 4

Manage the Level of Depth When Testing Indirect Controls

Understand and Document Control Precision5 6

Evaluate the Adequacy of Information Produced by Entity (IPE)

Expect an Increase in Deficiency Evaluation Efforts7 8

Adopt the Updated 2013 Framework “On Time”

Ask yourself – Is Limiting Your Focus on Applying the 2013 COSO Framework to SOX Compliance the Answer?

9 10

10 Lessons Learned from Implementing the COSO 2013 Framework


33

Additional Resources


34

Resources on COSO 2013

2013 Internal Control – Integrated Framework - Executive Summary

COSO Internal Control-Integrated Framework Frequently Asked Questions

The 2013 COSO Framework & SOX Compliance – One Approach to an Effective Transition

1

2

3

Access COSO Guidance and Thought Papers at: www.coso.org and click on ‘guidance’


35

Protiviti Resources on COSO 2013

The Updated COSO Internal Control Framework: Frequently Asked Questions 4

Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements –Frequently Asked Questions Regarding Section 404

5

Guide to the Sarbanes-Oxley Act: IT Risks and Controls6

Board Perspectives: Risk Oversight - COSO 2013: Why Should You Care7

Source: http://www.protiviti.com/en-US/Pages/Resource-Guides.aspx

Bulletin: Top 10 Lessons Learned from Implementing COSO 20138


36

Past Protiviti Webinars on COSO 2013

Title Date COSO 2013: What is New, What is Changed, Why Does it Matter and Other Frequently Asked Questions May 28, 2014

COSO 2013: Managing the Project for Success June 4, 2014

COSO 2013: Mapping Controls to Principles June 11, 2014

COSO 2013: The Implications to IT Controls June 18, 2014

COSO 2013: Assessing Fraud Risk in ICEFR and Implementation Insights Panel June 25, 2014

COSO 2013: Assessing Fraud Risk September 10, 2014

All of our webinars can be found on

www.protiviti.com.

Just click on Webinarson our home page


37

Confidentiality Statement and Restriction for Use

This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not

be distributed to third parties.

Top 10 lessons learned from COSO 2013 Implementation

Technology

protiviti webinar

companys internal use

webinar screen

coso projects

conference id

cpe credits

cpe certificates

managing director