
10 Minutes

Are your controls keeping pace with your business?


Highlights

Applying the Update can help you strengthen controls and bolster confidence in meeting your operational, reporting, and compliance objectives.
New features in the Update help you uncover hidden risks and apply appropriate controls.
The Update helps you identify, and potentially avoid, how people, technology, and processes can cause control breakdowns.
Begin assessing how you can use the Update to build upon your current controls to address business changes.

on why the COSO Update deserves your attention

May 2013

Hidden exposures in business: these are what effective internal control can help uncover. In recent years, we've witnessed and suffered the higher costs that can result when these threats remain unchecked. Where do the blind spots lurk in your business: In social media, where customer problems brew before a recall becomes necessary? In sprawling legal entities not monitored for satisfying compliance and reporting requirements? In high-frequency trading records that may conceal a staggering loss?

The 1992 Internal Control-Integrated Framework developed by COSO has been widely adopted to support external financial reporting requirements. After 20 years, COSO decided it was time for a refresh. The 2013 update,¹ authored by PwC, is designed to address reporting, compliance, and operational objectives. This provides businesses and their stakeholders with a common vocabulary for getting a handle on the ever-changing environment.

As business evolves, leading companies evolve their internal control systems. The newly released framework provides the perfect opportunity to consider: Are your controls really keeping up?

1 Update to the Committee of Sponsoring Organizations' Internal Control-Integrated Framework, http://coso.org/IC.htm.

A fresh look at controls may especially benefit your company if you're going through...

A major change. Your growth, restructurings, or new markets, products, and partners: they introduce new risks.
Ongoing regulatory oversight and scrutiny. If you're complying with more regional or global requirements, there may be little room for error.
Greater complexity in your operating model and structure. Taking on new service providers or other partners can create risks that may be far removed from the business.
Expanding reliance on technology. New uses of existing technology and new tech investments may impact risks for internal and external interactions.
New and evolving expectations for nonfinancial reporting. Stakeholders and regulators seek greater transparency and confidence in reporting.
Business failures and brand-damaging events. Businesses in many industries need to re-build trust with customers and stakeholders.

At a glance

Effective internal control adapts to change

What are some changes in business and how does the COSO Update help?

Regulatory scrutiny: Accounts for a growing web of global regulations, like financial reporting requirements and environmental standards.
Increased reliance on technology: Provides a principle directed at controls over technology infrastructure, development, use, and links with other processes.
Expectation for additional reporting: Extends to cover non-financial reporting objectives, like sustainability reports and customer satisfaction measures.
Complex, interconnected business: Helps you customize controls and see if they're supporting multiple objectives and principles. And these updates will help you check what's covered and what's missing across the business, including dispersed and outsourced operations.
Accelerating pace of businesses: Provides principles that help you adapt controls for planned changes and unforeseen circumstances, and keep them in sync with the business.
Greater complexity in management models and legal structures: Explicitly considers business models and helps you apply controls across management operating models and legal entity structures.

01
Gain confidence around what matters
How can you be sure your system of control remains up to the task? The COSO Framework was updated in three important ways to make it easier for your controls to evolve with the business.

1. Reflective of the current environment. The Update reflects how doing business has changed and provides guidance to assess risk and keep related controls current. For instance, the negative impact from a product defect can now be amplified through social media. However, if a company applies controls that enable it to monitor social channels, it could receive early warning.

2. Applicable to more business objectives. The Update helps you apply internal control to your growing list of objectives. It now addresses internal reporting, which can satisfy requirements set by senior management and boards. The Update also covers external non-financial reporting requirements driven by laws, regulations, or even heightened stakeholder expectations. As with its predecessor, the Update still applies to financial reporting to support your compliance with Sarbanes-Oxley and enables you to strengthen existing controls, often without significant modification.² The Update makes it easier for you to address these objectives in an integrated way: more objectives don't necessarily translate into more work. For example, a biotech company may have compliance requirements around purity standards. It can apply controls to help prevent a breach in purity while at the same time meeting a second objective of bolstering confidence in its reporting.

3. Flexible and customizable. The Update is principles-based, making it more flexible, adaptable, and broadly applicable than a rules-based framework. It provides 17 principles that formalize fundamental concepts in the original framework. These principles help you specify objectives, assess risks, and deploy controls that you can adapt to meet your unique requirements. They can also help you meet objectives across the organization. For example, principles that you apply to prevent and detect fraud in financial reporting could also help you address fraud risks in wide-ranging operations that, if left unchecked, could impact local compliance objectives.

Ramp up in the right areas

You can apply internal control to many aspects of your business, but the key is targeting where it's really needed. The Update can help you clearly identify and communicate where there are important objectives and select the right controls to apply. For example, over half of CEOs say availability of key skills is a top priority.³ The Update has principles you can use to identify the specific, critical objectives that may be jeopardized if you're unable to find the right talent. This lets you target where other controls may be needed, like greater management oversight or use of technology.

Most businesses are planning changes that can impact controls

Do you anticipate a major change at your company in the following areas over the next 12 months?

Customer strategies: 31%
Managing talent: 23%
Organizational structure: 22%
M&A, joint venture or strategic alliance: 22%
Technology investment: 21%

Base: 1,330 global CEOs. Source: PwC, 16th Annual Global CEO Survey, January 2013.

2 See PwC's Dataline (May 2013) for a discussion of implications of the Update for external financial reporting.

3 PwC, 16th Annual Global CEO Survey, January 2013.

02
Remove the blind spots
Without a full view of your business, hidden exposures can put you at risk. The Update is designed to help reveal risks you may be unaware of.

Reaching deep to pinpoint problems

The Update helps you focus on objectives, related risks, and controls in all reaches of your business: its legal entities, divisions, operating units, and functions.

Consider an executive who's responsible for a legal entity but lacks the authority over some operations that roll up to it. As we've seen in recent crises, public and regulatory backlash is directed at the nominal leaders, even if they didn't have authority over the operations where problems occurred.

Controls should also keep business partners in clear view. One manufacturing company thought it had diversified its suppliers, only to discover that all the suppliers were actually buying from a single source. So when that single source broke down, it disrupted the manufacturer's operations despite its efforts to diversify. The Update includes principles for specifying objectives and assessing risks across the business, and for establishing structures, authorities, and responsibilities that could head off issues like these.

Keeping up with change

Any change (new leaders and managers, new markets and products, growth, mergers and acquisitions, restructurings, or emerging technologies) introduces risks. The Update includes principles for identifying and assessing the impact of significant changes on internal control. For example, a manufacturer that acquires an online distributor might take on new inventory management risks. The company needs to determine if existing controls cover risks that could get in the way of achieving its operational objectives.

Seeing across the business

Risks can become problems far from where they begin. The Update can help you make sure your controls don't miss any of these. Suppose you invest in an emerging market. The new entity could bring unexpected risks from new rules of business, tax and regulatory requirements, and distant operations, to name a few. Just as you've used controls for complying with Sarbanes-Oxley, you can apply them here to help you identify and mitigate the most critical risks before they become problems.

If internal control is applied to achieve multiple objectives, the Update helps you see the entire business and prevent domino effects. In one case, a company's financial reporting failure ultimately jeopardized its operations: A restatement of financial results drove down the stock price. This forced the company to break its debt covenants, and banks called in their loans, which led to a cash flow squeeze. The principles around risk assessment and monitoring activities help you identify potential problems before they happen.

Most businesses have experienced recent changes that can impact controls

Companies that have undergone a major business transformation in response to market shifts since mid-2011: 67%

Base: Over 800 global executives and risk managers. Source: PwC, Risk in review: Global risk in the transformation age, 2013.

03
Take control through people, technology, information, and processes
Businesses need to shore up controls

The Update's principles can help you keep potential gaps from developing, often by looking at how controls intersect with how business gets done.

Preparing your people

Your control environment establishes the structures, standards, accountabilities, and oversight for carrying out your business's internal control. Your role here and that of other company leaders is crucial. To see why, just scan the media reports of recent crises, which dug into executive emails to determine if leadership set the right example, even if the breakdowns were far removed. Principles guide you through establishing a solid control environment.

The Update helps you address people at all levels of the organization. It includes a principle for attracting, developing, and retaining competent personnel. Managers with key roles in operating units and functions, like supply chain, IT security, and portfolio management, are closest to the risks and changes that could impact them. They're well-positioned to spot new risks, identify when issues are likely to occur, and select controls to mitigate risks. For instance, some financial services roles require professionals who can determine when transaction risk profiles are changing and take corrective actions.

Understanding technology risks

Even as technology is the engine of many businesses, connecting employees, partners, and customers, overreliance on technology can introduce risks and mask problems. This is especially true for mobile, social, cloud, and other emerging technologies. The Update includes a principle explicitly focused on controls over the use of technology. Data theft, for example, has become commonplace and companies should be prepared for handling a breach. Yet many businesses that have experienced data theft don't have sufficient controls in place to even know how the breakdowns occurred and which systems or technologies made it vulnerable.

Zeroing in on the right information and processes

The Update includes several principles for using relevant information and communicating the right information to the right people. For example, a business could be surprised to find itself in a high risk position if it monitors only net financial positions without seeing the individual pieces that could push it into danger.

The Update also addresses your significant processes and reminds businesses that they cannot delegate responsibility for achieving key objectives to business partners or service providers. For instance, many Internet-based businesses relied on a cloud service provider that experienced a service disruption. Those companies that had controls over the outsourced service with contingency plans in place kept operating; those that lacked such controls were forced to suspend operations. Principles address these kinds of situations and help you make sure controls support those processes relevant to achieving objectives across your business.

46% of boards have held discussions regarding tone at the top, July 2011-July 2012¹

Availability of key skills concerns 58% of CEOs²

Speed of technological change concerns 42% of CEOs²

57% of boards plan to devote more time to information technology opportunities and issues¹

1. Base: 860 public company directors. Source: PwC, Insights from the Boardroom, 2012.
2. Base: 1,330 global CEOs. Source: PwC, 16th Annual Global CEO Survey, January 2013.

04
Time to refresh your internal control
How can you bring your controls up to speed with the COSO Update? Consider these starting points and questions as you assess the controls you have today and determine where you need to focus your efforts.⁴

See the big picture

Specify objectives that matter to your business and would benefit from applying a comprehensive, integrated control system.
Which recent strategic, business, or operating decisions have introduced new risks?
How do our controls adapt to change? Is our organization prepared to respond to change?
Do we apply controls to objectives relating to internal reporting, non-financial reporting, operations, and compliance?
Can any of our controls be applied to more reporting, compliance, or operational objectives?
Have we considered the entire organization?

Learn from the past

Take a fresh look at your existing controls in relation to the risks of achieving objectives.
What breakdowns have we experienced with our existing controls? Why didn't we anticipate them?
What issues could have been prevented if we had greater internal control at the root cause?
How can we strengthen our systems of internal control by better connecting objectives, risks, and controls?

Look at your controls through the Update

Map relevant principles to existing controls. Doing this now allows you to leverage the benefits of the Update for important objectives. It also prepares your internal control over financial reporting to use the updated framework, which COSO has announced will supersede the original in December 2014.
How thoroughly have we implemented the fundamental concepts set out in the 1992 framework?
Have we overlooked any principles?

Lead the refresh

Appoint a leader to marshal the transition to the updated framework.
What is our board's view on broadening use of internal control and implementing the COSO Update?
How can we use the COSO Update to re-engage executives and the board in strengthening our systems of internal control?
How do we engage divisions, operating units, operations, internal audit, risk management, compliance, finance, technology, and human resources in adopting the updated framework?

4 See PwC's Resilience: A journal of strategy and risk (May 2013) for a discussion of how your business can use the Update to be more agile.

Upcoming 10Minutes topics

Prepare your balance sheet for new leasing rules

The IASB and FASB are expected to issue their latest proposal on leases, and the potential impact could echo through the entire business. If your company uses leases, take notice: The proposed rules could change the way you present and recognize expenses in your income statement, make lease-vs-buy decisions, and execute agreements. And these changes could ultimately affect your company's financial performance.

Managing tax uncertainty through operational effectiveness

The tax function is an overlooked area for improvement. It is frequently bogged down by rigidity and antiquated systems, and unprepared for change. Even worse, its antiquated systems represent a hidden source of risk to the company and to the longevity of company CFOs. The tax function is ripe for systemic change, similar to how Lean, Six Sigma, and enterprise resource planning have transformed other company functions. The result: improved risk management, forecasting, analytical abilities, even cash savings.

Getting eco-efficiency right

Nearly half (48%) of global CEOs in PwC's 16th Annual Global CEO Survey say they plan to support eco-efficiency in the coming year by reducing environmental impacts. But chances are good these efforts will stall. Projects that are both cost-effective and good for the environment may never get off the ground. In this 10Minutes we'll look at current approaches for making the business case for environmental initiatives, give examples of indirect benefits, and show how intangibles can be factored into your decisions.

How PwC can help

To have a deeper discussion about COSO Update and internal control, please contact:

Author & Project Team Leaders

Miles Everson, Engagement Leader, 646 471 8620, miles.everson@us.pwc.com
Stephen Soske, Project Lead Partner, 617 530 5731, stephen.soske@us.pwc.com

PwC Practice Leaders

Tim Ryan, Assurance US Leader, 617 530 7376, tim.ryan@us.pwc.com
Dean Simone, Risk Assurance US Leader, 267 330 2070, dean.c.simone@us.pwc.com
Dennis Chesley, Risk Advisory Global Leader, 703 918 6154, dennis.l.chesley@us.pwc.com
Jason Pett, Internal Audit US Leader, 410 659 3380, jason.pett@us.pwc.com

Charles Harris, Assurance Partner, 973 236 5340, charles.e.harris@us.pwc.com
Cara Beston, Risk Assurance Partner, 408 817 1210, cara.m.beston@us.pwc.com

© 2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. 10Minutes is a trademark of PwC US. PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com. ST-13-0050
