
COSO: Outlook for the New Internal Controls Framework

Richard F. Chambers, CIA, CGAP, CCSA, CRMA
President and CEO, The Institute of Internal Auditors, and COSO Board Member
www.theiia.org

I. About COSO
II. About the Update Process
III. About the Framework
IV. About the Proposed Changes
V. Path Forward


I. About COSO


A History of Thought Leadership


- National Commission Report on Financial Fraud (1987)
- Internal Control - Integrated Framework (1992)
- Internal Control Issues in Derivatives Usage (1996)
- Fraudulent Financial Reporting: 1987-1997 (1999)
- Enterprise Risk Management - Integrated Framework (2004)
- Internal Control over Financial Reporting - Guidance for Smaller Public Companies (2006)
- Guidance on Monitoring Internal Control Systems (2009)
- Fraudulent Financial Reporting: 1998-2007 (2010)


External Developments Affecting the Mission

- SOX 404 requirement: public reporting on internal control effectiveness
- Recent financial crisis: focus on risk management inadequacies; pressure on boards to become more involved in risk management
- Ongoing concerns about fraudulent financial reporting


II. About the Update Process for the Internal Control - Integrated Framework

Why Update What Works?


COSO's Internal Control - Integrated Framework (1992 Edition): ICIF works well today

Refresh objectives:
- Address significant changes to the business environment and associated risks
- Codify criteria to use in the development and assessment of systems of internal control
- Increase focus on operations, compliance and non-financial reporting objectives

Enhancements: ICIF will work better tomorrow



COSO's Internal Control - Integrated Framework (Draft, 2012 Edition):
- Updated, enhanced and clarified Framework
- Principles and attributes
- Expanded internal and non-financial reporting guidance

- COSO Board of Directors
- Project Team: PricewaterhouseCoopers
- COSO Advisory Council (nominated by the COSO Board): AICPA, AAA, IIA, FEI, IMA, regulatory observers, public accounting firms, others
- Companies and other stakeholders: industry associations, academia, not-for-profit and government entities, professional associations, risk management professionals, lawyers, regulators, other rule-makers


The Current Project: Three Products


Stakeholder Survey

- Over 700 responses
- Responses from a wide range of organizations and individuals: large, small and non-profit organizations; 1 in 4 respondents are non-U.S.; the majority of respondents have been using the Framework for over 5 years
- 85% supported updating, but not a major overhaul of, the Framework


III. About the Internal Control - Integrated Framework

Internal Control - Integrated Framework

Defines:
- Internal control and its components
- Purpose of internal control
- Components and categories
- Roles and responsibilities

Internal Control Integrated Framework

- The most-referenced framework for evaluating internal control, especially internal control over financial reporting
- Influenced legislation and practice in many places: Sarbanes-Oxley, Chinese Ministry of Finance, SEC of Japan
- Should work for greater harmonization

Internal Control - Integrated Framework


- First published in 1992
- Gained wide acceptance following the financial control failures of the early 2000s
- Most widely-used framework in the U.S.

However:
- Since 1992, the operating environment has evolved
- Framework concepts are timeless, but context needs updating

Defining Internal Control


Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of reporting
- Compliance with applicable laws and regulations

Key Points

- Suitable for all types and sizes of organizations; impact will vary by organization
- Suitable not only for financial reporting, but also for operations and compliance objectives and activities
- Principles-based approach allowing flexibility to be applied at the entity, operating and functional levels

A Changing Business Environment

- Expectations for governance oversight
- Globalization of markets and operations
- Changes in business models
- Demands and complexity of rules, regulations and standards
- Expectations for competencies and accountabilities
- Use and reliance on evolving technology

These drive updates to the Framework.

IV. About the Internal Control - Integrated Framework: Proposed Changes

Refreshing the Framework

- Enhancements are not intended to alter the core concepts developed in the original Framework
- However, there may be changes pertaining to the application of these concepts that could impact how companies respond
- Other project objectives include:
  - Adding more focus on operational and compliance control objectives
  - Explicitly identifying principles and attributes to provide efficiency and a basis for evaluating effectiveness

Much is Familiar


Examples of Significant Changes

- The organization considers the potential for fraud relating to material misstatement of reporting, inadequate safeguarding of assets, and corruption in assessing risks to the achievement of objectives
- The organization selects and develops general control activities over technology to support the achievement of objectives
- The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning

Key Points

- Identifies key attributes for each principle
- Considers the relationship to enterprise risk management, allowing for integration of both the COSO ERM and ICIF models
- Changes are not major, but will nevertheless require review and potential updates to a number of processes, activities and documentation

Objectives


Across the Organization

- The overall entity, divisions, subsidiaries, operating units, or functions
- Business processes such as sales, purchasing, production, marketing

Specificity: The Principles

- 17 principles drawn from the five components of the Framework
- All 17 principles apply to each category of objective, as well as to individual objectives within the categories
- It is generally expected that all principles will, to some extent, be present and functioning for an organization to have effective internal control
- When a principle is not being met, some form of internal control deficiency exists

Specificity: The Principles


Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Establishes accountability

Specificity: The Principles


Risk Assessment
6. Specifies relevant objectives
7. Identifies and assesses risk
8. Identifies and assesses significant change
9. Assesses fraud risk

Specificity: The Principles

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Specificity: The Principles

Information & Communication
13. Generates relevant information
14. Communicates internally
15. Communicates externally

Specificity: The Principles

Monitoring Activities
16. Conducts ongoing and separate evaluations
17. Evaluates and communicates deficiencies

Specificity: The Attributes

- Each principle is supported by attributes, representing characteristics associated with the principle
- Each attribute generally is expected to be present
- It may be possible to have a principle present and functioning without having every attribute

Example: A deficiency may or may not exist if

Control Environment, Principle 2: Board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.

Attribute | Present
1. Establishes Board of Directors Oversight Responsibilities | Yes
2. Retains or Delegates Oversight Responsibilities | Yes
3. Applies Relevant Expertise | Yes
4. Operates Independently (the board of directors has sufficient members who are independent of the organization and demonstrate objectivity) | No
5. Provides Oversight | Yes

V. Path Forward


Exposure Period: Going, Going, Gone


- Sept 2010 to Jan 2011: Assess & Survey Stakeholders
- Feb 2011 to Oct 2011: Design & Build
- Dec 2011 to Mar 2012: Public Exposure
- Apr 2012 to Dec 2012: Finalize

When to Implement

Your circumstances dictate how fast changes should be made:
- Final version to be issued in late 2012
- Monitor for guidance by the SEC or other regulators
- COSO, quite naturally, believes the advantages of the updated Framework will drive adoption as quickly as possible

COSO: Looking Ahead


- Updating the Internal Control - Integrated Framework
- Thought papers to assist ERM stakeholders in advancing along the maturity curve of an effective ERM process
- Additional research and guidance on the control environment dealing with behavioral issues and other "soft side" research issues like rationalization and overconfidence
- Providing guidance on internal control in the public sector
- Coming soon: Judgment Traps; ERM and Cloud Computing; Advances in ERM Risk Assessment and Prioritization Approaches


Questions?
The Institute of Internal Auditors
Richard Chambers, CIA, CGAP, CCSA, CRMA
President & Chief Executive Officer
richard.chambers@theiia.org
Twitter: @RFCHAMBERS