Richard F. Chambers, CIA, CGAP, CCSA, CRMA
President and CEO, The Institute of Internal Auditors, and COSO Board Member
www.theiia.org
About COSO
About the Update Process
About the Framework
About the Proposed Changes
Path Forward
I. About COSO
National Commission Report on Financial Fraud (1987)
Internal Control Integrated Framework (1992)
Internal Control Issues in Derivatives Usage (1996)
Fraudulent Financial Reporting: 1987-1997 (1999)
Enterprise Risk Management Integrated Framework (2004)
Internal Control over Financial Reporting Guidance for Smaller Public Companies (2006)
Guidance on Monitoring Internal Control Systems (2009)
Fraudulent Financial Reporting: 1998-2007 (2010)
SOX 404 requirement: public reporting on internal control effectiveness
Recent financial crisis: focus on risk management inadequacies; pressure on boards to become more involved in risk management
Ongoing concerns about fraudulent financial reporting
II. About the Update Process for the Internal Control Integrated Framework
Refresh objectives
Principles Attributes
AICPA; AAA; IIA; FEI; IMA; Regulatory Observers; Public Accounting Firms; Others
Industry Associations; Academia; Not-for-profit, government entities; Professional associations; Risk management professionals; Lawyers; Regulators; Other rule-makers
Stakeholder Survey
Large, small and non-profit organizations
1 in 4 respondents are non-U.S.
Majority of respondents have been using the Framework for over 5 years
Defines:
Internal control and its components
Purpose of internal control
Components and categories
Roles and responsibilities
The most-referenced framework for evaluating internal control, especially internal control over financial reporting
Influenced legislation and practice in many places:
  Sarbanes-Oxley
  Chinese Ministry of Finance
  SEC of Japan
Should work for greater harmonization
First published in 1992
Gained wide acceptance following financial control failures of early 2000s
Most widely-used framework in the U.S.
However
Since 1992, the operating environment has evolved
Framework concepts are timeless, but context needs updating
Effectiveness and efficiency of operations. Reliability of reporting. Compliance with applicable laws and regulations.
Key Points
Suitable not only for financial reporting, but also for operations and compliance objectives and activities
Principles-based approach allowing flexibility to be applied at the entity, operating and functional levels
Expectations for governance oversight
Globalization of markets and operations
Changes in business models
Demands and complexity of rules, regulations and standards
Expectations for competencies and accountabilities
Use and reliance on evolving technology
Enhancements are not intended to alter the core concepts developed in the original Framework
However, there may be changes pertaining to the application of these concepts that could impact how companies respond
Other project objectives include:
  Adding more focus on operational and compliance control objectives
  Explicitly identifying principles and attributes to provide efficiency and a basis for evaluating effectiveness
Much is Familiar
The organization considers the potential for fraud relating to material misstatement of reporting, inadequate safeguarding of assets, and corruption in assessing risks to the achievement of objectives
The organization selects and develops general control activities over technology to support the achievement of objectives
The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
Key Points
Identifies key attributes for each principle
Considers relationship to enterprise risk management, allowing for integration of both the COSO ERM and ICIF models
Changes are not major, but will nevertheless require review and potential updates to a number of processes, activities and documentation.
Objectives
17 Principles drawn from the five components of the Framework
All 17 principles apply to each category of objective, as well as to individual objectives within the categories
It is generally expected that all principles will, to some extent, be present and functioning for an organization to have effective internal control
When a principle is not being met, some form of internal control deficiency exists
Establishes accountability
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Monitoring Activities
16. Conducts ongoing and separate evaluations
17. Evaluates and communicates deficiencies
Each principle is supported by attributes, representing characteristics associated with the principle
Each attribute generally is expected to be present
It may be possible to have a principle present and functioning without having every attribute
Principle 2: Board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
1. Establishes Board of Directors Oversight Responsibilities
2. Retains or Delegates Oversight Responsibilities
3. Applies Relevant Expertise
4. Operates Independently
5. Provides Oversight
The board of directors has sufficient members who are independent of the organization and demonstrate objectivity.
V. Path Forward
Timeline, 2011-2012:
Design & Build: Feb to Oct 2011
Public Exposure: Dec 2011 to Mar 2012
Finalize: Apr to Dec 2012
When to Implement
Final version to be issued in late 2012
Monitor for guidance by SEC or other regulators
COSO, quite naturally, believes the advantages of the updated Framework will drive adoption as quickly as possible.
Updating Internal Control Integrated Framework
Thought papers to assist the ERM stakeholders in advancing along the maturity curve of an effective ERM process.
Additional research and guidance on the control environment dealing with behavioral issues and other soft side research issues like rationalization and overconfidence
Providing guidance on internal control in the public sector.
Coming soon:
  Judgment Traps
  ERM and Cloud Computing
  Advances in ERM Risk Assessment and Prioritization Approaches
Questions?
The Institute of Internal Auditors
Richard Chambers, CIA, CGAP, CCSA, CRMA
President & Chief Executive Officer
richard.chambers@theiia.org
Twitter: @RFCHAMBERS