COSO Placemat Deloitte PDF

Title COSO Placemat Deloitte
Course Financial Management II
Institution Centro Escolar University
Pages 2




COSO 2013 Framework on Internal Control: Prepare for the changes

On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated 2013 Internal Control-Integrated Framework (the “2013 Framework”). The 2013 Framework retains the core definition of internal control and the five components of internal control, while adding enhancements and clarifications intended to ease use and application. One of the most significant changes in the 2013 Framework is that the key fundamental concepts introduced in the original framework are now stated as principles, each associated with one of the five components, which provides clarity for designing and implementing systems of internal control and for understanding the requirements for effective internal control. The 2013 Framework presumes that, because the 17 principles are fundamental concepts of the five components, all 17 are relevant to all entities and need to be present, functioning, and operating together in an integrated manner for the system of internal control to be effective.

The five components of internal control and related 17 principles

The placemat depicts the five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) applied at both the entity level and the operating unit level.

Control environment

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

2013 Framework and guidance — Key areas of focus

Specific significant enhancements to internal control concepts included in the 2013 Framework:

Risk assessment
• More detailed discussions about risk assessment concepts, including those related to inherent risk, risk tolerance, how risks may be managed, and the linkage between risk assessment and control activities
• Considering the potential for fraud risk when assessing risks to the achievement of an organization’s objectives

Outsourced service providers (OSPs)
• Considerations related to OSPs are included throughout the framework, including in 12 out of 17 principles
• Requires management to specifically consider how OSPs are monitored

Information technology (IT)
• Considerations related to IT are included in 14 out of 17 principles
• Discussion of using IT to assist in continuous monitoring within the system of internal control (i.e., use of data analytics)
• Requirements for ensuring the quality of information (i.e., data integrity)

Client considerations and next steps: The four-step approach
• Understand and educate
• Assess
• Plan and implement
• Communicate

COSO will continue to make available the 1992 Framework until December 15, 2014, after which time it will consider it to be superseded. Companies applying and referencing COSO’s internal control framework for purposes of complying with Section 404 of the Sarbanes-Oxley Act of 2002 should consider COSO’s transition guidance.

Key contacts
• Rich Milo, AERS Principal, [email protected], Deloitte & Touche LLP
• John G. Giakouminakis, AERS Senior Manager, [email protected], Deloitte & Touche LLP
• Traci Mizoguchi, AERS Senior Manager, [email protected], Deloitte & Touche LLP
• Jimmy Yu, AERS Senior Manager, [email protected], Deloitte & Touche LLP

17 COSO principles and related 87 points of focus (i.e., characteristics that may assist in designing, implementing, and conducting internal control and in assessing whether the principles are present and functioning)

Each principle is listed below with its points of focus.

Control environment

1. The organization demonstrates a commitment to integrity and ethical values.
• Sets the tone at the top
• Establishes standards of conduct
• Evaluates adherence to standards of conduct
• Addresses deviations in a timely manner

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
• Establishes oversight responsibilities
• Applies relevant expertise
• Operates independently
• Provides oversight for the system of internal control

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
• Considers all structures of the entity
• Establishes reporting lines
• Defines, assigns, and limits authorities and responsibilities

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
• Establishes policies and practices
• Evaluates competence and addresses shortcomings
• Attracts, develops, and retains individuals
• Plans and prepares for succession

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
• Enforces accountability through structures, authorities, and responsibilities
• Establishes performance measures, incentives, and rewards
• Evaluates performance measures, incentives, and rewards for ongoing relevance
• Considers excessive pressures
• Evaluates performance and rewards or disciplines individuals

Risk assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Operations objectives
• Reflects management’s choices
• Considers tolerances for risk
• Includes operations and financial performance goals
• Forms a basis for committing of resources

External financial reporting objectives
• Complies with applicable accounting standards
• Considers materiality
• Reflects entity activities

External non-financial reporting objectives
• Complies with externally established standards and frameworks
• Considers the required level of precision
• Reflects entity activities

Internal reporting objectives
• Reflects management’s choices
• Considers the required level of precision
• Reflects entity activities

Compliance objectives
• Reflects external laws and regulations
• Considers tolerances for risk

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
• Includes entity, subsidiary, division, operating unit, and functional levels
• Analyzes internal and external factors
• Involves appropriate levels of management
• Estimates significance of risks identified
• Determines how to respond to risks

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
• Considers various types of fraud
• Assesses incentives and pressures
• Assesses opportunities
• Assesses attitudes and rationalizations

9. The organization identifies and assesses changes that could significantly impact the system of internal control.
• Assesses changes in the external environment
• Assesses changes in the business model
• Assesses changes in leadership

Control activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
• Integrates with risk assessment
• Considers entity-specific factors
• Determines relevant business processes
• Evaluates a mix of control activity types
• Considers at what level activities are applied
• Addresses segregation of duties

11. The organization selects and develops general control activities over technology to support the achievement of objectives.
• Determines dependency between the use of technology in business processes and technology general controls
• Establishes relevant technology infrastructure control activities
• Establishes relevant security management process control activities
• Establishes relevant technology acquisition, development, and maintenance process control activities

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
• Establishes policies and procedures to support deployment of management’s directives
• Establishes responsibility and accountability for executing policies and procedures
• Performs in a timely manner
• Takes corrective action
• Performs using competent personnel
• Reassesses policies and procedures

Information and communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
• Identifies information requirements
• Captures internal and external sources of data
• Processes relevant data into information
• Maintains quality throughout processing
• Considers costs and benefits

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
• Communicates internal control information
• Communicates with the board of directors
• Provides separate communication lines
• Selects relevant method of communication

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
• Communicates to external parties
• Enables inbound communications
• Communicates with the board of directors
• Provides separate communication lines
• Selects relevant method of communication

Monitoring activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
• Considers a mix of ongoing and separate evaluations
• Considers rate of change
• Establishes baseline understanding
• Uses knowledgeable personnel
• Integrates with business processes
• Adjusts scope and frequency
• Objectively evaluates

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
• Assesses results
• Communicates deficiencies
• Monitors corrective actions

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright © 2013 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document....
