
COSO 2013 Internal Control-Integrated Framework
Denese Cahill, Partner, Moss Adams LLP

The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.

MOSS ADAMS LLP | 2

Why is this Session Important?

COSO 1992 has been the most commonly utilized framework for Sarbanes-Oxley (SOX) compliance and will be superseded by COSO 2013 later this year. This session will provide a practical approach to integrating COSO 2013 into your existing SOX compliance efforts to help prevent material weaknesses and promote efficiency with your auditor.

Session Objectives
- Understand key aspects of COSO 2013
- Identify the differences between the 1992 and 2013 frameworks and the areas most widely impacted by these changes
- Provide information and resources to help transition to COSO 2013 in a cost-effective manner while reducing the chances of material weaknesses

Agenda
- Background
  - What is COSO?
  - Reasons for a New COSO Framework
- COSO 2013 Framework
  - What Hasn't Changed? What Has Changed?
- COSO 2013 Implementation Approach
  - Phased Implementation Approach and Integration with SOX Compliance
  - Practical Implementation Techniques, Common Gaps and Misconceptions
- SEC Disclosure and Compliance Requirements
- Summary
- Questions

Sarbanes-Oxley Act Background
- Public Law 107-204, 107th Congress
- Section 404, Management Assessment of Internal Controls, specifies that the SEC is to prescribe annual reporting rules that require a statement of the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
- Most public filers picked the COSO 1992 Framework to define their internal control structure.

Background: What Is COSO?
- Internal Control-Integrated Framework is a four-volume report first published in 1992.
- Became the accepted framework following financial control failures of the early 2000s.
- Most widely adopted SOX 404 framework in the U.S. as a suitable, recognized control framework.
- Use under SOX 404 focused solely on the COSO Financial Reporting objective.

[Figure: Original COSO 1992 Cube]

Background: Reasons for a New COSO Framework
- COSO 1992 was nearly 20 years old and becoming outdated.
- Changes in underlying business environment and associated risks, including:
  - Increased business risks; changing business models
  - Greater use of shared services and outsourced service providers
  - Complexity and change in rules, regulations and standards
  - Reliance on evolving technology
  - Higher expectations for governance oversight, risk management, and detection and prevention of fraud from regulators and stakeholders
- Ongoing development and application of internal control framework, such as:
  - Enrichment of corporate governance and control concepts
  - Significant practical implementation of the COSO 1992 Framework
  - Expansion beyond the strictly financial reporting component
  - Transition to a principles-based approach; codify prior implicit concepts

Background: Reasons for a New COSO Framework

Refreshed Objective | Enhancement
Address significant changes to the business environment and associated risks | Updated, enhanced and clarified Framework
Codify criteria to use in the development and assessment of systems of internal control | Added principles and points of focus
Increase focus on operations, compliance and nonfinancial reporting objectives | Expanded internal and nonfinancial reporting guidance

Result: COSO 2013

COSO 2013 Framework Overview
- Sponsored and funded by the same five organizations as COSO 1992 and authored by PricewaterhouseCoopers
- Significant public comment and revisions to exposure drafts, in addition to the survey of over 700 stakeholders and users of COSO 1992
- COSO 2013 was released in May 2013 and supersedes the 1992 Framework effective December 15, 2014
- Transitions COSO 1992 to a principles-based framework
- Intended to include enhancements and clarification on the 1992 Framework, including both structural and practical application changes
- SOX 404 compliance is not the sole or primary audience/purpose for COSO 2013; broadens the concept of reporting

COSO 2013 Framework Overview

What hasn't changed...
- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components of internal control is required for effective internal control
- Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

What has changed...
- Changes in business and operating environments considered
- Operations and reporting objectives expanded
- Fundamental concepts underlying five components articulated as PRINCIPLES
- Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added

COSO 2013 Framework: What Has Changed?
- 17 explicitly articulated principles associated with the 5 internal control components
  - Objective: To increase Management's understanding as to what constitutes effective internal control
- Added points of focus under each principle
  - Represent important characteristics that support each principle
  - Provide guidance to assist management in assessing whether the components of internal control are present, functioning, and operating together within the organization
  - Provide a much more granular approach, including more detail and clarity on implementation

COSO 2013 Framework: What Has Changed?

A Visual Example of the Structural Hierarchy
- 3 Objectives
- 5 Components
- 17 Principles
- 87 Points of Focus

An entity can achieve effective internal control if all principles are present and functioning and the control components are operating together.

COSO 2013 Framework: What Has Changed?

Components and Principles

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

COSO 2013 Framework: What Has Changed?
- Points of focus represent important characteristics of the respective principles and provide support to the principles to which they pertain.
- Documenting or assessing points of focus is not required for effective internal control.
- Not all of the points of focus relate to SOX considerations.

COSO 2013 Framework: What Has Changed?

Control Environment

1. Demonstrate a commitment to integrity and ethical values.

Points of Focus
a. Sets the tone at the top
b. Establishes standards of conduct
c. Evaluates adherence to standards of conduct
d. Addresses deviations in a timely manner

Approaches
a. Leading by example
b. Evaluates management and other personnel
c. Evaluates outside service providers
d. Develop process to report and promptly act on deviations from Standards of Conduct

COSO 2013 Framework: What Has Changed?
- Increases the importance of the risk assessment
- Emphasizes the use of management judgment
- Increases relevance of technology
- Enhances discussion of governance concepts
  - Board of Directors, Subcommittees of the Board (Audit Committees, Compensation Committees, Governance Committees, etc.)
- Expands reporting category
  - Includes both internal and external financial and nonfinancial reporting objectives
  - Establishes term internal control over external financial reporting (ICEFR) as found in the Compendium

COSO 2013 Framework: What Has Changed?
- Enhances consideration of anti-fraud expectations
  - Considers the potential causes of fraud as a separate principle of internal control
- Increases the focus on nonfinancial reporting objectives
  - Expanded focus on operations, compliance and nonfinancial reporting objectives
- Increased discussion on the impact of other service organizations (e.g., service organizations, joint ventures, etc.)
- Enhances considerations for the use of relevant and quality information

COSO 2013 Implementation Approach

Phase I: Develop Awareness and Alignment
- Understand changes in the COSO Framework
- Establish objectives for performing the COSO 2013 implementation
- Identify implications of the new Framework on the company's internal control structure
- Determine the extent of evaluation needed for SOX 404 compliance
- Communication with external auditor

Phase II: Conduct Assessment
- Map the Framework's 5 components and 17 principles to the existing internal key controls
- Evaluate whether the 5 components and 17 principles exist and are operating individually and together
- Document result of assessment and identify control gaps (if any)
- Identify and assess required changes (if any) in the company's internal controls
- Communication with external auditor

Phase III: Update Documentation
- Update the internal control documentation
- Update the assessment and testing plan
- Conduct testing in conjunction with SOX 404 compliance testing (as needed) to determine if principles are present and functioning
- Communication with external auditor

COSO 2013 Implementation Approach

A Practical Step-by-Step Guide
1. Create a matrix identifying relevant COSO components, principles and points of focus
2. Map existing entity-level key controls (ELCs) to the relevant COSO 2013 principles, using the points of focus for additional detail / description
3. Identify where principles are not addressed by existing key controls or documentation
4. Develop a remediation plan to address design or documentation gaps
5. Document controls that map to each principle and conduct testing as part of SOX

Common Gaps Identified During COSO 2013 Mapping Implementation
- Lack of a documented risk assessment outside of Internal Control Over Financial Reporting (ICFR) (Principle 7)
- Not performing a fraud risk assessment; fraud has been identified as a separate principle of internal control (Principle 8)
- Inappropriate reliance on system-generated data and reports, including nonfinancial data and third-party data (Principle 13); also consistent with the trends from the PCAOB
  - Overdependence on third-party reporting (what COSO considers different business models) without evaluation of the underlying controls performed at the third party
- Informal evaluation and a lack of documentation/testing of the COSO components other than Control Activities
- Inadequate evaluation of internal control under COSO requirements of present and functioning and working in an integrated manner

Misconceptions About COSO 2013

Myth: COSO 2013 requires a clean slate approach to SOX and all new controls.
False. Many controls will remain unchanged. SOX business process and general computer controls fit in the Control Activities component of COSO, which is largely unchanged by COSO 2013. Existing entity-level controls should cover many (but not all) of the other COSO components.

Myth: COSO 2013 is focused on management review controls and reports.
False. This is a specific focus area of the PCAOB. While COSO 2013 is consistent with some of the PCAOB findings (e.g., system-generated reports and data), it is different from the areas recently identified by the PCAOB as SOX 404 audit deficiencies.

Misconceptions About COSO 2013

Myth: You can use all of your existing entity-level control documentation to address COSO 2013 and no testing is required.
False. Additional controls may be needed or require documentation based on your COSO 2013 mapping and assessment. Key controls will need to be tested, and COSO principles will need to be assessed to determine if they are present and functioning.

Myth: COSO 2013 will change your SOX testing methodology.
False. Neither COSO 1992 nor COSO 2013 specify SOX testing methodologies (sample sizes, sample period, etc.).

Misconceptions About COSO 2013

Myth: No changes are required to comply with COSO 2013.
False. At a minimum, implementing COSO 2013 will require a mapping to the new framework. Implementation could include expanding efforts over certain COSO principles or points of focus.

Myth: You absolutely will not receive an SEC comment letter if you don't adopt COSO 2013.
False. We have found no evidence to indicate that the SEC will not provide further guidance on the implementation of COSO 2013 or that issuers will be exempt from comment letters when not adopting the most current COSO Framework.

SEC Disclosure and Compliance Requirements
- As part of the COSO 2013 release in May 2013, COSO included a transition period from release through December 15, 2014.
- The SEC stated last year:
  "The longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer's use of the 1992 framework satisfies the SEC's requirement to use a suitable, recognized framework (particularly after December 15, 2014, when COSO will consider the 1992 framework to have been superseded by the 2013 framework)." [2]
- Companies must clearly disclose in their internal control report which framework was utilized during the current transition period.
  - For example: "criteria established in the Internal Control-Integrated Framework 2013 issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)."
  - Management and external auditor use the same framework.
- Companies must disclose material changes in internal control.

[2] http://www.thecaq.org/docs/reportsandpublications/2013septembe25jointmeetinghls.pdf

Summary
- After 10 years of SOX 404, companies know their key controls.
- Because COSO 2013 provides more detail in the form of 17 principles and 87 points of focus, a mapping of existing controls to the principles needs to be performed and gaps need to be remediated.
- The Moss Adams approach is to map existing controls to the new principles-based framework, identify gaps, remediate and then test similar to entity-level controls in prior years.
- There is work to be completed, but it does not require a fresh start to SOX by either management or the external auditors.
- With COSO 1992 retiring soon and the SEC expecting calendar filers to use and disclose their use of COSO 2013 in 2014, management needs to complete the mapping during Q3 in order to allow time to remediate deficiencies and coordinate with the external auditors.

Resources: Internal Control-Integrated Framework

Three volumes:
- Executive Summary
- Framework and Appendices
- Illustrative Tools for Assessing Effectiveness of a System of Internal Control

Sets out:
- Definition of internal control
- Categories of objectives
- Components and principles of internal control
- Requirements for effectiveness

Resources: Internal Control over External Financial Reporting
- Illustrates approaches and examples of how principles are applied in preparing financial statements
- Considers changes in business and operating environments during past two decades
- Provides examples from a variety of entities: public, private, not-for-profit, and government
- Aligns with the updated Framework

Questions?
Denese Cahill
(209) 955-6104
Denese.Cahill@mossadams.com
