COSO新框架COSOInternal Control–Integrated Framework.ppt

May2013 InternalControl IntegratedFramework TableofContents COSO ProjectOverviewInternalControl IntegratedFrameworkIllustrativeDocumentsIllustrativeToolsforAssessingEffectivenessofaSystemofInternalControlInternalControloverExternalFinancialReporting ACompendiumofApproachesandexamplesTransition ImpactRecommendedActionsQuestions Comments COSO ProjectOverview COSOOverview InternalControlPublications 1992 2006 2009 2013 OriginalFramework COSO sInternalControl IntegratedFramework 1992Edition RefreshObjectives UpdatedFramework COSO sInternalControl IntegratedFramework 2013Edition Whyupdatewhatworks TheFrameworkhasbecomethemostwidelyadoptedcontrolframeworkworldwide UpdatesContext Enhancements Reflectchangesinbusiness operatingenvironments Expandoperationsandreportingobjectives Projecttimetable Assess SurveyStakeholders Design Build PublicExposure Assess Refine Finalize 2010 2011 2012 2013 Projectparticipants COSOBoardofDirectors COSOAdvisoryCouncilAICPAAAAFEIIIAIMAPublicAccountingFirmsRegulatoryobservers SEC GAO FDIC PCAOB Others IFAC ISACA others PwCAuthor ProjectLeader StakeholdersOver700stakeholdersinFrameworkrespondedtoglobalsurveyduring2011Over200stakeholderspublicallycommentedonproposedupdatestoFrameworkduringfirstquarterof2012Over50stakeholderspublicallycommentedonproposedupdatesinlastquarterof2012 Projectdeliverable 1 InternalControl IntegratedFramework 2013Edition Consistsofthreevolumes ExecutiveSummaryFrameworkandAppendicesIllustrativeToolsforAssessingEffectivenessofaSystemofInternalControlSetsout DefinitionofinternalcontrolCategoriesofobjectivesComponentsandprinciplesofinternalcontrolRequirementsforeffectiveness Projectdeliverable 2 InternalControloverExternalFinancialReporting ACompendium IllustratesapproachesandexamplesofhowprinciplesareappliedinpreparingfinancialstatementsConsiderschangesinbusinessandoperatingenvironmentsduringpasttwodecadesProvidesexamplesfromavarietyofentities public private not for profit andgovernmentAlignswiththeupdatedFramework InternalControl IntegratedFramework Updateexpectedtoincreaseeaseofuseandbroadenapplication COSOCube 2013Edition Updateconsiderschangesinbusinessandoperatingenvironments ControlEnvironment RiskAssessment ControlActivities Information Communication MonitoringActivities Updatearticulatesprinciplesofeffectiveinternalcontrol DemonstratescommitmenttointegrityandethicalvaluesExercisesoversightresponsibilityEstablishesstructure authorityandresponsibilityDemonstratescommitmenttocompetenceEnforcesaccountability SpecifiessuitableobjectivesIdentifiesandanalyzesriskAssessesfraudriskIdentifiesandanalyzessignificantchange Selectsanddevelopscontrolactivities11 SelectsanddevelopsgeneralcontrolsovertechnologyDeploysthroughpoliciesandprocedures UsesrelevantinformationCommunicatesinternallyCommunicatesexternally Conductsongoingand orseparateevaluationsEvaluatesandcommunicatesdeficiencies ControlEnvironment Updatearticulatesprinciplesofeffectiveinternalcontrol continued Theorganizationdemonstratesacommitmenttointegrityandethicalvalues Theboardofdirectorsdemonstratesindependencefrommanagementandexercisesoversightofthedevelopmentandperformanceofinternalcontrol Managementestablishes withboardoversight structures reportinglines andappropriateauthoritiesandresponsibilitiesinthepursuitofobjectives Theorganizationdemonstratesacommitmenttoattract develop andretaincompetentindividualsinalignmentwithobjectives Theorganizationholdsindividualsaccountablefortheirinternalcontrolresponsibilitiesinthepursuitofobjectives 6 Theorganizationspecifiesobjectiveswithsufficientclaritytoenabletheidentificationandassessmentofrisksrelatingtoobjectives 7 Theorganizationidentifiesriskstotheachievementofitsobjectivesacrosstheentityandanalyzesrisksasabasisfordetermininghowtherisksshouldbemanaged 8 Theorganizationconsidersthepotentialforfraudinassessingriskstotheachievementofobjectives 9 Theorganizationidentifiesandassesseschangesthatcouldsignificantlyimpactthesystemofinternalcontrol RiskAssessment Updatearticulatesprinciplesofeffectiveinternalcontrol continued 10 Theorganizationselectsanddevelopscontrolactivitiesthatcontributetothemitigationofriskstotheachievementofobjectivestoacceptablelevels 11 Theorganizationselectsanddevelopsgeneralcontrolactivitiesovertechnologytosupporttheachievementofobjectives Theorganizationdeployscontrolactivitiesthroughpoliciesthatestablishwhatisexpectedandproceduresthatputpoliciesintoplace ControlActivities Updatearticulatesprinciplesofeffectiveinternalcontrol continued 13 Theorganizationobtainsorgeneratesandusesrelevant qualityinformationtosupportthefunctioningofinternalcontrol 14 Theorganizationinternallycommunicatesinformation includingobjectivesandresponsibilitiesforinternalcontrol necessarytosupportthefunctioningofinternalcontrol Theorganizationcommunicateswithexternalpartiesregardingmattersaffectingthefunctioningofinternalcontrol Information Communication Updatearticulatesprinciplesofeffectiveinternalcontrol continued 16 Theorganizationselects develops andperformsongoingand orseparateevaluationstoascertainwhetherthecomponentsofinternalcontrolarepresentandfunctioning Theorganizationevaluatesandcommunicatesinternalcontroldeficienciesinatimelymannertothosepartiesresponsiblefortakingcorrectiveaction includingseniormanagementandtheboardofdirectors asappropriate MonitoringActivities Updatearticulatesprinciplesofeffectiveinternalcontrol continued Updateclarifiesrequirementsforeffectiveinternalcontrol Effectiveinternalcontrolprovidesreasonableassuranceregardingtheachievementofobjectivesandrequiresthat EachcomponentandeachrelevantprincipleispresentandfunctioningThefivecomponentsareoperatingtogetherinanintegratedmannerEachprincipleissuitabletoallentities allprinciplesarepresumedrelevantexceptinraresituationswheremanagementdeterminesthataprincipleisnotrelevanttoacomponent e g governance technology ComponentsoperatetogetherwhenallcomponentsarepresentandfunctioningandinternalcontroldeficienciesaggregatedacrosscomponentsdonotresultinoneormoremajordeficienciesAmajordeficiencyrepresentsaninternalcontroldeficiencyorcombinationthereofthatseverelyreducesthelikelihoodthatanentitycanachieveitsobjectives Updatedescribesimportantcharacteristicsofprinciples e g Pointsoffocusmaynotbesuitableorrelevant andothersmaybeidentifiedPointsoffocusmayfacilitatedesigning implementing andconductinginternalcontrolThereisnorequirementtoseparatelyassesswhetherpointsoffocusareinplace ControlEnvironment Theorganizationdemonstratesacommitmenttointegrityandethicalvalues PointsofFocus SetstheToneattheTopEstablishesStandardsofConductEvaluatesAdherencetoStandardsofConductAddressesDeviationsinaTimelyManner Updatedescribestheroleofcontrolstoeffectprinciples TheFrameworkdoesnotprescribecontrolstobeselected developed anddeployedforeffectiveinternalcontrolAnorganization sselectionofcontrolstoeffectrelevantprinciplesandassociatedcomponentsisafunctionofmanagementjudgmentbasedonfactorsuniquetotheentityAmajordeficiencyinacomponentorprinciplecannotbemitigatedtoanacceptablelevelbythepresenceandfunctioningofothercomponentsandprinciplesHowever understandingandconsideringhowcontrolseffectmultipleprinciplescanprovidepersuasiveevidencesupportingmanagement sassessmentofwhethercomponentsandrelevantprinciplesarepresentandfunctioning Updatedescribeshowvariouscontrolseffectprinciples e g ControlEnvironment 1 Theorganizationdemonstratesacommitmenttointegrityandethicalvalues ComponentPrincipleControlsembeddedinothercomponentsmayeffectthisprinciple HumanResourcesreviewemployees confirmationstoassesswhetherstandardsofconductareunderstoodandadheredtobystaffacrosstheentityControlEnvironment Managementobtainsandreviewsdataandinformationunderlyingpotentialdeviationscapturedinwhistleblowerhot linetoassessqualityofinformationInformation Communication InternalAuditseparatelyevaluatesControlEnvironment consideringemployeebehaviorsandwhistleblowerhotlineresultsandreportsthereonMonitoringActivities Summaryofpublicexposureofproposedupdate Interestacrossgeographicregions approximately50 ofrespondentsfromNorthAmericaand50 frominternationalregionsProposedupdatestoFrameworkreleasedforpubliccomments December20 2011toMarch31 2012September18 2012toDecember4 2012COSOsoughtcommentsfromthegeneralpubliconproposedupdates includingwhetherthe RequirementsofeffectiveinternalcontrolareclearlysetforthRolesofcomponents principles andpointsoffocusareclearlysetforthFrameworkremainssound logical andusefultomanagementofentitiesofalltypesandsizesPubliccommentlettersavailableatwww ic coso orguntilDec 31 2013 Updatesareresponsivetopubliccomments PrinciplesProvideclarityregardingtheroleofprinciplesindesigning implementing andconductinginternalcontrol andassessingitseffectivenessClarifydescriptionsofsomeprinciples butnoadditionalprinciplesEffectivenessRecognizeeffectiveinternalcontrolcanprovidereasonableassuranceofachievingeffectiveandefficientoperationsobjectives asnotedbefore ClarifyrequirementthateachofthecomponentsandrelevantprinciplesmustbepresentandfunctioningandcomponentsmustoperatingtogetherRemovepresumptionthatpointsoffocusarepresentandfunctioning andclarifythatnoseparateassessmentofpointsoffocusisrequiredStandardizeclassificationofinternalcontroldeficiencies andclarifyuseofonlyrelevantcriteriaestablishedinlaws rules regulationsandstandards Updatesareresponsivetopubliccomments continued ObjectiveSettingRetainfivecomponentsofinternalcontrolRetainspecificationofobjectivesasaprincipleofeffectiveinternalcontrol butobjectivesettingmaybedrivenbylaws rules regulations orexternalstandardsthatareoutsideasystemofinternalcontrolObjectivesRetainviewthatsafeguardingofassetsprimarilyrelatestooperationsobjectives andrecognizeitsconsiderationwithinreportingandcomplianceAcknowledgesomelawsrules regulationsandstandardsestablishsafeguardingofassetsasaseparatecategoryofobjectivesRetainviewthatstrategicobjectivesisnotpartofinternalcontrolRetainoperations reporting andcomplianceobjectivecategories andexpanddescriptions Updatesareresponsivetopubliccomments continued EnterpriseRiskManagement ERM RetaindistinctionbetweenERMandinternalcontrol andacknowledgetheseframeworksarecomplementaryRetainviewthatstrategy setting strategicobjectives andriskappetiteareaspectsofERM notInternalControl IntegratedFrameworkRetaindiscussionofriskappetiteandapplicationofrisktoleranceSmallerEntitiesandGovernments Provideadditionalguidancespecifictosmallerentitiesandgovernments AppendixC TechnologyExpanddiscussioninthepointsoffocusandinseveralchaptersDeclinesuggestiontoaddressriskassociatedwithspecifictechnologiesbecauseoftherapidpaceofchange Updatesareresponsivetopubliccomments continued StructureandLayout Retainviewthatallchapters1 10comprisetheFrameworkDueProcess COSObelievestherehasbeenasubstantivedueprocessefforttocaptureviewsonproposedupdateSurveyedstakeholderstoascertainpreferencesconcerningnatureandextentofneededupdates 700responses December2010toSeptember2011 ConductedelevenmeetingswithCOSOAdvisoryCouncilProvidedexposuredraftsofproposedupdatesforpubliccomments December2011toMarch2012 andSeptembertoDecember2012 Participatedinmanyconferences webinars andseminarswithmembershipofCOSOtoseekviewsofstakeholders January2011toJanuary2013 IllustrativeDocuments IllustrativeToolsforAssessingEffectivenessofaSystemofInternalControlInternalControloverExternalFinancialReporting ACompendiumofApproachesandExamples IllustrativeToolsforAssessingEffectivenessofaSystemofInternalControl AssistuserswhenassessingeffectivenessofinternalcontrolbasedontherequirementssetforthintheFrameworkTemplatesillustrateapossiblesummaryofassessmentresultsScenariosillustratepracticalexamplesofhowthetemplatescanbeusedtosupportanassessmentandimportantconsiderationsinperforminganassessmentFocusonevaluatingcomponentsandrelevantprinciples nottheunderlyingcontrolsthataffectrelevantprinciplesCannotsatisfycriteriaestablishedthroughlaws rules regulations orexternalstandardsforevaluatingtheseverityofinternalcontroldeficienciesCancustomizelevelandamountofdetailincludedinthetemplatesasmanagementmaydeemnecessary InternalControloverExternalFinancialReporting ICEFR ACompendiumofApproachesandExamples ApproachesandExamplesillustratehowvariouscharacteristicsofprinciplesmaybepresentandfunctioningwithinasystemofinternalcontrolrelatingtoexternalfinancialreportingApproachesaredesignedtogiveasummary leveldescriptionofactivitiesthatmanagementmayconsiderastheyapplytheFrameworkExamplesillustrateoneormorepointsoffocusofaparticularprinciple Theyarenotdesignedtoprovideacomprehensive end to endexampleofhowaprinciplemaybefullyappliedinpractice SelectedapproachesandexamplesdonotillustrateallaspectsofcomponentsandrelevantprinciplesthatwouldbenecessaryforeffectiveinternalcontrolStakeholdersshouldrefertotheFrameworkfortherequirementsofeffectiveinternalcontrolCompendiumsupplementsandcanbeusedinconcert SummaryofpublicexposureoftheIllustrativeDocuments ProposedInternalControloverExternalFinancialReporting CompendiumofApproachesandExampleswasreleasedforpubliccommentfromSeptember18 2012toDecember4 2012InconjunctionwiththepublicexposureofICEFRCompendium COSOmadeavailablerevisedversionsofthepreviouslyexposedFrameworkandAppendicesandExecutiveSummaryCOSOmadeavailabletheproposedIllustrativeToolsforAssessingEffectivenessofaSystemofInternalControlCOSOsoughtcommentsfromthegeneralpubliconrelevanttopicsPubliccommentlettersavailableatwww ic coso orguntilDec 31 2013 Illustrativedocumentsareresponsivetopubliccomments ICEFR ACompendiumofApproachesandExamplesAddorclarifyspecificexamples including EstablishingresponsibilitiesforreviewingfinancialstatementsMonitoringinvestigationandreportingofwhistleblowerallegationsMonitoringidentificationandprotectionofsensitivefinancialinformationMonitoringidentificationandanalysisofriskofmaterialmisstatementduetofraudAddressarisk basedapproachforachievingexternalfinancialreportingobjectivesSpecifysuitableobjectivesforexternalfinancialreportingRiskstoachievingsuitableobjectivesResponsestorisks Transition Impact Transition Impact UsersareencouragedtotransitionapplicationsandrelateddocumentationtotheupdatedFrameworkassoonasfeasibleUpdatedFrameworkwillsupersedeoriginalFrameworkattheendofthetransitionperiod i e December15 2014 Duringthetransitionperiod externalreportingshoulddisclosewhethertheoriginalorupdatedversionoftheFrameworkwasusedImpactofadoptingtheupdatedFrameworkwillvarybyorganizationDoesyoursystemofinternalcontrolneedtoaddresschangesinbusiness Doesyoursystemofinternalcontrolneedtobeupdatedtoaddressallprinciples DoesyourorganizationapplyandinterprettheoriginalframeworkinthesamemannerasCOSO Isyourorganizationconsideringnewopportunitiestoapplyinternalcontroltocoveradditionalobjectives Transition Impact continued Theprinciples basedapproachprovidesflexibilityinapplyingtheFrameworktomultiple overlappingobjectivesacrosstheentityEasiertoseewhatiscoveredandwhatismissingFocusonprinciplesmayreducelikelihoodofconsideringsomethingthat sirrelevantUnderstandingtheimportanceofspecifyingsui