
COSO Framework 2013 SOX Compliance - ISACA


COSO Framework 2013 & SOX Compliance Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week – August 19, 2013


Transcription of COSO Framework 2013 SOX Compliance - ISACA

Slide 1: COSO Framework 2013 & SOX Compliance
Roxanne L. Halverson, CISM, CGEIT
Atlanta ISACA Geek Week, August 19, 2013

Slide 2: What's Happened
On May 14, 2013, after a little more than 20 years, the Committee of Sponsoring Organizations of the Treadway Commission (a/k/a COSO) revised its widely used 1992 Framework to update it for the modern realities of how business is carried out two decades later, especially with respect to how technology is used in business. COSO specifically set its transition date and determined it will no longer make its earlier version available after December 15, 2014, to facilitate a transition.

Slide 3: Call to Action
Each publicly traded company subject to SOX Section 404 compliance must gain senior management's alignment & support, assess the impact of the Framework on existing SOX compliance activities, and then complete a timely transition to the updated Framework no later than December 15, 2014.

Slide 4: Background
- Authored by PwC under the direction of COSO
- Widely adopted by organizations around the world
- COSO developed the related illustrative documents to provide tools to assist companies in implementing or evaluating their system of internal control & offer specific approaches & examples as to how the Framework applies to external financial reporting.

Slide 5: Drivers Behind COSO's Refresh Project
- Result of a significant multi-year project
- 2 rounds of public exposure
- Lessons learned from applying the original Framework
- Included lengthy discussions of internal control concepts that are not institutional knowledge
- Concepts of internal control principles may have been embedded in the original Framework; the principles themselves were hidden within the details
- Practitioners have used the Framework primarily for internal control over financial reporting, yet the Framework encompasses 3 major categories of objectives, including operations, overall reporting, and compliance objectives
- Objective was to keep COSO relevant & streamline the original Framework
- Clarify the requirement of effective internal control
- Update the context for applying internal control to many changes in business and operating environments
- Broaden its application by expanding the operations and reporting objectives
- Enhancing usability

Slide 6: Newly Released COSO Documents
- Internal Control-Integrated Framework Executive Summary: Provides a high-level overview of the 2013 Framework & is intended for the CEO & other senior management, BODs and regulators
- Internal Control-Integrated Framework & Appendices: 175 pages that define the Framework in detail. Defines internal control, underlying principles & direction for all levels of mgt.
- Internal Control-Integrated Framework Illustrated Tools for Assessing Effectiveness of a System of Internal Control: Provides templates and scenarios to support mgt. in applying the Framework, specifically in terms of assessing effectiveness.
- Internal Control over External Financial Reporting: A Compendium of Approaches & Examples: Provides practical approaches & examples illustrating how the components & principles in the Framework can be applied in preparing external financial statements. Intended to be used as a resource to research specific principles vs. being read cover to cover

Slide 7: Case for Transition
- COSO Board emphasized that the key concepts and principles defined in the original Framework remain fundamentally sound for designing, implementing, & maintaining systems of internal controls & assessing effectiveness
- Next slides review Fundamentals Retained

Slide 8: Fundamentals Retained
- Report's general organization structure & component chapter structure
- Formal definition of internal control
- COSO Cube
- 5 components that work together in an integrated manner: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities

Slide 9: Fundamental remaining, page 2
- Emphasis that internal control is a process effected by people that can only provide reasonable vs. absolute assurance and has inherent limitations
- Internal control is geared toward achieving specified objectives
- Internal control can be applied at the entity level or any of an entity's units
- Concepts relating to cost-benefit analysis: Mgt needs to use judgment, but cost alone is not an acceptable reason to avoid implementing internal controls
- Discussion of appropriate documentation
- Relationship between the management process & internal control
- Importance of management's judgment in designing, implementing, and conducting internal control, and assessing its effectiveness

Slide 10: One Transition Approach
- Step 1: Develop Awareness, Expertise & Alignment
- Step 2: Conduct Preliminary Impact Assessment
- Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment
- Step 4: Develop and Execute COSO Transition Plan for SOX Compliance
- Step 5: Drive Continuous Improvement

Slide 11: Step 1 - Develop Awareness, Expertise & Alignment
- Provide awareness to senior management to gain their support
- Initial audience: COSO/SOX subject matter experts in your company
- Obtain & review newly released publications (listed on prior slide)
- In addition to those, go to the COSO website ( ), which includes press releases and a Frequently Asked Questions document

Slide 12: Step 1 - Other resources
- Webinars
- Articles
- External auditor
- Networking & building connections with peers at similar companies can benefit you & your teams.

Slide 13: COSO Timeless Concepts
- Updated COSO Cube
- Internal control is a process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance
- Still provides for 3 categories of objectives: Operations, Reporting, Compliance
- Still provides 5 integrated components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities
- Continues to allow a company to consider internal controls from an entity, division, operating unit or function like a shared service center/center of excellence

Slide 14: Expanded Reporting Category
- Under objective categories, the reporting category was expanded to include not only external reporting but internal reporting and nonfinancial reporting objectives
- Explicitly permits use in these other reporting situations even though they aren't directly relevant from a SOX perspective

Slide 15
- The most significant enhancement is the formulation of 17 Principles of internal control, which serve as the criteria for determining whether an entity's internal control is effective
- 1992 Framework conceptually introduced 17 relevant principles associated with the 5 components of internal control
- They are essential in assessing that the 5 components are present & functioning
- These concepts are now explicitly articulated in the 17 principles
- COSO Board believes each principle adds value & is suitable to all entities; presumed relevant
- Document the rationalization if a principle isn't relevant

CONTROL ENVIRONMENT 1.

