Recent COSO Internal Control and Risk Management Developments
1. Recent COSO Internal Control and Risk Management Developments
IFAC and ISO Panel Discussion
September 24, 2013
David L. Landsittel
Former Chair - COSO
2. About COSO
• Formed in 1985 to sponsor a group to make
recommendations on Fraudulent Financial Reporting
• A joint initiative of five private sector organizations:
▫ American Accounting Association (AAA)
▫ American Institute of Certified Public Accountants (AICPA)
▫ Financial Executives International (FEI)
▫ Institute of Management Accountants (IMA)
▫ The Institute of Internal Auditors (IIA)
3. Mission
COSO’s Mission is “To provide thought leadership
through the development of comprehensive frameworks
and guidance on enterprise risk management,
internal control and fraud deterrence designed to
improve organizational performance and governance
and to reduce the extent of fraud in organizations.”
COSO’s Fundamental Principle
Good risk management and internal control are necessary for the long-term success of all organizations.
4. COSO’s Three Areas of Focus
1. Internal Control
2. Enterprise Risk Management
3. Fraud Deterrence
5. Timeline
1987: Treadway Commission Report
1992: Internal Control – Integrated Framework
1996: Internal Control Issues in Derivatives
1999: Fraud Study I – Fraudulent Financial Reporting: 1987-1997
2004: Enterprise Risk Management Framework
2006: Guidance for Smaller Businesses on Internal Control over Financial Reporting
2009: Guidance on Monitoring Internal Control Systems
2010: Fraud Study II – Fraudulent Financial Reporting: 1998-2007
2010-2013: Recent ERM thought papers on current issues
6. COSO Internal Control Framework
• First published in 1992
• Gained wide acceptance following the financial control failures of the early 2000’s
• Most widely used framework in the US
• Also widely used around the world – translated into 7 languages
7. Why Update What Works?
ICIF Works Well Today: COSO’s Internal Control–Integrated Framework (1992 Edition)
Enhancements:
• Update Objectives – reflect changes in business & operating environments (Updates Context)
• Articulate principles to facilitate effective internal control (Clarifies Requirements)
• Expand operations and reporting objectives (Broadens Application)
ICIF Will Work Better Tomorrow: COSO’s Internal Control–Integrated Framework (2013 Edition)
9. Project Participants
• COSO Board of Directors
• PwC – Author and Project Leader
• COSO Advisory Council:
▫ AICPA
▫ AAA
▫ FEI
▫ IIA
▫ IMA
▫ Public Accounting Firms
▫ Regulatory observers
▫ Others (IFAC, ISACA, others)
• Stakeholder Input:
▫ Survey of over 700 stakeholders and users of the 1992 Internal Control – Integrated Framework
▫ Public exposures of the updated Framework draft and supporting documents
▫ Webcasts, round tables, direct correspondence via icif@us.pwc.com et al
10. Summary of Updates
What is not changing...
1. Definition of internal control
2. Five components of internal control
3. The fundamental criteria used to assess effectiveness of systems of internal control
4. Use of judgment in designing and implementing controls and in evaluating the effectiveness of systems of internal control
What is changing...
1. Updated to reflect the current business environment
2. Formalized fundamental concepts underlying the five components as principles
3. Expanded financial reporting objective to address internal and external, financial and nonfinancial reporting objectives
4. Increased focus on operations and compliance objectives based on user input
11. Summary of Updates
A changing business environment...
• Expectations for governance oversight
• Globalization of markets and operations
• Changes in business models
• Demands and complexity of rules, regulations and standards
• Expectations for competencies and accountabilities
• Use and reliance on evolving technology
• Expectations for preventing and detecting fraud
...drives updates to the Framework.
12. 17 Principles of the Updated ICIF
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
13. Update Articulates Principles of Effective Internal Control
Control Environment
1. The organization demonstrates a commitment to
integrity and ethical values.
2. The board of directors demonstrates independence
from management and exercises oversight of the
development and performance of internal control.
3. Management establishes, with board oversight,
structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of
objectives.
4. The organization demonstrates a commitment to
attract, develop, and retain competent individuals
in alignment with objectives.
5. The organization holds individuals accountable for
their internal control responsibilities in the pursuit
of objectives.
14. Project Deliverables: Internal Control–Integrated Framework
• Consists of three volumes:
▫ Executive Summary
▫ Framework and Appendices
▫ Illustrative Tools: Assessing Effectiveness of a System of Internal Control
• Sets out:
▫ Definition of internal control
▫ Categories of objectives
▫ Components of internal control and related principles and points of focus
▫ Requirements for effectiveness
15. Project Deliverables: Internal Control over External Financial Reporting: A Compendium
• Provides approaches and examples illustrating how the principles are applied in preparing financial statements for external purposes
• Is relevant for a variety of entities – public, private, not-for-profit, and government
• Is consistent with and does not modify the updated Framework
16. The ERM Framework
• Published in 2004
• Based upon a framework with similarities to the COSO 92 framework
• Widely recognized, but not as widely adopted as COSO 92
• Implementation not as robust as COSO 92
17. Some Current ERM Challenges
• Uneven support to adopt any formal risk management process
• Less than robust ERM implementation
• Difficulty “getting started” with ERM implementation
• Difficulty aligning ERM with top management view
• Inadequate board oversight of risk management – and regulatory pressure mounting for better oversight
• Immature development of risk appetite
• Failure to consider low likelihood but high impact risks – overconfidence
18. COSO ERM Response
Our objective – to assist stakeholders in moving up the “maturity curve” of an effective ERM process
Publication of a series of thought papers
19. COSO ERM “Thought Papers”
• Four papers issued in 2009 surveying ERM practices – and particularly practices and recommendations related to board of director oversight
• Four papers in 2011 and 2012 focusing on difficult ERM process implementation issues:
▫ “Getting Started”
▫ Developing Key Risk Indicators
▫ Understanding and Communicating Risk Appetite
▫ Risk Assessment Practices
• Two papers in 2012-2013 dealing with applying ERM to current management issues:
▫ “Cloud” Computing Risks
▫ Sustainability Risks
• A behavioral paper in 2012 dealing with Judgment Biases