Co So Deep Dive March 6 Training 2014


Diving into the 2013 COSO Framework
Presented by: Ronald A. Conrad

Mission: To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.

Objectives
Obtain an understanding of why the COSO
Framework has been updated
Understand how the framework has changed
Identify the Principles of the new framework and
the associated Points of Focus
Consider how the new Framework may affect
your organization
Discuss next steps to implement the new
framework

General Definition of Internal Control
Process for assuring achievement of objectives in operational
effectiveness and efficiency, reliable reporting and compliance
Everything that controls risks to an organization
Means by which resources are directed, maintained and
measured
Important role in preventing and detecting fraud and
protecting resources
Continues to expand and change
New controls address new ways of breaking old controls
Enhancements of methodologies to address these, such as:
COSO framework
Fraud triangle

The Fraud Triangle

Internal Control - Fraud Detection Methods
(Chart: 2012 by the Association of Certified Fraud Examiners, Inc.)

Internal Control - New Draft Florida House and Senate Bill
House and Senate Bills currently in draft form that will add a new subsection 3 to Florida Statute 218.33, requiring local governments to establish and maintain internal controls designed to:
Prevent and detect fraud, waste and abuse
Promote and encourage compliance with laws, rules, contracts, grant agreements and best practices
Support economic and efficient operations
Ensure reliability of financial records and reports
Safeguard assets

Internal Control for Grants - New Uniform Grant Guidance

The new Super Circular requirements for grants provide that internal controls over grant compliance should be in compliance with the Internal Control - Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Uniform Grant FAQ 200.303-1

Question - Should vs Must and Internal Controls
According to auditing standards, "should" really means "must unless there is a well-documented reason why not". Is this the case in the Uniform Guidance? Does the "should" in section 200.303 referencing guidance provided by GAO and COSO really mean "must"?

Answer
No. The word "must" is used throughout part 200 to indicate requirements. The word "should" is used to indicate best practices or recommended approaches that the COFAR wanted non-Federal entities to be aware of, but not necessarily required to comply with.

About COSO
Committee of Sponsoring Organizations
Formed in 1985 to sponsor the National Commission on
Fraudulent Financial Reporting
AKA the Treadway Commission

Joint initiative of five private sector organizations


Mission
To provide thought leadership through the development of
comprehensive frameworks and guidance on enterprise risk
management, internal control and fraud deterrence
designed to improve organizational performance and
governance and to reduce the extent of fraud in
organizations.

COSO - Sponsoring Organizations

How Does COSO Help?

Provides a means to apply internal control to any type of entity, regardless of industry or legal structure, at the levels of entity, operating unit, or function
Provides flexibility and allows for judgment in designing, implementing, and conducting internal control; can be applied at the entity, operating, and functional levels
A means to identify and analyze risks, and to
develop and manage appropriate responses to
risks within acceptable levels and with a greater
focus on anti-fraud measures

COSO is Principles Based

The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control.
An organization's selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity.

The Original Framework

First published in 1992
Gained wide acceptance in early 2000s with passage of Sarbanes-Oxley
Most widely used internal control framework in U.S.
Widely used around the world

COSO Framework (1992)

Categories of Objectives:
Operations: Achievement of an entity's basic mission and vision
Financial Reporting: Preparation of financial reports for use by external organizations and stakeholders
Compliance: Actions taken to comply with applicable laws and regulations

The 5 COSO Components (1992)

1. Control Environment: Governing Body, Organizational Structure
2. Risk Assessment: Risk Identification and Analysis
3. Control Activities: Policies and Procedures, Change Management
4. Information and Communication: Quality of Information and Effectiveness of Communication
5. Monitoring: On-going Monitoring, Evaluations

Why The Update?

Responded to Changes in Business, Operating and Regulatory Environments
Use of, and reliance on, evolving technologies
Changes in business models
Changes and greater complexities of business
Expectations relating to preventing and detecting fraud
Globalization of markets and operations
Expectations for governance oversight
Demands and complexity in laws, rules, regulations, and standards
Expectations for competencies and accountabilities

Technology Then and Now
(Figure: technology in 1992 compared with 2013)


Focus on Fraud
Putting fraud right out in the forefront.
A business's control structure must now address
issues of fraud directly.

Outsourcing
More companies are outsourcing key portions of their business processes or controls to third parties.
The updated Framework includes expanded guidance and considerations relating to outside resources, such as third-party processors.

Changes
Update considers changes in business and operating environments.
Environment changes that have driven Framework updates:
Expectations for governance oversight
Globalization of markets and operations
Changes and greater complexity in business
Demands and complexities in laws, rules, regulations, and standards
Expectations for competencies and accountabilities
Use of, and reliance on, evolving technologies
Expectations relating to preventing and detecting fraud

COSO Cube (2013 Edition)

Update expected to increase ease of use and broaden application

What is not changing...
Core definition of internal control
Three categories of objectives and five components of internal control
Each of the five components of internal control is required for effective internal control
Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

What is changing...
Changes in business and operating environments considered
Operations and reporting objectives expanded
Fundamental concepts underlying five components articulated as principles
Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added

Core Definition of Internal Control
Retains core definition of internal control:
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

COSO Comparison
COSO Internal Control - Integrated Framework (1992 vs 2013)


Objectives
Operations Objectives: effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss
Reporting Objectives: internal and external financial and non-financial reporting; may encompass reliability, timeliness, transparency, or other terms set forth by regulators, recognized standard setters, or the entity's policies
Compliance Objectives: adherence to laws and regulations to which the entity is subject

Objectives
Reporting objectives may relate to financial or non-financial reporting and to internal and external reporting:

External - Financial Reporting:
Annual Financial Statements
Interim Financial Statements
Earnings Releases
Internal Control Report

External - Non-Financial Reporting:
Sustainability Report
Supply Chain / Custody of Assets

Internal - Financial Reporting:
Divisional Financial Statements
Cash Flow / Budgets
Bank Covenant Calculations

Internal - Non-Financial Reporting:
Staff / Asset Utilization
Customer Satisfaction Surveys
Key Risk Indicator Dashboards

Components & Principles

Principles
Each principle is suitable to all
entities
All principles are presumed
relevant except in rare
situations where management
determines that a principle is
not relevant to a component
(e.g., governance, technology)

Relationship of Objectives & Components
A direct relationship exists between objectives, components and organizational structure

Points of Focus
Points of focus may not be
suitable or relevant, and others
may be identified
Points of focus may facilitate
designing, implementing, and
conducting internal control
There is no requirement to
separately assess whether
points of focus are in place

Points of Focus

Principle 1 (control environment)
Demonstrates a commitment to integrity and ethical values
Points of Focus:
Sets the Tone at the Top
Establishes Standards of Conduct
Evaluates Adherence to Standards of Conduct
Addresses Deviations in a Timely Manner

Principle 1 Example Questions

Are standards of conduct established and followed?
Do standards cover key areas of risk and control objectives?
Should the standards be modified to address matters that have occurred or may occur?
Is there a whistle-blower policy?
What happens if standards of conduct are not followed?
Are deviations from conduct standards recurring?

Principle 2 (control environment)
Exercises Oversight Responsibility
Points of Focus:
Establishes Oversight Responsibilities
Applies Relevant Experience
Operates Independently
Provides Oversight for System of Internal Control

Principle 2 Example Questions

Are methods of oversight adequate to timely identify and address matters?
Is the structure for oversight adequate, including independence?
Is there evaluation as to whether oversight is properly functioning?

Principle 3 (control environment)
Establishes Structure, Authority and Responsibility
Points of Focus:
Considers All Structures of the Entity
Establishes Reporting Lines
Defines, Assigns, and Limits Authorities & Responsibilities

Principle 3 Example Questions

Are structures adequate to provide reasonable assurance control objectives are met?
Are reporting lines clearly established?
Are roles and responsibilities clearly established?
Are control objectives adequately covered by roles and responsibilities?
Is anyone monitoring changes to requirements?

Principle 4 (control environment)
Demonstrates Commitment to Competence
Points of Focus:
Establishes Policies and Practices
Evaluates Competence and Addresses Shortcomings
Attracts, Develops and Retains Individuals
Plans and Prepares for Succession

Principle 4 Example Questions

Is the work environment positive?
Is personnel retention appropriate?
Are policies and procedures in place to ensure an environment that furthers competence?
Hiring practices
Training
Collaboration
Job descriptions and policies and procedures manuals
Evaluations and plans for development
Cross-training of functions

Principle 5 (control environment)
Enforces Accountability
Points of Focus:
Enforces Accountability through Structures, Authorities and Responsibilities
Establishes Performance Measures, Incentives, and Rewards
Considers Excessive Pressures
Evaluates Performance and Rewards or Disciplines Individuals

Principle 5 Example Questions

Is there appropriate reporting and monitoring to ensure accountability?
Is it readily apparent where accountability lies?
Are performance measures adequately established?
Are there appropriate incentives to meet performance measures?

Principle 6 (risk assessment)
Specifies Suitable Objectives
Points of Focus:
Reflects Management's Choices
Considers Tolerances for Risk
Includes Operations and Financial Performance Goals
Forms a Basis for Committing of Resources
Complies with Applicable Accounting Standards
Considers Materiality
Reflects Entity Activities
Complies with Externally Established Standards and Frameworks
Considers the Required Level of Precision
Reflects External Laws and Regulations

Principle 6 Example Questions

Is a risk assessment program in place?
Are risks identified sufficient to cover control objectives and operational and performance goals?
Are risks periodically evaluated?
Are risk tolerance and costs versus benefits sufficiently considered?
Is a risk assessment formally documented?

Risk Assessment
Potential objectives (House and Senate Draft Bill):
Prevent and detect fraud, waste and abuse
Promote and encourage compliance with laws, rules, contracts, grant agreements and best practices
Support economic and efficient operations
Ensure reliability of financial records and reports
Safeguard assets
Possible other objectives:
Report information within applicable deadlines
Limit negative public perceptions

Principle 7 (risk assessment)
Identifies and Analyzes Risk
Points of Focus:
Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
Analyzes Internal and External Factors
Involves Appropriate Levels of Management
Estimates Significance of Risks Identified
Determines How to Respond to Risks

Principle 7 Example Questions

Is there appropriate personnel involvement to adequately identify risks?
Are risks identified by level of significance?
Is the risk assessment sufficiently comprehensive?
Is there a plan to respond to risks identified?

Risk Assessment Considerations

Identification and analysis of risk, including risk due to change and fraud risk
Risks due to regulatory change (e.g. Uniform Grant Requirements, accounting requirements and statutory changes)
Risks related to contract compliance (e.g., grants and debt covenants)
Risks related to personnel changes, off-site communications or structural changes
Risks related to recording of routine transactions (e.g., receipts and disbursements) and non-routine transactions (e.g., journal entries)
Changing risks associated with information technology

Risk Assessment Considerations

Other typical areas of identified risks:
Basic controls over information technology
Debt covenant compliance
Accounting and compliance considerations for new regulatory requirements
Unusual estimates
Related party transactions
Inadequate segregation of duties
Areas particularly prone to public scrutiny

Principle 8 (risk assessment)
Assesses Fraud Risk
Points of Focus:
Considers Various Types of Fraud
Assesses Incentives and Pressures
Assesses Opportunities
Assesses Attitudes and Rationalizations

Fraud Prevention and Detection Techniques
Train employees in fraud prevention:
warning signs of suspicious behavior
procedures for reporting suspicious activities
basic fraud prevention techniques
through live training and ongoing communications
Conduct audits, including high risk areas and surprise audits
Hotlines, mandatory vacations, job rotation

Principle 9 (risk assessment)
Identifies and Analyzes Significant Change
Points of Focus:
Assesses Changes in External Environment
Assesses Changes in the Business Model
Assesses Changes in Leadership

Principle 10 (control activities)
Selects and Develops Control Activities
Points of Focus:
Integrates with Risk Assessment
Considers Entity-Specific Factors
Determines Relevant Business Processes
Evaluates a Mix of Control Activity Types
Considers at What Level Activities are Applied
Addresses Segregation of Duties

Principle 11 (control activities)
Selects and Develops Controls Over Technology
Points of Focus:
Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
Establishes Relevant Technology Infrastructure Control Activities
Establishes Relevant Security Management Process Control Activities
Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

Principle 12 (control activities)
Deploys Through Policies and Procedures
Points of Focus:
Establishes Policies and Procedures to Support Deployment of Management Directives
Establishes Responsibility and Accountability for Executing Policies and Procedures
Performs in a Timely Manner
Takes Corrective Action
Performs Using Competent Personnel
Reassesses Policies and Procedures

Control Activities Considerations
Selection and development:
Risk considerations
Preventive and detective controls to address identified risks
Levels of involvement
Need for consultation
Controls over technology requirements
Policies and procedures:
Timely performance, accountability, prevention and detection controls and corrective actions

Principle 13 (information/comm)
Uses Relevant Information
Points of Focus:
Identifies Information Requirements
Captures Internal and External Sources of Data
Processes Relevant Data into Information
Maintains Quality throughout Processing
Considers Costs and Benefits

Principle 14 (information/comm)
Communicates Internally
Points of Focus:
Communicates Internal Control Information
Communicates with the Board of Directors
Provides Separate Communication Lines
Selects Relevant Method of Communication

Principle 15 (information/comm)
Communicates Externally
Points of Focus:
Communicates to External Parties
Enables Inbound Communications
Communicates with the Board of Directors
Provides Separate Communication Lines
Selects Relevant Method of Communication

Principle 16 (monitoring activities)
Conducts Ongoing and Separate Evaluations
Points of Focus:
Considers a Mix of Ongoing and Separate Evaluations
Considers Rate of Change
Establishes Baseline Understandings
Uses Knowledgeable Personnel
Integrates with Business Processes
Adjusts Scope and Frequency
Objectively Evaluates

Principle 17 (monitoring activities)
Evaluates and Communicates Deficiencies
Points of Focus:
Assesses Results
Communicates Deficiencies
Monitors Corrective Actions

Monitoring Activities - Additional Considerations
Documentation
Scope and frequency
Responsibilities for monitoring
Assessing results
Communicating results
Off-site activities
Compliance inspections

COSO Appendix B on OSPs

COSO has a separate Appendix B that discusses application of the Framework to Outsourced Service Providers (OSPs)
Control environment should provide standards of conduct, tolerance levels, compliance procedures, performance measures
Risk assessment should consider corruption, fraud, IT related matters, interactions with the OSP
Control activities should consider OSP processes and functions and controls related to information provided to OSPs
Information and communication should evaluate adequacy of reporting and communications and complexities
Monitoring should include procedures to evaluate OSPs, such as SSAE 16 reports and separate evaluations and reviews

COSO Appendix C on Information and Communication

COSO has a separate Appendix C that discusses application of the Framework to information technology
Control environment should assess new IT capabilities, assign appropriate responsibilities and segregation of duties, establish policies and procedures, ensure competent personnel
Risk assessment should consider ability to manipulate information, effectiveness of systems, personnel turnover
Control activities should consider access rights, acquisition, development and maintenance, safeguard controls
Information and communication should assess information retention, external parties, complexity, volume, methods, nature
Monitoring should consider use of IT as an objective method

Implementing the 2013 COSO Framework


COSO Effective Internal Control

Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:
Each component and each relevant principle is present and functioning
Present refers to design of internal control
Functioning refers to the conduct of internal control
The five components are operating together in an integrated manner
Effectively reduce, to an acceptable level, the risk of not achieving an objective
External parties are not part of an internal control system

Three Dimensions
Objectives: Operations, Reporting, Compliance
5 Components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities
Organizational Structure: Entity, Division, Operating Unit, Function

Components & Principles

Control Environment:
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment:
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities:
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication:
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities:
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

How COSO Framework may affect your organization
Comparison of components and principles to current internal controls, considering points of focus, may identify:
Additional considerations of control environment
More detailed discussions about risk assessment and documentation of risk assessment
Further consideration of potential fraud risk
Potential additional control activities and monitoring as a result of risk assessment
Further consideration of controls over outsourcing to service providers
Possible additional considerations related to IT

Five Step Transition Plan

Step 1 - Develop Awareness
Gain senior leadership and board alignment and support
Build awareness and expertise
Educate management

Step 2 - Preliminary Impact
One significant factor - how well principles are currently functioning
Map principles to existing controls
Assess gaps where principles are not adequately addressed

Step 3 - Facilitate Awareness
Engage broader organization
Compliance efforts may occur centrally, or there may be multiple layers of assessment
Conduct training
Pressure test preliminary impact assessment

Step 4 - Execute Plan
Phase 1: Documentation and Evaluation
Phase 2: Validation Testing and Gap Remediation

Step 5 - Continuous Improvement
Drive continuous improvement
There's a difference between an adequate and a best-in-class system of internal control

Common Issues
When going through the mapping exercise, organizations do
not have controls in place to meet all 17 principles.
Organizations may have controls in place, but they are
undocumented / not formalized.
Lack of fraud risk assessment.
Lack of knowledge of outsourcing controls.

Limitations of COSO
No such thing as absolute assurance
The Framework comments on limitations of internal control, which result from:
Quality and suitability of objectives established as a precondition to internal control
Potential for flawed human judgment in decision-making
Management's consideration of the relative costs and benefits in responding to risk and establishing controls
Potential for breakdowns that can occur because of human failures (such as simple errors or mistakes)
Possibility that controls can be circumvented by collusion of two or more people
Ability of management to override internal control functions and decisions

Ronald A. Conrad [email protected]
