Chicagoland IASA Spring Conference CNA Insurance 2013 COSO Framework April 17, 2014
Today’s Goals The goals of today’s presentation are to help you better understand: • The updates to the COSO Framework, including the 17 principles required to be in place and functioning within the 5 components of internal control • Key steps for transitioning to the new framework • Lessons learned from CNA’s adoption efforts
Agenda • COSO Framework: • Overview & Background • 2013 Update • CNA’s Approach: • Project Plan • Initial Gap Analysis • Lessons Learned • Questions / Discussion
What is COSO? • Committee of Sponsoring Organizations (COSO) of the Treadway Commission • Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (aka the Treadway Commission) • Joint initiative of five private sector organizations • American Accounting Association (AAA) • American Institute of Certified Public Accountants (AICPA) • Financial Executives International (FEI) • Institute of Management Accountants (IMA) • The Institute of Internal Auditors (IIA) • COSO established Framework over Internal Control (IC) in 1992 Source: COSO
1992 Framework 5 Components of Internal Control: • Control Environment - tone at the top; integrity and ethical values of the organization. • Risk Assessment - identifying and analyzing risks within the organization. • Control Activities - policies and procedures to mitigate risk. • Information & Communication - information required to carry out IC activities. • Monitoring Activities - ongoing evaluation to assess IC. COSO Cube Source: COSO
ICFR Attestation • The 1992 Framework is widely used today to comply with Section 404 of the Sarbanes-Oxley Act of 2002 in the certification of internal control over financial reporting.
What is changing Source: COSO
1992 vs. 2013 Framework 1992 Framework 2013 Framework
Seventeen Principles Source: COSO
Effective Systems of Internal Control For effective internal control: • Each of the 5 components and 17 principles must be present and functioning. • Present is defined as “the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.” • Functioning is defined as “the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.” • The five components must operate together in an integrated manner to reduce risk to an acceptable level.
Points of Focus • For each principle, COSO has identified points of focus to assist management in designing, implementing, and maintaining internal control. • The points of focus may (or may not) be relevant, and there is no requirement to perform a separate evaluation. The presumption is that, for a sophisticated organization, most would be relevant.
COSO/AICPA Reference Materials Project deliverable #1 – Internal Control-Integrated Framework (2013 Edition) • Consists of three volumes: • Executive Summary • Framework and Appendices • Illustrative Tools for Assessing Effectiveness of a System of Internal Control • Sets out: • Definition of internal control • Categories of objectives • Components and principles of internal control • Requirements for effectiveness Source: COSO
COSO/AICPA Reference Materials Project deliverable #2 – Internal Control over External Financial Reporting: A Compendium.... • Illustrates approaches and examples of how principles are applied in preparing financial statements • Considers changes in business and operating environments during past two decades • Provides examples from a variety of entities – public, private, not-for-profit, and government • Aligns with the updated framework Source: COSO
Transition • Transition period ending December 15, 2014. • After which time COSO will consider the 1992 Framework to be superseded. • Any reporting between now and the end of the transition period should disclose which version of the Framework is being used.
CNA’s Project Plan • Step 1: Develop Awareness, Expertise, and Alignment • Step 2: Conduct Preliminary Impact Assessment • Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment • Step 4: Develop and Execute COSO Transition Plan for SOX Compliance / Best Practice • Step 5: Drive Continuous Improvement
CNA’s Project Plan Step 1: Develop Awareness, Expertise, and Alignment • Gain senior leadership and board alignment and support • Build awareness and expertise • Educate management • Map principles to existing controls • Identify opportunities to expand applications of internal control
CNA’s Project Plan Step 2: Conduct Initial Analysis • Evaluate the existing framework • Leverage the original mapping of components to controls • Identify key business owners • Identify COSO updates which may impact your framework • Identify gaps / opportunities for improvement
CNA’s Project Plan Step 3: Facilitate Broad Awareness, Training, and Comprehensive Assessment • Identify potential gaps and/or documentation enhancement opportunities • Engage business to enhance existing controls and/or add new controls to meet the update’s requirements
CNA’s Project Plan Step 4: Develop and Execute COSO Transition Plan for SOX Compliance • Phase 1: Formalize Framework (Documentation & Evaluation) • Phase 2: Validation: Business Acceptance and Auditor Acceptance • Phase 3: Establish Test Plan for 2014 • Phase 4: Testing of 2014 Framework and External Review
CNA’s Project Plan Step 5: Drive Continuous Improvement • There is a difference between an adequate and a best-in-class system of internal control
Lessons Learned • Limited Gaps • Refinement and Enhancement of Documentation • Non-SOX Participants • Education of IC and Attestation Process • Need Business to be Owners of the Process • No “Requirement” for Compliance and Operational Risks (Best Practice) • Financial Reporting Requirement from SOX