Top 5 Pitfalls to Avoid When Implementing COSO 2013
DESCRIPTION
Learn about the 5 pitfalls you should avoid when implementing COSO's 2013 framework. This presentation will provide you with background on what could go wrong for SOX testing and other pitfalls to be aware of.
TRANSCRIPT
2012 Regulatory update
Compliance Made Simple ©
Agenda
• COSO 2012 Massive Project
• Major Concerns - AC
• Top 5 Pitfalls
• How to WIN!
COSO 2012 Project Participants
COSO Board of Directors
COSO Advisory Council
• AICPA
• AAA
• IIA
• FEI
• IMA
• Regulatory Observers
• Public Accounting Firms
• Others (IFAC, GAVI Alliance, ISACA)
PwC: Author and Project Leader
Stakeholder Input
Survey of over 700 stakeholders and users of the 1992 Internal Control – Integrated Framework
What’s Staying & What’s Leaving?
What is not changing...
1. Definition of internal control
2. Five components of internal control
3. The fundamental criteria used to assess effectiveness of systems of internal control
4. Use of judgment in evaluating the effectiveness of systems of internal control
What is changing...
1. Codification of principles with universal application for use in developing and evaluating the effectiveness of systems of internal control
2. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives
3. Increased focus on operations, compliance and non-financial reporting objectives based on user input
(see appendix for AICPA Toolkit changes)
A changing business environment...
Drives updates to the Framework...
Expectations for governance oversight
Globalization of markets and operations
Changes in business models
Demands and complexity of rules, regulations and standards
Expectations for competencies and accountabilities
Use and reliance on evolving technology
Expectations for preventing and detecting fraud
Updated COSO Cube
COSO 2012: Summary of Updates
Not limited to FINANCIAL
Benefits of the Updated Framework (for Management and the Board of Directors, Other Users, and External Parties): Agility, Clarity, Confidence, Performance
• Improve governance
• Expand use beyond financial reporting
• Improve quality of risk assessment
• Strengthen anti-fraud efforts
• Adapt controls to changing business needs
• Greater applicability for various business models
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring Activities
COSO 2012: CODIFICATION OF 17 PRINCIPLES
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Uses relevant information
14. Communicates internally
15. Communicates externally
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
COSO 2006 Vs. 2012 (proposed)
Major Impact to A/C
• New fraud considerations
• Changes to “oversight functions”
• In-depth questions regarding forecasting the impact of changes to ICFR and operations
AICPA Gold Standard
Part I: Audit Committee Administration
• Audit Committee Roles and Responsibilities
• Audit Committee Charter Matrix
• Audit Committee Financial Expert Decision Tree
• Sample Request for Proposal Letter for CPA Services (Public Company)
• AICPA Peer Reviews and PCAOB Inspections of CPA Firms: An Overview
• Guidelines for Hiring the Chief Audit Executive (CAE)
• Engaging Independent Counsel and Other Advisers
Part II: Key Responsibilities
Part III: Performance Evaluation
Part IV: Other Tools
Template: Type of change that may be expected
#1 AC Member Roles & Responsibilities: Minor updates related to AC members' role in assisting the BOD in its oversight of internal control and of whistleblower findings, their investigation and the implementation of related actions, including consideration of the impact of a board member's continued social relationship with company executives.
#2 AC Charter: Minor updates related to investigative authority and its implementation by the AC.
#7 Engaging Counsel: Minor updates relating to consideration of long-standing social relations and their impact on independence in light of current SEC filings based on the Dodd-Frank Act.
#8 Internal Control: Major updates to align the principles and attributes under each of the 5 areas of COSO based on the new Integrated Framework.
#9 Fraud Responsibilities: Minor (core issues have already been addressed).
#10 Whistleblower: Moderate (the template/log needs to include how to track when SEC investigations have come to the attention of the Audit Committee).
#12 Executive Session: Minor updates to the suggested questions to include queries related to the assessment and impact of significant changes on internal controls.
#14 Responding to Identification of a Material Weakness: Moderate (language needs to be updated for Dodd-Frank related issues).
#15 Evaluating the Internal Audit Team: Moderate (currently no mention of whistleblower complaint analysis or material weakness follow-up; this could be an issue for the AC given the new Dodd-Frank Act).
#17 Self Evaluation: Minor update related to AC responsibilities per the Dodd-Frank Act.
Appendix A. Dodd-Frank Act: Potential Impact on the AICPA Audit Committee Toolkit
Top 5 Implementation Pitfalls
1. Pitfall – Deliverables Not Defined
40% of projects fail completely (failure defined as not delivering expectations or being unusable) [1]
[1] Standish Group's 1996 IT survey
2. Pitfall – No Link
Over 90% of strategies never meet fulfillment of their original intent [2].
Primary driver – planning is never linked to key deliverables and overall quantifiable impact (e.g. number of key controls drops by 10%, external auditor use of IA work increases by 15%, ELC controls reduce 25% of detailed transaction testing).
Key success formula: Motivation = Project SUCCESS! [2a]
[2] J.P. Kotter, “Leading Change: Why Transformation Efforts Fail,” Harvard Business Review, Mar.-Apr. 1995, pp. 59-67
[2a] Data on 290 completed projects from software engineering practitioners based in Australia, Chile, and the USA, by June Verner
3. Pitfall – Culture
Multi-location organizations have over 80% of projects fail because of cultural issues [3] (Rolls-Royce case study).
Primary drivers:
1. People don't do as they say
2. Ineffective leaders
3. Competing priorities
4. Insufficient resources
[3] “Enterprise information systems project implementation: A case study of ERP in Rolls-Royce,” Yahaya Yusuf, A. Gunasekaran, Mark S. Abthorpe
4. Pitfall – Insufficient Resources
People are the most unstable set of resources (e.g. position changes, turnover, CPE, life changes), and major projects typically underestimate the need for human resources by over 86% on all projects [4].
Primary drivers:
1. Budget – ineffective (incorrect assumptions)
2. Infrequent timeline reviews
3. Timeliness of budget vs. actual corrections
[4] “Project management effectiveness: The choice – formal or informal controls,” University of Canberra, Susilo, A., Heales, J., Rohde, F.
5. Pitfall – “Team B” Syndrome
87% of C-level execs know the team leader function but NOTHING ELSE [5].
• Staff augmentations without a clear sense of the future
• Subcontractors never fully integrated within the project, much less the organization
[5] “Modern Approach” by Petty, 2009; Juli, 2010
How to win the COSO Implementation Project?
1. Discuss cultural issues upfront (what will work and what won't... & “why”)
2. Create low & high estimates with checks & balances on estimates
3. Accountability structures for project leader and team members
4. Never use Team B for a top priority project
5. Clearly define deliverables
6. Link deliverables to people's performance and overall corporate goals (quantify major categories)
7. Updates on timelines and ETC (estimate to complete by person, by task)
8. Get “perceived percentages” from team members and “weed out” weak players
9. Frequent project updates (more in the beginning and fewer towards the end)
10. Present deliverables in a GRAND way!
Contact Information
Sonia Luna, President, [email protected]
700 S. Flower Street #1100, Los Angeles, CA 90017
P: (213) 250-5700 x206