COSO New Framework: COSO Internal Control-Integrated Framework

Uploaded by: 新** | Document ID: 567326570 | Upload date: 2024-07-19 | Format: PPT | Pages: 39 | Size: 1.58 MB

COSO & Project Overview

COSO Overview - Internal Control Publications
Publication years shown on the timeline: 1992, 2006, 2009, 2013

Why update what works
The Framework has become the most widely adopted control framework worldwide.
- Original Framework: COSO's Internal Control-Integrated Framework (1992 Edition)
- Refresh Objectives:
  - Reflect changes in business & operating environments
  - Expand operations and reporting objectives
  - Articulate principles to facilitate effective internal control
- Enhancements:
  - Updates Context
  - Broadens Application
  - Clarifies Requirements
- Updated Framework: COSO's Internal Control-Integrated Framework (2013 Edition)

Project timetable
- Assess & Survey Stakeholders
- Design & Build
- Public Exposure, Assess & Refine
- Finalize
Years shown on the timeline: 2010, 2011, 2012, 2013

Project participants
- COSO Board of Directors
- COSO Advisory Council
- AICPA
- AAA
- FEI
- IIA
- IMA
- Public Accounting Firms
- Regulatory observers (SEC, GAO, FDIC, PCAOB)
- Others (IFAC, ISACA, others)
- PwC: Author & Project Leader
- Stakeholders:
  - Over 700 stakeholders in Framework responded to global survey during 2011
  - Over 200 stakeholders publicly commented on proposed updates to Framework during first quarter of 2012
  - Over 50 stakeholders publicly commented on proposed updates in last quarter of 2012

Project deliverable #1: Internal Control-Integrated Framework (2013 Edition)
Consists of three volumes:
- Executive Summary
- Framework and Appendices
- Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Sets out:
- Definition of internal control
- Categories of objectives
- Components and principles of internal control
- Requirements for effectiveness

Project deliverable #2: Internal Control over External Financial Reporting: A Compendium.

Internal Control-Integrated Framework

Update expected to increase ease of use and broaden application
What is not changing...
- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components of internal control is required for effective internal control
- Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness
What is changing...
- Changes in business and operating environments considered
- Operations and reporting objectives expanded
- Fundamental concepts underlying five components articulated as principles
- Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added

Update considers changes in business and operating environments
Environment changes... have driven Framework updates
- Expectations for governance oversight
- Globalization of markets and operations
- Changes and greater complexity in business
- Demands and complexities in laws, rules, regulations, and standards
- Expectations for competencies and accountabilities
- Use of, and reliance on, evolving technologies
- Expectations relating to preventing and detecting fraud
[Figure: COSO Cube (2013 Edition)]

Update articulates principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Update articulates principles of effective internal control (continued)
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.
Information & Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Update clarifies requirements for effective internal control
Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:
- Each component and each relevant principle is present and functioning
- The five components are operating together in an integrated manner
Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology)
Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies
A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives

Update describes important characteristics of principles, e.g.,
- Points of focus may not be suitable or relevant, and others may be identified
- Points of focus may facilitate designing, implementing, and conducting internal control
- There is no requirement to separately assess whether points of focus are in place
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
Points of Focus:
- Sets the Tone at the Top
- Establishes Standards of Conduct
- Evaluates Adherence to Standards of Conduct
- Addresses Deviations in a Timely Manner

Update describes the role of controls to effect principles
- The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control
- An organization's selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity
- A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles
- However, understanding and considering how controls effect multiple principles can provide persuasive evidence supporting management's assessment of whether components and relevant principles are present and functioning

Update describes how various controls effect principles, e.g.,
Component: Control Environment
Principle: 1. The organization demonstrates a commitment to integrity and ethical values.
Controls embedded in other components may effect this principle:
- Human Resources review employees' confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity (Control Environment)
- Management obtains and reviews data and information underlying potential deviations captured in whistleblower hot-line to assess quality of information (Information & Communication)
- Internal Audit separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results and reports thereon (Monitoring Activities)

Summary of public exposure of proposed update
- Interest across geographic regions: approximately 50% of respondents from North America and 50% from international regions
- Proposed updates to Framework released for public comments:
  - December 20, 2011 to March 31, 2012
  - September 18, 2012 to December 4, 2012
- COSO sought comments from the general public on proposed updates, including whether the:
  - Requirements of effective internal control are clearly set forth
  - Roles of components, principles, and points of focus are clearly set forth
  - Framework remains sound, logical, and useful to management of entities of all types and sizes
- Public comment letters available at www.ic.coso.org until Dec. 31, 2013

Updates are responsive to public comments
Principles
- Provide clarity regarding the role of principles in designing, implementing, and conducting internal control, and assessing its effectiveness
- Clarify descriptions of some principles, but no additional principles
Effectiveness
- Recognize effective internal control can provide reasonable assurance of achieving effective and efficient operations objectives (as noted before)
- Clarify requirement that each of the components and relevant principles must be present and functioning and components must operate together
- Remove presumption that points of focus are present and functioning, and clarify that no separate assessment of points of focus is required
- Standardize classification of internal control deficiencies, and clarify use of only relevant criteria established in laws, rules, regulations and standards
Objective Setting
- Retain five components of internal control
- Retain specification of objectives as a principle of effective internal control, but objective setting may be driven by laws, rules, regulations, or external standards that are outside a system of internal control
Objectives
- Retain view that safeguarding of assets primarily relates to operations objectives, and recognize its consideration within reporting and compliance
- Acknowledge some laws, rules, regulations and standards establish safeguarding of assets as a separate category of objectives
- Retain view that strategic objectives are not part of internal control
- Retain operations, reporting, and compliance objective categories, and expand descriptions
Enterprise Risk Management (ERM)
- Retain distinction between ERM and internal control, and acknowledge these frameworks are complementary
- Retain view that strategy-setting, strategic objectives, and risk appetite are aspects of ERM, not Internal Control-Integrated Framework
- Retain discussion of risk appetite and application of risk tolerance
Smaller Entities and Governments
- Provide additional guidance specific to smaller entities and governments (Appendix C)
Technology
- Expand discussion in the points of focus and in several chapters
- Decline suggestion to address risk associated with specific technologies because of the rapid pace of change
Structure and Layout
- Retain view that all chapters 1-10 comprise the Framework
Due Process
- COSO believes there has been a substantive due process effort to capture views on proposed update
  - Surveyed stakeholders to ascertain preferences concerning nature and extent of needed updates; 700 responses (December 2010 to September 2011)
  - Conducted eleven meetings with COSO Advisory Council
  - Provided exposure drafts of proposed updates for public comments (December 2011 to March 2012, and September to December 2012)
  - Participated in many conferences, webinars, and seminars with membership of COSO to seek views of stakeholders (January 2011 to January 2013)

Illustrative Documents:
- Illustrative Tools for Assessing Effectiveness of a System of Internal Control
- Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Illustrative Tools for Assessing Effectiveness of a System of Internal Control
- Assist users when assessing effectiveness of internal control based on the requirements set forth in the Framework
- Templates illustrate a possible summary of assessment results
- Scenarios illustrate practical examples of how the templates can be used to support an assessment and important considerations in performing an assessment
- Focus on evaluating components and relevant principles, not the underlying controls that affect relevant principles
- Cannot satisfy criteria established through laws, rules, regulations, or external standards for evaluating the severity of internal control deficiencies
- Can customize level and amount of detail included in the templates as management may deem necessary

Internal Control over External Financial Reporting (ICEFR): A Compendium of Approaches and Examples
- Approaches and Examples illustrate how various characteristics of principles may be present and functioning within a system of internal control relating to external financial reporting
- Approaches are designed to give a summary-level description of activities that management may consider as they apply the Framework
- Examples illustrate one or more points of focus of a particular principle. They are not designed to provide a comprehensive, end-to-end example of how a principle may be fully applied in practice.
- Selected approaches and examples do not illustrate all aspects of components and relevant principles that would be necessary for effective internal control
- Stakeholders should refer to the Framework for the requirements of effective internal control
- Compendium supplements and can be used in concert

Summary of public exposure of the Illustrative Documents
- Proposed Internal Control over External Financial Reporting: Compendium of Approaches and Examples was released for public comment from September 18, 2012 to December 4, 2012
- In conjunction with the public exposure of ICEFR Compendium, COSO made available revised versions of the previously exposed Framework and Appendices and Executive Summary
- COSO made available the proposed Illustrative Tools for Assessing Effectiveness of a System of Internal Control
- COSO sought comments from the general public on relevant topics
- Public comment letters available at www.ic.coso.org until Dec. 31, 2013

Illustrative documents are responsive to public comments
ICEFR: A Compendium of Approaches and Examples
- Add or clarify specific examples, including:
  - Establishing responsibilities for reviewing financial statements
  - Monitoring investigation and reporting of whistleblower allegations
  - Monitoring identification and protection of sensitive financial information
  - Monitoring identification and analysis of risk of material misstatement due to fraud
- Address a risk-based approach for achieving external financial reporting objectives
  - Specify suitable objectives for external financial reporting
  - Risks to achieving suitable objectives
  - Responses to risks

Transition & Impact
- Users are encouraged to transition applications and related documentation to the updated Framework as soon as feasible
- Updated Framework will supersede original Framework at the end of the transition period (i.e., December 15, 2014)
- During the transition period, external reporting should disclose whether the original or updated version of the Framework was used
- Impact of adopting the updated Framework will vary by organization
  - Does your system of internal control need to address changes in business?
  - Does your system of internal control need to be updated to address all principles?
  - Does your organization apply and interpret the original framework in the same manner as COSO?
  - Is your organization considering new opportunities to apply internal control to cover additional objectives?

Transition & Impact (continued)
- The principles-based approach provides flexibility in applying the Framework to multiple, overlapping objectives across the entity
- Easier to see what is covered and what is missing
- Focus on principles may reduce likelihood of considering something that's irrelevant
- Understanding the importance of specifying suitable objectives focuses on those risks and controls most important to achieving these objectives.
- Focusing on areas of risk that exceed acceptance levels or need to be managed across the entity may reduce efforts spent mitigating risks in areas of lesser significance.
- Coordinating efforts for identifying and assessing risks across multiple, overlapping objectives may reduce the number of discrete risks assessed and mitigated.
- Selecting, developing, and deploying controls to effect multiple principles may also reduce the number of discrete, layered-on controls.
- Applying an integrated approach to internal control, encompassing operations, reporting, and compliance, may lessen complexity.
- In assessing severity of internal control deficiencies, use only the relevant classification criteria as set out in the Framework or by regulators, standard-setting bodies, and other relevant third parties, as appropriate.

Recommended Actions
- Read COSO's updated Framework and illustrative documents
- Educate the audit committee, C-suite, operating unit and functional management
- Establish a process for identifying, assessing, and implementing necessary changes in controls and related documentation
- Develop and implement a transition plan timely to meet key objectives, e.g., apply updated Framework by December 31, 2014 for external reporting

Getting COSO's Publications
The updated Framework and related Illustrative documents are available in 3 layouts:
1. E-book: This layout is ideally suited for those wanting access in electronic format for tablet use. An e-book reader from the AICPA is required to view this layout. Printing is restricted in this layout. Purchase through
2. Paper-bound: This layout is ideally suited for those wanting a hard copy. Purchase through
3. PDF: This layout is ideally suited for organizations interested in licensing multiple copies. Contact the AICPA at copyright@aicpa.org

Questions & Comments
