Fine Tuning Your Internal Controls With COSO - PwC

Transcription

Fine tuning your internal controls with COSO
14 June 2019

- The CPA's role in maintaining security and promoting data privacy
- Summary of key updates
- Impact of COSO to business
- Q&A

Let us know which among the words comes into your mind first when you think about internal control:
- Protection
- …rride

Definition under the 2013 COSO Internal Control – Integrated Framework

Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.

- Geared to the achievement of objectives
- A process
- Effected by people
- Provides reasonable assurance
- Adaptable to the entity structure

What is the COSO Internal Control Integrated Framework?

In 1992, COSO published the original IC Framework (authored by PwC), which allows the management of an organization to establish, monitor, evaluate, and report on internal control. The original IC Framework has gained widespread acceptance and use worldwide.

In 2013, COSO published the updated IC Framework (also authored by PwC) to ease use and application, considering changes in business and operating environments, articulating principles and clarifying requirements for effective internal control, and encouraging users to apply internal control to additional objectives.

COSO's Internal Control and Enterprise Risk Frameworks

- Internal Control – Integrated Framework (2013)
- Enterprise Risk Management – Integrated Framework (2018)

- Both frameworks adopt a principles-driven approach and are thus suitable to most entities
- Geared towards seeking greater transparency and accountability
- Consider the increasing complexity and technological advancements of the business environment

Updated IC framework eases use and application

Control Environment
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structure, authority, and responsibility
- Demonstrates commitment to competence
- Enforces accountability

Risk Assessment
- Specifies suitable objectives
- Identifies and analyzes risks
- Assesses fraud risk
- Identifies and assesses significant changes

Control Activities
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys controls through policies and procedures

Information and Communication
- Generates/obtains and uses … nally

Monitoring Activities
- Performs ongoing and/or separate control evaluations
- Evaluates and communicates control deficiencies

Summary of key updates – what is NOT fundamentally changing?

- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components of internal control is required for effective internal control
- Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

Summary of key updates

5 Components – 17 Principles – Points of focus – Controls

- The update articulates principles as important characteristics of the components of internal control
- Principles are suitable and presumed relevant for all entities
- Principles can support achievement of a single, multiple, or overlapping objectives
- When principles are present and functioning, objectives are specified with sufficient clarity to assess risk and deploy controls to mitigate risk to an acceptable level
- Applying principles provides a basis for checking what's covered and what's missing across the business, including dispersed and outsourced operations

Summary of key updates – what IS changing? Control Environment

- Governance: management's philosophy and operating style
- Linkages between various components of internal control
- Organizational structure
- Integrity and ethical values
- Linking risk and performance
- Organizational complexities
- Roles and responsibilities alignment

Summary of key updates – what IS changing? Risk Assessment

- Risk assessment process
- Risk severity
- Risk tolerances
- Impact of internal and external factors
- Fraud risk

Summary of key updates – what IS changing? Control Activities

- Evolution of technology
- Automated controls vs. general controls over technology
- Control techniques
- General technology controls
- Policies and procedures vs. control activities

Summary of key updates – what IS changing? Information and Communication

- Information quality
- External reporting information
- Information protection and reliability
- Information volumes and sources
- Impact of technology
- Communication with third parties

Summary of key updates – what IS changing? Monitoring

- Monitoring activities terminology
- Establishing evaluations
- Technology and service providers use

Impact of COSO to your business, stakeholders, and users

What is driving the focus on internal controls? These factors are pushing us to rethink controls:
- Consequences of control …
- …ng pace of business change
- Complex, interconnected businesses and systems
- Complexity of "extended enterprise"
- Desire for common standards (and efficiencies)
- Increased regulatory scrutiny
- …dvancements

Design principles of a target operating model for internal controls

01. Structure and governance
02. Communication, culture and training
03. Roles and responsibilities
04. Processes
05. Tools, technology and reporting
06. Working groups and integration
07. Accountability and performance management

01. Structure and governance

- Clear responsibility for oversight and assurance of business controls.
- Divorcing control operation and control review, providing reliable and quantifiable independent assurance that is suitable for audit leverage.
- A simplified structure that reduces the risk created through multiple hand-offs.

02. Communication, culture and training

- A behaviour and cultural shift in line with the seven critical behaviours.
- Business sees value in controls through greater understanding.
- Clear understanding of process and control principles (e.g. detective/preventative and good control design).

03. Roles and responsibilities

- Risk owners have a clear understanding of the risk and how this is mitigated through controls.
- Clear roles and responsibilities for controls going through business change.
- SMART objectives set, and agreed, for each Risk and Control resource.

04. Processes

- Consistent approach and focus to the management of risks and controls across the business.
- Documentation standards and guidelines.
- Fundamental processes captured and operational (e.g. business change, reporting, incident management, training etc.).

05. Tools, technology and reporting

- Effective use of an appropriate tool(s).
- Leveraging existing sources of best practice.
- Company technology resources and future system landscape.
- Automation of control.
- Effective dashboard reporting.

06. Working groups and integration

- An awareness and clarity of the risk and response managed by the 1st line.
- Transparency in process and reporting so there is one view of the truth that is appropriate at all levels.
- Strong relationships and engagement within the business.

07. Accountability and performance management

- Clear accountability for controls and control failures within the 1st line.
- Clear accountability for risks (understanding of risk appetite and risk impact to the business).
- Incremental steps to embedding accountability and changing the culture. Progress mapped against these steps.
- Consistent reporting of leading indicators in control design and effectiveness.
- Internal control objectives within Business Unit plans and Director objectives as appropriate.

These are the potential lead indicators for control failures:
- Accounting and reporting changes
- Reliance on self-assessment
- Governance
- Usually prolonged success
- Reliance on 3rd line of defense
- Wide scope for … resourcing

Identifying controls: Objective – Risk – Control – Alignment

In practice, stakeholder engagement and control design are key in achieving control effectiveness

1. Context and stakeholder engagement: understand the current state, engage with stakeholders, agree the process objectives and risk appetite.
2. Process, risk and controls review: walk through the end-to-end process and identify risk sources. Understand key controls currently in place at the process level.
3. Interpret, feedback and validation: determine the right controls, using risk assessment, appetite and control objectives. Identify potential improvements, gaps or incomplete controls.
4. Update and report: a process for updating, iterating and improving the control environment.

A strategic perspective on internal control

- Internal control empowers employees
- Internal control helps in achieving important objectives
- Internal control is dynamic and changes with the business

Questions?

Thank you!
pwc.com/ph

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, Isla Lipana & Co., its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2019 Isla Lipana & Co. All rights reserved. In this document, "PwC" refers to Isla Lipana & Co. which is the Philippine member firm of the PwC network, each member firm of which is a separate legal entity. Please see www.pwc.com/structure for further details.