Ramifications Of The New COSO Framework & Recent PCAOB Actions - REIT

Transcription

Ramifications of the New COSO Framework & Recent PCAOB Actions

Panelists

Moderator – Bob Meyer, Senior Vice President of Finance & Corporate Controller, American Tower
Joann Cangelosi, Partner, Grant Thornton LLP
Lori Silverstein, Vice President, Controller, Boston Properties
Marc Panucci, Partner, PricewaterhouseCoopers

Discussion Topics

- The COSO 2013 framework and implications on a company's internal controls
- Update on PCAOB initiatives and actions
- Trends in auditing

The COSO 2013 Framework

- Key differences between the 2013 framework and the original 1992 framework
  – 5 framework components
  – 17 principles
  – 81 points of focus
- Transitioning to the new framework
  – Timing
  – Methodology
- Key areas of focus
- Where you can find more information
  – www.coso.org

PCAOB Initiatives and Actions

- The Public Company Accounting Oversight Board issued a Staff Consultation Paper on standard-setting activities related to auditing accounting estimates and fair value measurements for public comment on August 19, 2014.
- An update on the proposal to change the auditor's reporting model issued in 2013
- Feedback on recent PCAOB reviews
- Where you can find more information
  – www.pcaobus.org

Disclaimer

NAREIT does not intend this presentation to be a solicitation related to any particular company, nor does it intend to provide investment, legal or tax advice. Investors should consult with their own investment, legal or tax advisers regarding the appropriateness of investing in any of the securities or investment strategies discussed in this presentation. Nothing herein should be construed to be an endorsement by NAREIT of any specific company or products or as an offer to sell or a solicitation to buy any security or other financial instrument or to participate in any trading strategy. NAREIT expressly disclaims any liability for the accuracy, timeliness or completeness of data in this presentation. Unless otherwise indicated, all data are derived from, and apply only to, publicly traded securities. Any investment returns or performance data (past, hypothetical, or otherwise) are not necessarily indicative of future returns or performance.

For more information, visit: www.reit.com

In brief
No. US2014-16
August 22, 2014

PCAOB issues staff consultation paper seeking comment on auditing accounting estimates and fair value measurements

At a glance

The staff of the PCAOB's Office of the Chief Auditor is evaluating whether existing PCAOB standards relating to auditing accounting estimates and fair value measurements can and should be improved.

What happened?

On August 19, 2014, the Public Company Accounting Oversight Board ("PCAOB") issued for public comment a staff consultation paper on standard-setting activities related to auditing accounting estimates and fair value measurements. The staff consultation paper discusses and solicits comment on certain issues related to auditing accounting estimates and fair value measurements in order to assist the PCAOB staff in evaluating whether the existing PCAOB auditing standards can and should be improved. The PCAOB staff is specifically seeking feedback on: (i) the potential need for changes to the PCAOB's existing auditing standards to better address changes in the financial reporting frameworks related to accounting estimates and fair value measurements, (ii) current audit practices that have evolved to address issues relating to auditing accounting estimates and fair value measurements, (iii) a possible approach to changing existing auditing standards, and the requirements of a potential new standard, and (iv) relevant economic data about potential economic impacts to inform the PCAOB's economic analysis associated with standard setting in this area.

Overview of the approach being considered by the PCAOB staff

Although the PCAOB staff identified a number of alternative approaches that the PCAOB may wish to consider, the PCAOB staff is considering developing a single standard related to auditing accounting estimates and fair value measurements instead of the separate standards that exist today. The staff consultation paper discusses that the potential new standard could be designed to:

- Align with the PCAOB's risk assessment standards
- Generally retain the approaches to internal control and substantive testing from the existing standards, but include requirements that apply to both accounting estimates and fair value measurements
- Establish more specific audit requirements related to the use of third parties in developing accounting estimates and fair value measurements, and
- Create a more comprehensive standard related to auditing accounting estimates and fair value measurements to promote greater consistency and effectiveness in application

Use of third parties

A new standard could include the existing requirement related to testing assumptions for fair value measurements developed by a company's specialist, but apply it more broadly to information provided for accounting estimates. As such, if a company uses a specialist to develop an accounting estimate, a new standard could direct the auditor to test that information as if it were produced by the company. In this case, the auditor would be required, as applicable, to evaluate the appropriateness of the methods, test the data used, and evaluate the reasonableness of significant assumptions, with respect to the information provided by the specialist.

Additionally, the PCAOB staff is considering how a potential new standard could address audit evidence obtained from third-party sources, such as pricing services and broker-dealers. Given the differences in how values of financial instruments are derived and obtained, the PCAOB staff is exploring whether a new standard should set forth specific requirements for evaluating information from third-party pricing sources as part of evaluating the reliability and relevance of the evidence. For example, to evaluate reliability, the auditor could take into account the methods used by a third party in determining fair value and whether the methodology used is in conformity with the applicable financial reporting framework. As it relates to evaluating the relevance, the auditor could determine, among other matters, when there are no transactions either for the asset or liability or comparable assets or liabilities, how the information was developed, including whether the inputs developed represent the assumptions that market participants would use when pricing the asset or liability, if applicable.

Why is this important?

Financial statements and disclosures of most companies include accounting estimates and fair value measurements.

What's next?

Comments on the staff consultation paper are due on November 3, 2014. Additionally, the PCAOB announced it will host a meeting of its Standing Advisory Group ("SAG") on October 2, 2014, in Washington, D.C., to discuss matters related to auditing accounting estimates and fair value measurements. The agenda and meeting logistics will be announced closer to the meeting date.

Questions?

PwC clients who have questions about this In brief should contact their engagement partner. Engagement teams who have questions should contact the National Professional Services Group (1-973-236-7800).

Authored by:

Neil Weingarten
Partner
Phone: 1-973-236-5862
Email: neil.weingarten@us.pwc.com

Sarah Kenny
Director
Phone: 1-973-236-5925
Email: sarah.kenny@us.pwc.com

National Professional Services Group, CFOdirect Network – www.cfodirect.pwc.com

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. To access additional content on financial reporting issues, visit www.cfodirect.pwc.com, PwC's online resource for financial executives.

Corporate Governor
Providing vision and advice for management, boards of directors and audit committees
Summer 2014

New COSO Framework links IT and business process
Michael Rose, Partner, Business Advisory Services

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a joint initiative of private sector organizations dedicated to providing thought leadership on enterprise risk management, internal control and fraud deterrence, issued its updated Internal Control – Integrated Framework[1] (2013 Framework). The 2013 Framework is expected to be used by most public companies listed in the United States as well as other companies in various jurisdictions starting Dec. 31, 2014, and possibly earlier, in assessing the effectiveness of their internal control over financial reporting (ICFR) and by auditors in reporting on ICFR when required.

[1] See www.coso.org for more information.

The 2013 Framework does not fundamentally alter the key concepts of the original 1992 Framework consisting of five components: control environment, risk assessment, control activities, information and communication, and monitoring. Instead, it clarifies and builds on core strengths by (1) formalizing the concepts embedded within the five components into 17 principles, (2) considering changes in business and operating environments, and (3) expanding the financial reporting objective to address other important forms of reporting[2].

The 2013 Framework also includes "points of focus" that describe each principle's characteristics and help users evaluate whether a principle is present and functioning. Points of focus aren't explicit requirements. You don't need a separate evaluation of points of focus in order to demonstrate that a relevant principle is present and functioning. Management may determine that some points of focus are not suitable or relevant; they may also identify and consider others based on company circumstances. Points of focus may be particularly helpful in assisting management and auditors in evaluating principles that weren't as thoroughly developed in the 1992 Framework, such as those relating to fraud prevention and to the use of IT.

Principle 11 points of focus

The 2013 Framework recognizes the importance of technology in achieving operations and compliance objectives, as well as reporting objectives. Principle 11 and its points of focus address the importance of IT controls.

Principle 11
The organization selects and develops general control activities over technology to support the achievement of objectives.

The following points of focus highlight important characteristics relating to this principle:
- Determines dependency between the use of technology in business processes and technology general controls
- Establishes relevant technology infrastructure control activities
- Establishes relevant security management process control activities
- Establishes relevant technology acquisition, development and maintenance process control activities

1. Determines dependency between the use of technology in business processes and technology general controls

Management must understand the linkages between its business processes, general technology controls and controls that are automated in its control activities. Control activities are the tasks that ensure the existing technology continues to function as originally designed. Technology general controls are also referred to as general computer controls, general controls or IT controls. The overall reliability of technology in business processes, which would include automated controls (controls embedded in an application), will result from an effective design upfront, and then continued execution of general control activities over technology from an operating effectiveness perspective.

Technology general controls operating as designed will support automated controls and ensure that they are functioning properly. An example of an automated control would be the three-way match among purchasing, receiving and invoicing. The technology general controls determine that the correct files are being matched and the process is complete and accurate. In addition, the security control activities make sure that only authorized individuals have access to the files.

The COSO model for technology general controls touches all five components of the 2013 Framework, as evidenced in the following list. The emphasis here is illustrative as it relates to the five components.

Control environment
- Tone from the top, IT governance identifying controls as important
- Technology policies and procedures and information security policies
- Various committees established for technology governance

[2] Read more about the new framework and 17 principles in CorporateGovernor Summer 2013. See advisory/2013/BAS-GRC-Updated-COSO-Framework.aspx for details.

Risk assessment
- IT risk assessments link to corporate and business risk assessments
- IT controls determined for high-risk business units and functions
- IT risk assessment for IT information security identifying threats and matching to vulnerabilities
- Risk assessment for business continuity

Control activities
- Approval of IT plans and system architecture
- Committee approval for change management
- Compliance with information and security standards

Information and communication
- IT corporate communications
- Best-practice IT communication
- Review of user access to information and reports
- IT and security training

Monitoring
- Review of periodic technology assessments
- Review of technology organization
- Review of high-risk IT areas
- Review of technology metrics

Additional control activities may be selected or designed to be used in the mitigation of specific risks in the overall use of technology processes.

2. Establishes relevant technology infrastructure control activities

Technology general controls include control activities over technology infrastructure, networks, operating systems, data management and applications. They apply to everything from mainframe computers, client/server systems, desktops, end-user computing, portable computers and mobile device technology to operational technology. The control activities over each of these will depend on a number of factors, including risk as it relates to the underlying business processes, complexity of technology and overall outside threats. The technology general controls could be manual or automated. Following are control activities over newer technologies. These are some areas of interest with some control objectives attached, and are not meant to be all-inclusive.

End-user computing (EUC)
- Identification of all EUC as it relates to critical business processes in the organization
- Monitored security and access to where the EUC is located
- Integrity of change management process for changes made, tested, reviewed and approved
- Accuracy and completeness of all information in the EUC

Mobile devices
- Mobile device policies and procedures are in place
- Access control and encryption for mobile devices are in place and provide adequate coverage
- Non-company owned mobile devices are segregated for data in a complete and effective manner
- Mobile device incident management processes and controls are in place and effectively functioning

Cloud
- Prepare a clear governance model to follow, including policies and procedures
- Assess service levels, infrastructure and applications used, and related metrics and outcomes
- Understand cloud vendor management ability, including people's skills and competencies, processes and technology
- Review cloud security and compliance requirements
- Agree on service-level metrics, outcomes and effectiveness of services
- Identify where risks are present and integrate into existing risk assessment
- Review results criteria periodically, and have a mechanism to document exceptions and gaps and a process to correct issues

3. Establishes relevant security management process control activities

The security management process includes all control activities over access to an organization's technology, including transaction processing, data, operating systems, network applications and physical access. Security controls over access prevent the unauthorized access and use of systems, changes to the system, and changes to data and program integrity from common error or malicious intent. It supports segregation of duties, eliminating an individual having access to incompatible functions within the system, and it also reduces the likelihood of

Security risks are both internal and external. External threats can come in many different forms, depend on telecommunication networks and use the Internet. A company has customers, employees, vendors and others using its system. The pervasive use of technology in business operations presents significant threats on a daily basis. Internal threats come from within the organization through former or disgruntled employees who have extensive knowledge of the organization's security system and are better equipped because of this to succeed. Here are a few preventive actions to consider:

External cybersecurity threats
- Establish cybersecurity governance, including policies and procedures
- Classify all information based on its restriction of privacy
- Determine what applications use highly private information
- Perform a vulnerability analysis on these higher-risk applications
- Identify potential threats to these applications
- Understand vendor access and determine safeguards
- Perform a risk assessment regarding the highest risks based on the above
- Determine where investments are needed to protect private information
- Identify and treat attacks and breaches in a timely and appropriate manner
- Monitor cybersecurity activity and report to senior management

Internal threats
- Develop policies and procedures regarding employees' access to data and applications and termination of those rights when employees leave the organization
- Identify all employees that have access to incompatible data and applications in high-risk transactions
- When access can't be changed, provide a monitoring process/review of transactions those employees perform
- Periodically review access rights of employees

4. Establishes relevant technology acquisition, development and maintenance process control activities

The technology general controls should support the life cycle of technology throughout acquisition, development and maintenance. Organizations rarely use one methodology for all systems development projects, and they choose a methodology based on factors such as size of the project. The chosen methodology should provide controls over changes to technology: acquiring the appropriate approvals for a change, reviewing the change, testing results and implementing a process to make sure the changes are completed properly. The methodology provides a structure for system design and implementation. It outlines requirements such as documentation, approvals and controls over the technology life cycle.

Organizations need some basic controls that are similar in all systems acquisition and development work.
- User requirements are always documented and results measured.
- A formal process should be followed for system design to determine that user requirements and controls are designed in the system.
- System development is carried out in a formal manner to ensure that design features are included in the final product.
- Testing should include users, the functionality is reviewed and system interfaces operate as intended.
- Maintenance processes should ensure that changes in application systems are controlled and change management has a validation process.
- All outsourced system development work would be reviewed and determined to have a similar set of controls over the entire process.
- All work must be under project management control, whether it's developed in-house or outsourced.
- A communication and reporting mechanism must be in place to ensure that all projects are completed in a timely manner and on budget.

Conclusion

COSO recognizes the importance of technology in achieving operations and compliance objectives, and it wrote Principle 11 of the 2013 Framework to link business processes to technology general controls. The points of focus can help users evaluate whether the principle is present and functioning properly. While these points of focus aren't explicit requirements, use them as a tool to thoroughly address your IT controls. IT controls are pervasive throughout an organization, so it is critical to have a strong control environment across all business units.

Contact

Michael Rose
Partner, Business Advisory Services
T 215.376.6020
E michael.rose@us.gt.com

Editor
Evangeline Umali Hannum
E evangeline.umalihannum@us.gt.com

About the newsletter

CorporateGovernor is published by Grant Thornton LLP. The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world's leading organizations of independent audit, tax and advisory firms. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.

Connect with us

"Grant Thornton" refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a worldwide partnership. All member firms are individual legal entities separate from GTIL. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another's acts or omissions. Please visit grantthornton.com for details.

© 2014 Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd
