COSO IMPLEMENTATION - An Experiential View From The Trenches


COSO Implementation An Experiential View from the Trenches
1016 Washington St., Gloucester, MA 01930
Tel. 978.495.0915
www-navis-group.com

nknee- financial reporting. Within, we address the following:

- FDICIA/SOX/COSO
  - Defining the acronyms
  - Identifying the requirements
  - The COSO principles and focus points
  - nagement
- Sequencing the Implementation of the Principles
  - COSO Principles 10–12 - The Process – identifying key controls
    - riences
    - eporting integrity
    - Policies and procedures
  - COSO Principles 1–5
    - What’s required
    - What we have found
    - What we think we should be finding
    - How an institution might enhance the culture of integrity
  - COSO Principles 6–9
    - Identifying risk/fraud mechanisms
    - Getting from informal to formal with respect to risk
  - COSO Principles 13–17
    - Communications
    - Monitoring
  - tation
- Appendix A - COSO’s Principles & Focus Points
- dification

2016 THE NAVIS GROUP

FDICIA / SOX / COSO – Expanding the

ks with assets exceeding liance was llowing year. SOX (the Sarbanes-Oxley Act of 2002) is a non- he Enron era. SOX roll- level of at took effect on 12/15/14.

FDICIA Compliance – How COSO is “Dictated”

For banks with assets in excess of ce via FIL33- esses. This is a self- acceptable, if not preferred, framework and best- t- d in “back-handed” language IDs COSO as the only choice). ol over financial reporting.

FDICIA may be a self- eir audit requirements (also part of FIL33-2009) as peer- n is included herein as Appendix A.

Roles & dit!!!

Here’s the typical “best- l flow g the flowchart p the Audit Committee in the loop, have control owner sign-offs “roll- t year-end. What’s the process? See next page CFO and

Starting with COSO Principles 10 – 12 – The Process – Identifying Key

departmental processes. Best- the sub- trees – process and financial aspects. Here are the steps .

1. l approach as some processes "straddle" departments)
2. Identify the key controls governing the process
3. . Establish financial reporting objectives (sequence Footnotes)

Here’s how we have approached these projects .

Distilling the Control Library from 773 to 100

Whether we are working with a newly- ces for COSO 2013 refreshing and re- lignment, we started with a set of 30- py- trol Activities – includes Principles 10- put policies into action.

om 100-120 controls ( /- is documented (more on this later), who owns/co- and significance

Controls sometimes lose their way th documentary evidence left

Here’s an example of a real- e? Let’s explore. a standard Excel- r back-expense will properly reflect the inflated pay- adjustment on our hands; a sort- nge-documentation. Is an e- erates? Is an e- ether they missed the e-mail/document or not?

ery straight- fy the following investment controls: ocumented. s authorized by management. ed and summarized in control accounts. rs of the investment (and/or ALM) policy, how the pre- nting gets done (investment accounting sub- f the auditable evidence that the testers- reasingly, an outside firm- oan ops, ALLL and problem loans, retail, e- quating control quantities with testing dollars e most, likely has an over- ewer per year. Assigning an hourly cost of ting costs at roughly client bank that We’re often asked whether or not our 100- han rely on this cliché argument we point to our 20 by la to reviewing effort. cost of testing the controls library.

e than this. In our kick- tors, but w ave the kick-off meeting with that all-too- en a funny thing happens: post- e of hours, with a burdensome add- we generally see optimization of the end result.

The Heart of the Matter - COSO Principles 1 thru

ural underpinnings; “tone-from-the- re of Compliance”, the USSC indicates: nd the Board of Directors. hics and compliance program. TEGRITY “honest- the status

ller organizations without the resources for a full- interview asked the key follow-up question- rned it from my fellow employees”. Follow- what other rules can be ignored or by- hese studies are documented bi- an ethics hotline available to your employees on a 24-7-365 basis. Sarbanes- speaks to this issue as well. There are numerous

are of Willful Blindness

This is where it can
