CNA – 2013 COSO Framework NOT for distribution. 1 Chicagoland IASA Spring Conference CNA Insurance...
-
Upload
rafe-hoover -
Category
Documents
-
view
223 -
download
5
Transcript of CNA – 2013 COSO Framework NOT for distribution. 1 Chicagoland IASA Spring Conference CNA Insurance...
1
CNA – 2013 COSO Framework
NOT for distribution.
Chicagoland IASA Spring Conference
CNA Insurance2013 COSO Framework
April 17, 2014
2
CNA – 2013 COSO Framework
NOT for distribution.
Today’s Goals
The goals of today’s presentation are to help you better understand:
• The updates to the COSO Framework, including the 17 principles required to be in place and functioning within the 5 components of internal control
• Key steps for transitioning to the new framework
• Lessons learned from CNA’s adoption efforts
3
CNA – 2013 COSO Framework
NOT for distribution.
• COSO Framework:- Overview & Background- 2013 Update
• CNA’s Approach:- Project Plan- Initial Gap Analysis- Lessons Learned
• Questions / Discussion
Agenda
4
CNA – 2013 COSO Framework
NOT for distribution.
COSO Overview & Background
5
CNA – 2013 COSO Framework
NOT for distribution.
What is COSO?
• Committee of Sponsoring Organizations (COSO) of the Treadway Commission
• Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (aka the Treadway Commission)
• Joint initiative of five private sector organizations– American Accounting Association (AAA)– American Institute of Certified Public Accountants (AICPA)– Financial Executives International (FEI)– Institute of Management Accountants (IMA) – The Institute of Internal Auditors (IIA)
• COSO established Framework over Internal Control (IC) in 1992
Source: COSO
6
CNA – 2013 COSO Framework
NOT for distribution.
5 Components of Internal Control:• Control Environment- tone at the
top; integrity and ethical values of the organization.
• Risk Assessment- identifying and analyzing risks within the organization.
• Control Activities- policies and procedures to mitigate risk.
• Information & Communication- information required to carry out IC activities.
• Monitoring Activities- on-going evaluation to assess IC.
COSO Cube
Source: COSO
1992 Framework
7
CNA – 2013 COSO Framework
NOT for distribution.
ICFR Attestation
• 1992 Framework is widely used today to comply with Section 404 of Sarbanes Oxley Act of 2002 in the certification of internal control over financial reporting.
8
CNA – 2013 COSO Framework
NOT for distribution.
2013 Update to Framework
9
CNA – 2013 COSO Framework
NOT for distribution.
What is changing
Source: COSO
10
CNA – 2013 COSO Framework
NOT for distribution.
1992 vs. 2013 Framework
1992 Framework
2013 Framework
11
CNA – 2013 COSO Framework
NOT for distribution.
Seventeen Principles
Source: COSO
12
CNA – 2013 COSO Framework
NOT for distribution.
Effective Systems of Internal ControlFor effective internal control:• Each of the 5 components and 17 principles must be
present and functioning.– Present is defined as “the determination that components and
relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.”
– Functioning is defined as “the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.”
• The five components must operate together in an integrated manner to reduce risk to an acceptable level.
13
CNA – 2013 COSO Framework
NOT for distribution.
Control BreakoutAssertion Coverage
Contr
ol
Envi
ronm
ent
Indirect (5)
Ris
k A
ssess
ment
Indirect / Direct (4)
Info
rmati
on a
nd
Com
munic
ati
on
Indirect / Direct (3)
Monit
ori
ng
Act
ivit
ies
Indirect / Direct (2)
Contr
ol
Act
ivit
ies
Direct (3)
Control Type
CO
SO
'sC
om
ponents
of In
tern
al C
ontr
ol
Entity
Leve
l C
ontr
ols
Hig
her Leve
l and T
ransa
ctio
n L
eve
l C
ontr
ols
Genera
l IT
Contr
ols
14
CNA – 2013 COSO Framework
NOT for distribution.
Points of Focus
• For each principle COSO has identified points of focus to assist management in designing, implementing, and maintaining internal control.
• The points of focus may (or may not) be relevant and there is no requirement to perform a separate evaluation. Presumption is for a sophisticated organization that most would be relevant.
15
CNA – 2013 COSO Framework
NOT for distribution.
COSO/AICPA Reference Materials
Source: COSO
Project deliverable #1 – Internal Control-Integrated Framework (2013 Edition)
• Consists of three volumes:– Executive Summary– Framework and Appendices– Illustrative Tools for
Assessing Effectiveness of a System of Internal Control
• Sets out: – Definition of internal control– Categories of objectives– Components and principles
of internal control– Requirements for
effectiveness
16
CNA – 2013 COSO Framework
NOT for distribution.
COSO/AICPA Reference Materials
Project deliverable #2 – Internal Control over External Financial Reporting: A Compendium....
Source: COSO
• Illustrates approaches and examples of how principles are applied in preparing financial statements
• Considers changes in business and operating environments during past two decades
• Provides examples from a variety of entities – public, private, not-for-profit, and government
• Aligns with the updated framework
17
CNA – 2013 COSO Framework
NOT for distribution.
Transition
• Transition period ending December 15, 2014.• After which time COSO will consider the 1992
Framework to be superseded.• Any reporting between now and the end of the
transition period should disclose which version of the Framework is being used.
18
CNA – 2013 COSO Framework
NOT for distribution.
CNA’s Project Plan
19
CNA – 2013 COSO Framework
NOT for distribution.
CNA’s Project Plan
• Step 1Develop Awareness, Expertise, and Alignment
• Step 2Conduct Preliminary Impact Assessment
• Step 3Facilitate Broad Awareness, Training, and Comprehensive Assessment
• Step 4Develop and Execute COSO Transition Plan for SOX Compliance / Best Practice
• Step 5Drive Continuous Improvement
20
CNA – 2013 COSO Framework
NOT for distribution.
Step 1Develop Awareness, Expertise, and
Alignment• Gain senior leadership and board alignment and support
• Build awareness and expertise
• Educate management
• Map principles to existing controls
• Identify opportunities to expand applications of internal control
CNA’s Project Plan
21
CNA – 2013 COSO Framework
NOT for distribution.
Step 2Conduct Initial Analysis
• Evaluate the existing framework
• Leverage the original mapping of components to controls
• Identify key business owners
• Identify COSO updates which may impact your framework
• Identify gaps / opportunities for improvement
CNA’s Project Plan
22
CNA – 2013 COSO Framework
NOT for distribution.
Step 3Facilitate Broad Awareness, Training,
and Comprehensive Assessment
• Identify potential gaps and/or documentation enhancement opportunities
• Engage business to enhance existing controls and/or add new controls to meet the update’s requirements
CNA’s Project Plan
23
CNA – 2013 COSO Framework
NOT for distribution.
Step 4Develop and Execute COSO Transition
Plan for SOX Compliance
• Phase 1: Formalize Framework (Documentation & Evaluation)
• Phase 2: Validation: Business Acceptance and Auditor Acceptance
• Phase 3: Establish Test Plan for 2014
• Phase 4: Testing of 2014 Framework and External Review
CNA’s Project Plan
24
CNA – 2013 COSO Framework
NOT for distribution.
Step 5Drive Continuous Improvement
• There is a difference between an adequate and a
best-in-class system of internal control
CNA’s Project Plan
25
CNA – 2013 COSO Framework
NOT for distribution.
CNA’s GAP Analysis
26
CNA – 2013 COSO Framework
NOT for distribution.
CNA’s Gap AnalysisPreliminary Control Mapping
Points of Focus Detail
38 Code of Business Conduct and Ethics
39 Commitment to Professional Conduct43 Corporate Governance Guidelines42 Conflict of Interest - Letter from CEO45 Our Commitment to Professional Conduct (11-37 CNA Taking Tough Action Against Internal 63 Human Resources Policy Manual38 Code of Business Conduct and Ethics
Evaluates adherence to Standards of Conduct
Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards
of conduct.
62 Performance Management and Talent ReviewHR
Addresses deviations in a timely manner
Deviations from the entity's expected standards of conduct are identified and remedied in a timely and consistent manner.
62 Performance Management and Talent ReviewHR
29 Audit Committee (Committee Charter, Meeting Minutes, and Resolutions)
41 Compensation Committee (Committee Charter, Meeting Minutes, and Resolutions)
34 BofD Minutes, resolutions or annual 43 Corporate Governance Guidelines43 Corporate Governance Guidelines
29 Audit Committee (Committee Charter, Meeting Minutes, and Resolutions)
41 Compensation Committee (Committee Charter, Meeting Minutes, and Resolutions)
34 BofD Minutes, resolutions or annual
Operates independentlyB of D has sufficient members who are independent from mgmt
and objective in evaluations and decision making.43 Corporate Governance Guidelines
Corp Secretary
29 Audit Committee (Committee Charter, Meeting Minutes, and Resolutions)
Corp Secretary
1 Audit Committee Pack ACI43 Corporate Governance Guidelines Corp Secretary
Co
ntr
ol
En
vir
on
men
t
Focus Point - Subject Matter Expert (Department, Team or
Indvidual)
Corp Secretary
Corp Secretary
Corp Secretary
Corp Secretary1
B of D and Mgmt at all levels of the entity demonstrate through their directives, actions, and behavior the importance of
integrity and ethical values to support the functioning of the system of IC.
The expectations of the board of directors and senior mgmt concerning integrity and ethical values are defined in the
entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business
partners.
Sets the Tone at the Top
B of D defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to
ask probing questions of senior mgmt and take commensurate actions.
Establishes oversight responsibilities
Establishes Standards of Conduct
B of D identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
Applies relevant expertise
Provides oversight for the system of internal control
B of D retains oversight responsibility for mgmt's design, implementation, and conduct of IC: (All 5 Control Components).
Committee / Control / DocumentCo
ntr
ol
Co
mp
on
en
t
CO
SO
Pri
ncip
le
CO
SO
Pri
ncip
le
Descri
pti
on
CN
A R
efe
ren
ce
Lis
t #
Principle Points of Focus
Demonstrates Commitment to
integrity and ethical values
Exercises oversight and responsibility
2
Gap
Research & Investigation
Pending Review & Business Acceptance
Done & Completed/Accepted by Business
27
CNA – 2013 COSO Framework
NOT for distribution.
Lessons Learned
• Limited Gaps– Refinement and Enhancement of
Documentation
• Non-SOX Participants– Education of IC and Attestation Process – Need Business to be Owners of the Process
• No “Requirement” for Compliance and Operational Risks (Best Practice)– Financial Reporting Requirement from SOX
28
CNA – 2013 COSO Framework
NOT for distribution.
Questions?