2013 COSO v ERM NEW FRAMEWORK Webinar SLIDES

Posted on 24-Jan-2015


Learn how to compare 2013 COSO and ERM framework and how it will impact your internal control documentation!

Transcript of 2013 COSO v ERM NEW FRAMEWORK Webinar SLIDES

2013 COSO v ERM

Compliance Made Simple ©

Agenda

Why Change Something that’s Working?

Overview of 2013 New Framework

COSO v ERM Framework

Practical “Real Life” Examples

Transition Plan


Join the COSO Implementation LinkedIn Group for FREE templates and advice, and learn from others implementing this new framework.

Implementation Resources


COSO 2013 Implementation


SlideShare: Like & Follow us


Why change? Social media and its impact on business processes, relationships and growth strategies were not foreseen factors. Fact: 92% of all companies use social media tools to recruit, according to the 2012 Jobvite Social Recruitment survey.

93%

Reason #1: Social Media

Reason #2: Changes In IT Environment


2012 – The Business Perspective on Cloud Computing: A Literature Review of Research on Cloud Computing, by Hoberg, Wollersheim and Krcmar


Reason #3: Globalization

Over 95% of the World’s population lives outside of the US (a)

(a) 2013 Internationalization of Intangibles, Corrado & Hulten


What did we end up with? The Holy Grail of Internal Control Frameworks

Vol/Name | Pages
Exec Sum. Overview | 10
Vol 2: Framework/App | 186
Vol 3: Tools/Effectiveness | 146
Vol 4: SOX ICFR | 159
Total pages | 501


How We See Framework Changes

1992 COSO = “Good”

ERM 2004 and Small COSO 2006 = “Better”; Small COSO 2006: 20 Principles (76 Attributes)

2013 COSO = “BEST”: ?? Principles (?? Points of Focus)


How We See Framework Changes

1992 COSO = “Good”

ERM 2004 and Small COSO 2006 = “Better”; Small COSO 2006: 20 Principles (76 Attributes)

2013 COSO = “BEST”: 17 Principles (86 Attributes)


Clarity of Attributes v POF

During the comment period, respondents were concerned that keeping Attributes as in the initial draft would create a “checklist mentality”.

Thus in the Updated Framework they are stated as “Points of Focus” (“POF”).

POF are important characteristics of principles.


How does this impact ERM?

ERM still exists and can be used. During the comment period some respondents requested that there be further integration of ERM concepts into the updated framework, such as “Risk Appetite”.

ERM and 2013 COSO are complementary to each other and NEITHER is superseding the OTHER!


How do ERM and New COSO visually look?

Governance > ERM > New 2013 COSO “IC” (nested layers, outermost first)

Internal Controls is the “BASE” or FOUNDATION

ERM is much BROADER than just looking at effective Internal Controls (Strategy/Risk Assessment)

ERM is just PART of the OVERALL Governance Process in an organization


COSO v ERM (Side by Side)

COSO v ERM


Objective Setting component of ERM Framework considers the process used by Mgmt & BOD for setting operations, reporting and compliance objectives.

IC = Objectives are a PRECONDITION to an effective system of controls


Strategic Objectives reflect Mgt’s choice of how the Entity will CREATE VALUE for its stakeholders

IC = Mgmt trying to meet these specific objectives.


ERM = Risk Assessment Expanded, but only INTRODUCES Risk Appetite and Risk Tolerance concepts

IC = Concept of Risk Tolerance is included as a precondition to IC but NOT part of IC.


Now let’s take a look at NEW COSO


New Framework and ERM Differences: Control Environment

Common to BOTH:
• Demonstrates commitment to integrity & ethical values
• Exercises oversight responsibility
• Est. structures, authority & responsibility
• Demonstrates commitment to competency
• Enforces accountability

Intro. New & Expanded in ERM / ERM Exclusive:
• Establishes Risk Mgmt Philosophy
• Est. risk culture
• Est. risk appetite


Control Environment Key Differences

ERM has a whole chapter devoted to the “Entity’s Risk Management Philosophy”, included in the section called “Internal Environment”.
1. Provides examples of how shared beliefs and attitudes characterize HOW an entity considers risks
2. How it reflects on these values and influences its culture and operating style


Risk Assessment

Common to BOTH:
• Assesses Fraud risk
• ID & analyzes risks/events
• ID & Analyzes Significant Change

Intro. New but expanded in ERM / ERM Exclusive:
• Distinguishes risk & Opportunities
• Develops Portfolio view


ERM Advantages – Risk Assessment process
1. ERM = Risks are “Inherent” & “Residual”
2. ERM addresses “Interrelated Risks”, which are risks that include a “single event which may create MULTIPLE RISKS”
3. Potential events with positive impact represent opportunities, while those with negative impact represent risks


ERM Advantage – Real Life Examples – with Miley Cyrus

Strategy = Figure out your life
Internal Environment = Dad is a famous Country singer

Miley Cyrus = Career Risk Assessment

Step 1: Internal Environment allows her to set objectives/goals for herself.

Achy Breaky Heart has:
1. Been translated into 100 languages
2. Been the only single to reach triple platinum and #1 single in 1992 (Australia)


ERM and Miley Cyrus


Step 2: EVENT Identification= Disney (Pure Brand)


Step 3: Risk Assessment (Part 1 )= Music Career


Step 4: Risk Assessment “Risk Appetite” Ditch Good Girl Look to Riskier Looks & Music


Step 5: Risk Response = RISKIER LOOKS & VMA Actions


IC & ERM have 4 Risk response categories:

1. Avoid the Risk = “Run Back to Disney Roots!”

2. Reduce = Cut Down on Bad Girl Image (keep your clothes on!)


3. Share the Risk = Be weirder than Lady Gaga


4. Accept = Remember what happened to Britney or “Britney who?”

Get reactions like this!


Miley’s “Risk Response” Choices, like the IC & ERM Four Categories:
1. Avoid = Run Back to Disney Roots!
2. Reduce = Stop the Bad Girl Image
3. Share = Befriend “Lady Gaga”
4. Accept = Remember what happened to Britney or “Britney who?”

ERM ADVANTAGE: However, if she decides to implement the ERM framework she would ALSO need to consider potential responses from these categories with the intent of achieving a residual risk level aligned with her RISK Tolerances.

So what should she choose?

1. Avoid = Run Back to Disney Roots!
2. Reduce = Stop the Bad Girl Image
3. Share = Befriend “Lady Gaga”
4. Accept = Remember what happened to Britney or “Britney who?”

Polling Question

ERM Risk Assessment Solution


Time Machine

Get back to her good girl success patterns


Principle# | Points of Focus
10 | 6
11 | 4
12 | 6


New Framework and ERM Differences: Control Activities

Common to Both:
• Selects & develops control activities
• Selects & develops general controls over IT
• Deploys through policies and procedures

Intro. New but expanded in ERM: NONE
ERM Exclusive: NONE


Principle# | Points of Focus
13 | 5
14 | 4
15 | 5

New 2013 Audit Layering Trends


New Framework and ERM Differences: Information & Communication

Common to BOTH:
• Communicates Internally
• Communicates Externally

Intro. NEW but expanded in ERM:
• Uses relevant information (Pr.#13)

ERM Exclusive: NONE

Vol#4 – 2013 COSO page 122, Example Data Validation


Created a higher bar for Internal Control Testing

Why increase scrutiny of Data Validation?

3 Layered Testing

High Risk & Use of Judgment?


Principle# | Points of Focus
16 | 7
17 | 3

New Framework and ERM Differences: Monitoring

Common to BOTH:
• Conducts ongoing &/or separate evaluations
• Evaluates & Communicates deficiencies

Intro. New & Expanded in ERM: NONE
ERM Exclusive: NONE

The NEW 2013 IC Framework presents a more current view of monitoring, using a baseline & monitoring external service providers!


COSO Health Check – On Your Own

Free Tool: Evaluation of 86 Attributes, go to www.AvivaSpectrum.com/Blog

Included:
1) Introduction
2) Overall Assessment
3) Components (167 rows of data)
4) Principles w/Attr. (386 rows of data)
5) Deficiencies

COSO’s Transition guidance


Compliance Control Analysis


Step 1 – Awareness & Education!

CCA Transition Plan

Group | Document | Delivery Date | Next Steps
Board of Directors | Executive Summary | FY 2013 3rd Quarter Meeting | Agreement on Transition plan
C-Level | Executive Summary | FY 2013 3rd Quarter Meeting | Internal Transition meeting Dec. 13, 2013
SOX Director | All Four COSO Materials; COSO Cloud Based Guidance; Monitoring guidance Vol #3 | Nov. 4th | Draft Transition plan for Dec. 13th meeting (Dec. 6th)

Step 2 – Preliminary Impact Assessment

Map your existing system of internal control against the updated COSO Framework.


CCA Transition Plan

Area | Assessment File name | Items/Controls Covered | New 2013 Impact | # of Approaches (Vol. 4) | Est. Eval. Lead Time | Due Date | Impact inventory listing due
ELC | 2013-ELC Assessment.xls | 45 | 5 PR & 17 POF | 25 Unique Examples | 2 weeks | Nov. 1st | Nov. 8th

Note: the approaches are NOT Controls. Estimate 2-3 Controls per approach.


Step 3: BOD & External Auditors

Each business unit or location may prepare its own local level assessment.

CCA Transition Plan (organizational scope):
• Corporate Office: Fin, IT
• Division 1: Fin, IT
• Operating Unit: Fin, IT


CCA Transition Plan

Initial Impact Analysis should give WARNINGS to BOD & C-Level Mgmt Immediately!

In-Scope Entity with Control Deficiency from Prior Year

Vol. #3 – COSO IC Effectiveness (pg. 65-66)


FACTS:
• Private Co., retail furniture company (family owned)
• $200MM Rev and exclusively in Western US Sales
• Evaluation of Principle #1

COSO 2013 FINDINGS
1. No formal training program to make employees aware of the importance of adherence to standards of conduct.
2. No process to evaluate EEs against the published integrity & ethics policy
3. Processes to ID & Address Deviations are ad hoc

Readiness test

QUESTION: Is this a Control Deficiency, Significant Deficiency, or Major Deficiency?


Step 4: Develop & Execute the Plan

Company Overview/Forecast (2 mos. lead time)
SOX Aggregate Impact (3 mos. lead time)
Finance & IT Deliverables Impact assessment (3-4 mos. lead time)

Compliance Control Analysis (“CCA”)


Control Compliance Analysis

Info@AvivaSpectrum.com

Contact Information

Sonia Luna, President, CEO
Sonia.Luna@AvivaSpectrum.com
700 S. Flower Street #1100, Los Angeles, CA 90017
P: (213) 250-5700
