Top 5 Pitfalls to Avoid Implementing COSO 2013
Compliance Made Simple ©
3. COSO 2012 Project Participants
COSO Board of Directors
COSO Advisory Council:
• AICPA
• AAA
• IIA
• FEI
• IMA
• Regulatory Observers
• Public Accounting Firms
• Others (IFAC, GAVI Alliance, ISACA)
PwC – Author and Project Leader
Stakeholder Input – Survey of over 700 stakeholders and users of the 1992 Internal Control – Integrated Framework
4. What’s Staying & What’s Leaving?
What is not changing...
1. Definition of internal control
2. Five components of internal control
3. The fundamental criteria used to assess effectiveness of systems of internal control
4. Use of judgment in evaluating the effectiveness of systems of internal control
What is changing...
1. Codification of principles with universal application for use in developing and evaluating the effectiveness of systems of internal control
2. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives
3. Increased focus on operations, compliance and non-financial reporting objectives based on user input
5. COSO-2012: Summary of Updates
A changing business environment... drives updates to the Framework...
• Expectations for governance oversight
• Globalization of markets and operations
• Changes in business models
• Demands and complexity of rules, regulations and standards
• Expectations for competencies and accountabilities
• Use and reliance on evolving technology
• Expectations for preventing and detecting fraud
Updated COSO Cube: not limited to FINANCIAL (see appendix for AICPA Toolkit changes)
6. Benefits of the Updated Framework
(Diagram: Confidence and Performance, for Management and Board of Directors, Other Users, and External Parties)
• Improve governance
• Expand use beyond financial reporting
• Improve quality of risk assessment
• Strengthen anti-fraud efforts
• Adapt controls to changing business needs
• Greater applicability for various business models
7. COSO 2012: CODIFICATION OF 17 PRINCIPLES
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
10. Major Impact to A/C
New fraud considerations
Changes to “Oversight functions”
In-depth questions regarding forecasting the impact of changes to ICFR and Operations
11. Part I: Audit Committee Administration
• Audit Committee Roles and Responsibilities
• Audit Committee Charter Matrix
• Audit Committee Financial Expert Decision Tree
• Sample Request for Proposal Letter for CPA Services (Public Company)
• AICPA Peer Reviews and PCAOB Inspections of CPA Firms: An Overview
• Guidelines for Hiring the Chief Audit Executive (CAE)
• Engaging Independent Counsel and Other Advisers
Part II: Key Responsibilities
Part III: Performance Evaluation
Part IV: Other Tools
12. Appendix A – Dodd-Frank Act: Potential Impact on AC Toolkit by AICPA
Template – Type of change that may be expected
#1 AC Member role & responsibilities – Minor updates related to the AC member’s role in assisting the BOD in its oversight of internal control and of whistleblower findings, their investigation and related action implementation, including consideration of the impact of a board member’s continued social relationship with company executives.
#2 AC Charter – Minor updates related to investigative authority and its implementation by the AC.
#7 Engaging Counsel – Minor updates relating to consideration of long-standing social relations and their impact on independence in light of current SEC filings based on the Dodd-Frank Act.
#8 Internal Control – Major updates to align the principles and attributes under each of the 5 areas of COSO with the new Integrated Framework.
#9 Fraud Responsibilities – Minor (core issues have already been addressed).
#10 Whistleblower – Moderate (needs to include in the template/log how to track when SEC investigations have come to the attention of the Audit Committee).
#12 Executive Session – Minor updates to the suggested questions to include queries related to the assessment and impact of significant changes on internal controls.
#14 Responding to Identification of Material Weakness – Moderate (needs updated language for Dodd-Frank related issues).
#15 Evaluating the Internal Audit Team – Moderate (currently no mention of whistleblower complaint analysis or material weakness follow-up; these could be issues for the AC given the new Dodd-Frank Act).
#17 Self Evaluation – Minor update related to AC responsibilities per the Dodd-Frank Act.
13. Top 5 Implementation Pitfalls
1. Pitfall – Deliverables Not Defined
40% of projects fail completely (failure defined as not delivering on expectations or being unusable) [1].
[1] Standish Group’s 1996 IT survey
14. Top 5 Implementation Pitfalls
2. Pitfall – No Link
Over 90% of strategies never fulfill their original intent [2].
Primary driver – planning never linked to key deliverables and overall quantifiable impact (e.g. number of key controls drops by 10%, external auditor use of IA work increases by 15%, ELC controls reduce 25% of detailed transaction testing).
Key success formula: Motivation = Project SUCCESS! [2a]
[2] J.P. Kotter, “Leading Change: Why Transformation Efforts Fail,” Harvard Business Review, Mar.–Apr. 1995, pp. 59–67
[2a] Data on 290 completed projects from software engineering practitioners based in Australia, Chile, and the USA, by June Verner
15. Top 5 Implementation Pitfalls
3. Pitfall – Culture
Multi-location organizations have over 80% of projects fail because of cultural issues [3] (Rolls-Royce case study).
Primary drivers
1. People don’t do as they say
2. Ineffective leaders
3. Competing priorities
4. Insufficient resources
[3] Yahaya Yusuf, A. Gunasekaran, Mark S. Abthorpe, “Enterprise information systems project implementation: A case study of ERP in Rolls-Royce”
16. Top 5 Implementation Pitfalls
4. Pitfall – Insufficient Resources
People are the most unstable set of resources (e.g. position changes, turnover, CPE, life changes), and major projects typically underestimate the need for “human resources” by over 86% on all projects [4].
Primary drivers
1. Budget – ineffective (incorrect assumptions)
2. Infrequent timeline reviews
3. Timeliness of budget vs. actual corrections
[4] Susilo, A., Heales, J., Rohde, F., “Project management effectiveness: The choice – formal or informal controls,” University of Canberra
17. Top 5 Implementation Pitfalls
5. Pitfall – “Team B” Syndrome
87% of C-level execs know the team leader function but NOTHING ELSE [5].
Staff augmentations without a clear sense of the future
Subcontractors never fully integrated within the project, much less the organization
[5] “Modern Approach” by Petty, 2009; Juli, 2010
18. How to win the COSO Implementation Project?
1. Discuss cultural issues upfront (what will work and what won’t… & “why”)
2. Create low & high estimates with checks & balances on estimates
3. Accountability structures for project leader and team members
4. Never use Team B for a top-priority project
5. Clearly define deliverables
6. Link deliverables to people’s performance and overall corporate goals (quantify major categories)
7. Updates on timelines and ETC (estimate to complete, by person, by task)
8. Get “perceived percentages” from team members and “weed out” weak players
9. Frequent project updates (more in the beginning and fewer towards the end)
10. Present deliverables in a GRAND way!
19. Contact Information
Sonia Luna, President, CEO
Sonia.Luna@AvivaSpectrum.com
700 S. Flower Street #1100
Los Angeles, CA 90017
P: (213) 250-5700 x206