
COSO 2013:

What’s different?

FMI – Victoria

December 9, 2013
Agenda

Introductions
Framework comparisons: 1992 vs. 2013 Release
Next steps
Questions and Wrap-Up

© 2013 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with 1
KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Introductions

John Heskin
Partner, Risk Consulting
(604) 691-3540
jheskin@kpmc.ca

Update Triggers

Evolution to the new model


■ Business and operating environments which have become more global, more
complex and more technology driven
■ Stakeholder and regulator expectations
■ Need to provide greater clarity and more practicality to application of the framework
■ Provide enhancements

1992: COSO Internal Control – Integrated Framework
2002: SOx Act
2004: PCAOB AS No. 2
2006: COSO Internal Control over Financial Reporting – Guidance for Smaller Public Companies
2007: PCAOB AS No. 5
2008: NI 52-109
2013: COSO Internal Control – Integrated Framework

COSO Framework

There are five key elements outlined in the framework, which are represented
below:

[Figure: COSO 2013 – the five components of internal control]

The definition of internal control and these five elements used to assess the
effectiveness of a system of internal controls remain consistent.

COSO 2013 Framework – Summary of Changes

What is not changing...

• Core definition of internal control
• Three categories of objectives and five components of internal control
• Each of the five components of internal control is required for effective internal control
• Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

What is changing...

• Updated for changes in business and operating environments
• Expanded operations and reporting objectives
• Implicit fundamental concepts underlying the five components codified as 17 principles
• Updated for increased relevance of and dependence on IT
• Addresses fraud risk assessment and response

2013 Framework Structure

5 components – The components and relevant principles must be present and functioning.

17 principles – The components must operate together in an integrated manner.

Points of Focus – The various key issues (+/- 70) are disclosed for information purposes; they must not all necessarily be present.

Control Environment

Principles

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Main changes

• The information is reorganized and restructured around 5 principles.
• Integration of lessons learned and developments in ethics and compliance (codes of conduct, whistle-blower programs, etc.).
• Governance roles and responsibilities are clarified, including board responsibility for overseeing the system of internal control.
• The necessity of reporting (CEO, management) in relation to internal control is clearly defined.

Risk Assessment

Principles

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Main changes

• Objectives become a pre-condition to internal control (operations, financial reporting, external non-financial reporting, internal reporting and compliance).
• Incorporates the risk tolerance concept.
• Introduces the concepts of risk velocity and persistence.
• Considers fraud risk.

Control Activities

Principles

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

Main changes

• Updated discussion on ITGCs from 1992 to today's technology.
• Expanded discussion of the relationship between automated controls and ITGCs and how they link to the business processes.
• Clarifies that control activities are actions established by policies and procedures rather than the policies and procedures themselves.

Information and Communication

Principles

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Main changes

• Obtaining quality information not only from the organization, but also from its partners, particularly for subcontracted operations.
• Refers to modes of communication (social media, text messages, etc.).
• For ICFR – automated data processing controls for information reporting and data warehousing.

Monitoring Activities

Principles

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Main changes

• Distinguishes between ongoing and separate evaluations.
• The organization must focus on the criteria defined by applicable regulations (e.g., SOx, NI 52-109).
• Deficiencies are grouped into major and other deficiencies.

Major Deficiency and Material Weakness

COSO 2013

An effective system of internal control requires that:
• Each of the five components and relevant principles is present and functioning, and
• The five components operate together in an integrated manner.

A major deficiency exists if the organization cannot conclude that these are met.

A major deficiency in one component or principle cannot be mitigated to an acceptably low level by the presence and functioning of another component or principle.

Look across components and principles for mitigating controls to reduce the severity.

The concept of material misstatement does not exist.

SEC/PCAOB

Material weakness: a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

• Considers magnitude and likelihood of misstatement.
• Follow CSA/SEC criteria for defining and classifying the severity of deficiencies when reporting under those regulations.
• Cannot conclude that internal controls are effective under the 2013 Framework if a material weakness exists.

Look for mitigating controls to reduce the severity.


Transition: Timeline and Effort

■ COSO determined the 2013 Framework will supersede 1992 Framework effective
December 15, 2014
– The SEC has not stated a transition date; it has stated plans to monitor the transition
phase.
– CSA has not made any public statements on transition.
■ Assess the implications of the 2013 Framework as soon as feasible
■ Impact of adopting the updated Framework will vary by entity
■ COSO recommends that entities disclose whether the 1992 or 2013 version of the
Framework was used during the transition period
■ Opportunity to take a fresh look
– at the efficiency and effectiveness of business processes, risk assessments, and
controls responsive to the risks
– at the ICFR assessment prepared under the 1992 Framework
■ Treat 2013 assessment as a “Dress Rehearsal”!
Anticipated Impacts – Management Perspective

1. Assess the quality of existing documentation of your program
– Clearer, more descriptive methodology documentation, COSO categories, tool
updates
2. Development / formalization of controls and related documentation
– Consider: Form and substance changes as well as additions, including key
topics such as IT, fraud risk, outsourced controls, aggregation of deficiencies
– Assess: Impact, especially for those who have scoped these areas out and
relied on other controls
– Develop: Road map for enhancement based on assessment
– Document: Compliance / applicability of the 17 principles to your program
3. Opportunity to revisit your program and the principles behind it
4. Awareness for management and audit committees
5. Certification considerations – material change in ICFR and framework used

Impact to Management’s Control Certifications

The use of the COSO framework is stated in Canadian quarterly and annual
certifications. COSO FAQ #6: "The COSO Board believes…that any
application of its Internal Control-Integrated Framework that involves external
reporting should clearly disclose whether the original or 2013 version was
utilized."

Commencing with the next certificate, we recommend identifying the framework
by inserting its date until after December 15, 2014:

Control framework: The control framework the issuer's
other certifying officer(s) and I used to design the issuer's
ICFR is the Integrated Framework (COSO 1992
Framework) published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO).

Anticipated Impacts – Auditor Perspective

■ Standards require auditors to understand the design and implementation of
entity level controls and controls that address significant risks
– Management / auditor joint discussions on when management intends to adopt
as well as potential changes – primarily impacts timing of auditor testing
■ Awareness at audit committee and discussion of impacts to audit approach
■ For US listed companies, auditor opinion on internal controls under 404(b)
– Will need to know when management intends to adopt – impacts the report as well
as timing of testing; may need to co-ordinate with internal audit
– Will need to read any new documentation and audit key controls related to each
relevant principle, or assess management's assertion that a principle is not relevant
– Will impact evaluation and reporting of control deficiencies – aggregate by
COSO principle and not just COSO component
– May impact the nature of disclosure of the material weakness, if any

Next Steps

■ Understand the guidelines and discuss them with management and the board
■ Assess the impacts – current state assessment
■ Document position taken
■ Roadmap to action plans as required
■ Confirm certifiers’ collaboration on approach and extent of work
■ Update your audit committee

The information contained herein is of a general nature and is
not intended to address the circumstances of any particular
individual or entity. Although we endeavor to provide accurate
and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will
continue to be accurate in the future. No one should act on
such information without appropriate professional advice after
a thorough examination of the particular situation.

© 2013 KPMG LLP, a Canadian limited liability partnership and
a member firm of the KPMG network of independent member
firms affiliated with KPMG International Cooperative ("KPMG
International"), a Swiss entity. All rights reserved.

The KPMG name, logo and "cutting through complexity" are
registered trademarks or trademarks of KPMG International.
