Phoenix Chapter Annual Conference
May 17, 2019
Much More than Just
Internal Control…
Robert Hirth
COSO, Chair Emeritus
Three Excellent Resources…
What the Heck is
COSO?...
About COSO…
Originally formed in 1985, COSO is a joint initiative of five private sector organizations (representing > 600,000 professionals) and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence.
Mission
COSO’s Mission is “To provide thought leadership
through the development of comprehensive frameworks
and guidance on enterprise risk management, internal
control and fraud deterrence designed to improve
organizational performance and governance and to
reduce the extent of fraud in organizations.”
COSO’s Fundamental Principle
• EFFECTIVE risk management and internal control are
necessary for long term success of all organizations
And Thus…
The National Commission on Fraudulent Financial Reporting, a private-sector initiative, was formed in 1985 with James C. Treadway, Jr., former SEC Commissioner and General Counsel, Paine Webber, as its Chairman, becoming known as the “Treadway Commission”. Its charge was to inspect, analyze, and make recommendations on fraudulent corporate financial reporting.
Source: sechistorical.org
The Internal Control Recommendation
All public companies should maintain internal
controls that provide reasonable assurance that
fraudulent financial reporting will be prevented or
subject to early detection - this is a broader
concept than internal accounting controls…
…The Commission also recommends that
its sponsoring organizations cooperate on
developing additional, integrated guidance on
internal controls…
- Treadway Commission report
“…while effective internal control requires leadership from
the top, the responsibility for effective implementation of
internal control resides with everyone in the organization,
not just the finance function. This includes accountants,
compliance officers and those involved in making contracts
and supporting operations as well as those working on the
production line to ensure that products produced meet
quality objectives.
…the individuals that are responsible for achieving the
objectives are also responsible for the quality of internal
controls.”
Larry Rittenberg
Chair Emeritus, COSO
A Broad Perspective…
Internal control is a process, effected by an entity’s board
of directors, management, and other personnel, designed
to provide reasonable assurance regarding the
achievement of objectives relating to operations,
reporting, and compliance.
Source: COSO 2013 Internal Control – Integrated Framework
20 Years in the Making…
Why Make Changes?
In the twenty years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of systems of internal control that support business decisions and governance of the organization.
Source: COSO September 2012
Project deliverable #1 – Internal Control-Integrated Framework (2013 Edition)
• Consists of three volumes:
▫ Executive Summary
▫ Framework and Appendices
▫ Illustrative Tools for Assessing
Effectiveness of a System of Internal
Control
• Sets out:
▫ Definition of internal control
▫ Categories of objectives
▫ Components and principles of internal
control
▫ Requirements for effectiveness
Project deliverable #2 – Internal Control over External Financial Reporting: A
Compendium....
• Illustrates approaches and
examples of how principles are
applied in preparing financial
statements
• Considers changes in business
and operating environments
during past two decades
• Provides examples from a
variety of entities – public,
private, not-for-profit, and
government
• Aligns with the updated
Framework
ICFR, SOX Section 404
The final rules require a company's annual report to include an internal control report of
management that contains:
• A statement of management's responsibility for establishing and maintaining adequate
internal control over financial reporting for the company;
• A statement identifying the framework used by management to conduct the required
evaluation of the effectiveness of the company's internal control over financial reporting;
• Management's assessment of the effectiveness of the company's internal control over
financial reporting as of the end of the company's most recent fiscal year, including a
statement as to whether or not the company's internal control over financial reporting is
effective.
ICFR, SOX Section 404
• The assessment must include disclosure of any "material weaknesses" in the
company's internal control over financial reporting identified by management. Management
is not permitted to conclude that the company's internal control over financial reporting is
effective if there are one or more material weaknesses in the company's internal control over
financial reporting; and
• A statement that the registered public accounting firm that audited the financial
statements included in the annual report has issued an attestation report on
management's assessment of the registrant's internal control over financial reporting.
Using a Suitable Framework…
• Management is required to base its assessment of the effectiveness of the company's
internal control over financial reporting on a suitable, recognized control framework
established by a body of experts that followed due-process procedures, including the broad
distribution of the framework for public comment. In addition to being available to users of
management's reports, a framework is suitable only when it:
• Is free from bias;
• Permits reasonably consistent qualitative and quantitative measurements of a company's
internal control over financial reporting;
• Is sufficiently complete so that those relevant factors that would alter a conclusion about the
effectiveness of a company's internal control over financial reporting are not omitted; and
• Is relevant to an evaluation of internal control over financial reporting.
Why is COSO a Suitable Model?
“Management is required to base its assessment of the
effectiveness of the company's internal control over financial
reporting on a suitable, recognized control framework
established by a body of experts that followed due-process
procedures, including the broad distribution of the framework
for public comment. The COSO Framework satisfies our
criteria…”
Source: SEC
A Specific-Purpose Perspective
COSO is Happy!
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
COSO and Fraud…
The Fraud Risk Management Guide is an update to a
2007 report sponsored by the American Institute of
CPAs (AICPA), The Institute of Internal Auditors (IIA), and
ACFE, Managing the Business Risk of Fraud: A Practical
Guide. Updates reflect recent developments in the area
of risk management, including important information
related to new technology, specifically data analytics.
The Fraud Risk Management Guide includes examples of
key program components and resources that
organizations can use to develop a fraud risk-
management program effectively and efficiently. In
addition, the guide contains references to other sources
of guidance for tailoring a fraud risk-management
program to a specific industry.
COSO ICF Principle #8
Update articulates principles of effective internal control (continued)
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Principle #8 – Points of Focus
• Considers Various Types of Fraud
• Assesses Incentives and Pressures
• Assesses Opportunities
• Assesses Attitudes and Rationalizations
Types of Fraud
• Fraudulent financial reporting
• Fraudulent non-financial reporting
• Misappropriation of assets
• Illegal acts
• Uses technology or does not
• Inside or outside the organization
• Corruption
Sources of Fraud
• Management bias
• Degree of estimates and judgments
• Fraud schemes and scenarios common
to industries and markets
• Geographic regions
• Incentives that motivate fraudulent
behavior
• Nature of technology and ability to
manipulate information
• Unusual or complex transactions
• Vulnerability to override and ability to
circumvent existing controls
5 KEY POINTS
• Establishes and Communicates a Fraud Risk Management Program
• Performs a Comprehensive Fraud Risk Assessment
• Selects, Develops and Deploys Preventative and Detective Fraud Controls
• Establishes a Communication Process about Potential Fraud
• Selects, Develops and Performs Ongoing Evaluations
Control Hierarchy…
• Preventative better than
detective
• Automated better than
manual
• Must be operating as
intended and effective
• Must be performed by
competent personnel
• Should be tested
periodically
Controls That May Help Reduce or Deter Fraud…
• Approvals and approval levels
• Access
• Limits
• Reviews, matching
• Segregation of duties, rotations
• Reconciliations
• Metric reporting
• Vacations
Other Control Characteristics
• Frequency
• Precision
• Degree of difficulty to apply
• Competencies required
Best Fraud Defenses
• People
• Culture
• Technology
• Whistleblowers and Hotlines
• Controls
• Vigilance
• Audits
The Three Lines of Defense model advocates for
clearly defining responsibilities for three aspects of
risk: risk ownership, risk monitoring, and risk
assurance. Respectively, functions that own and
manage risks are the first line. Various risk control
and compliance functions that monitor risks are the
second line. Internal audit, which provides
independent assurance on the effectiveness of
control and compliance functions, is the third line.
The new white paper breaks down each of the
three lines and assigns the corresponding
framework principles. For example, the first line of
defense — primarily front-line and mid-line
managers who have day-to-day ownership and
management of risks and controls — is assigned the
12 COSO principles listed under risk assessment,
control activities, information and communications,
and monitoring.
Enterprise Risk Management – Integrating with Strategy and Performance
A New Title…
• Retitled as Enterprise Risk Management—Integrating with Strategy and Performance
• Recognizes the importance of strategy and entity performance
• Further delineates enterprise risk management from internal control
Builds Links to Internal Control
• The document does not replace the
Internal Control – Integrated Framework
• The two frameworks are distinct and
complementary
• Both use a components and principles
structure
• Aspects of internal control common to
enterprise risk management are not
repeated
• Some aspects of internal control are
developed further in this framework
A Key Introduction…
• Our understanding of the nature of risk, the art and science of
choice lies at the core of our modern market economy.
• Every choice we make in the pursuit of objectives has its risks.
From day-to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with uncertainty in these choices is a part of our organizational lives.
Definitions
Risk: The possibility that events will occur (or will not occur) and affect the achievement of strategy and business objectives.
Enterprise Risk Management: The culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value.
1) Provides a New Document
Structure
• Framework focused on fewer components (five)
• Uses focused call-out examples to emphasize key points (> 30)
• Follows the business model versus an isolated risk management process
2) Introduces Principles
20 principles in total, distributed across the five components
3) Incorporates New
Graphics/Concepts
Graphic has stronger ties to the business model
Links to Strategy
• Explores strategy from three different perspectives:
–The possibility of strategy and business objectives not aligning with
mission, vision and values
–The implications from the strategy chosen
–Risk to executing the strategy
Integrated, Not Added on
Decision-making
Uncertainty/Certainty
• Selecting SAP or Oracle
• Setting the quarterly revenue plan
for $20 million
• Hiring a new VP of___________
• Not developing a new product
• Making a new investment
• Opening a new office
• Closing an office
NEW!!- Compendium of Examples
The compendium illustrates:
• All principles
• A variety of entity sizes from global
through to national, regional, and
local entities
• Actual company practices and
augmented with expected
practices in select areas, as
needed
• An ERM perspective from the
business mindset
In-Depth View of ERM in Practice
Each example:
• Sets out the industry context
• Highlights the key benefits of enterprise risk management
• Lists the principles demonstrated
• Provides facts and circumstances for context
• Offers in-depth discussion
The Compendium Considers a Variety of Industry
Types
You May Already be “Doing
ERM”…
• Strong, Articulated Mission, Clear Vision and Values
• Commitment to the concept of ERM activities and integration
• Strategy as the best alternative, Risk vs. Reward, linked to objectives
• Understand uncertainty of our world and decisions we make
• Big focus on Change, so what, what do we do
• Focus and measurement on Objectives
• Going through the “WHAT IF” process
• Knowing what you won’t do and why
• Evaluating if ERM is adding value
WHY ERM?
“How would you like to meet more
of your objectives more of the
time? “
ERM Simplified…
Every organization is trying to achieve its mission. Trying usually involves creating a plan that defines objectives, including metrics. Establishing that plan and objectives as well as executing to those objectives involves decision-making, which involves uncertainty.
In addition, we live in an imperfect world that changes quickly and presents unexpected events, all creating additional uncertainty. Risk is defined as the degree of uncertainty in achieving objectives.
ERM includes the discipline and process of identifying, evaluating and the desire to manage risk and uncertainty in any enterprise relative to its plan and objectives, as well as external events, so that the plan and objectives are achieved more often than without this discipline and activity.
The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) released a new research
report that provides direction on how the Internal
Control-Integrated Framework (2013) and the
Enterprise Risk Management-Integrated Framework
(2004) can help organizations effectively and efficiently
evaluate and manage cyber risks.
Using the 2013 Internal Control-Integrated Framework
as an example, COSO in the Cyber Age provides
direction on identifying and implementing internal
control components and principles, from demonstrating
commitment to integrity and ethical values, to risk
analysis, and evaluating and communicating
deficiencies.
ERM on Every Audit…
• What are the Objectives?
• What is the plan to achieve them?
• How do you monitor progress and status?
• What will impact the plan (positive and
negative)?
• Do you recognize uncertainty of decisions?
• How can you be better?
• Do you need any help?
“Personalize” ERM…
• What are YOUR Objectives?
• What is YOUR plan to achieve them?
• How do YOU monitor progress and
status?
• What will impact YOUR plan (positive
and negative)?
• Do YOU recognize uncertainty of
decisions?
• How can YOU be better?
• Do YOU need any help?
COSO, World Business Council for Sustainable Development
to Issue First- Ever Guidance for Applying Enterprise Risk
Management (ERM) to Environmental, Social, Governance-
related Risks
"Business is moving into an era of significant change in corporate
governance. Integrating the environmental, social and governance
factors into a company’s risk assessment will soon be the norm. New
tools are needed for managing this new view of risks to the long-term
financial and societal profile of business. Using these tools
will mean better decisions that will make more sustainable companies
become more successful.”
WBCSD President and CEO Peter Bakker,
January 2018
Applying enterprise risk management to
environmental, social and governance-related
risks
How the guidance can help you
• Enhanced resilience
• A common language for articulating ESG-
related risks
• Improved resource deployment
• Enhanced pursuit of ESG-related
opportunities
• Realized efficiencies of scale
• Improved disclosure
COSO Framework and Sustainability
Leveraging the COSO Internal Control – Integrated Framework to Improve Confidence in
Sustainability Performance Data
5/22/2019
And Even Legal Advice…
“Be aware that sustainability has become a major, mainstream
governance topic that encompasses a wide range of issues, including
a company’s long-term durability as a successful enterprise, climate
change and other environmental risks and impacts, systemic financial
stability, management of human capital, labor standards, resource
management, and consumer and product safety, and consider how
your company presents itself with respect to these matters.”
(Wachtell Lipton, July 2018)
And Even Internal Audit !
Based upon a thorough review by NIKE’s internal audit function,
considerable progress has been made to NIKE’s sustainability data
processes over the past several fiscal years, including but not limited
to: a performance management data system overhaul, development
of standard operating procedures, and an improved data governance
model. The review also identified opportunities to further improve
systems and controls around sustainability reporting. NIKE will
continue to evolve and address information systems in light of this
goal.
ESG “Out Performs”
Industries Grouped by Resource Intensity & Sustainability Impacts
Sustainable Industry Classification System (SICS®): 77 industries within 11 sectors

Consumer Goods
• Apparel, Accessories & Footwear
• Appliance Manufacturing
• Building Products & Furnishings
• E-Commerce
• Household & Personal Products
• Multiline and Specialty Retailers & Distributors
• Toys & Sporting Goods

Extractives & Minerals Processing
• Coal Operations
• Construction Materials
• Iron & Steel Producers
• Metals & Mining
• Oil & Gas – Exploration & Production
• Oil & Gas – Midstream
• Oil & Gas – Refining & Marketing
• Oil & Gas – Services

Financials
• Asset Management & Custody Activities
• Commercial Banks
• Consumer Finance
• Insurance
• Investment Banking & Brokerage
• Mortgage Finance
• Security & Commodity Exchanges

Food & Beverage
• Agricultural Products
• Alcoholic Beverages
• Food Retailers & Distributors
• Meat, Poultry & Dairy
• Non-Alcoholic Beverages
• Processed Foods
• Restaurants
• Tobacco

Health Care
• Biotechnology & Pharmaceuticals
• Drug Retailers
• Health Care Delivery
• Health Care Distributors
• Managed Care
• Medical Equipment & Supplies

Infrastructure
• Electric Utilities & Power Generators
• Engineering & Construction Services
• Gas Utilities & Distributors
• Home Builders
• Real Estate
• Real Estate Services
• Waste Management
• Water Utilities & Services

Renewable Resources & Alternative Energy
• Biofuels
• Forestry Management
• Fuel Cells & Industrial Batteries
• Pulp & Paper Products
• Solar Technology & Project Developers
• Wind Technology & Project Developers

Resource Transformation
• Aerospace & Defense
• Chemicals
• Containers & Packaging
• Electrical & Electronic Equipment
• Industrial Machinery & Goods

Services
• Advertising & Marketing
• Casinos & Gaming
• Education
• Hotels & Lodging
• Leisure Facilities
• Media & Entertainment
• Professional & Commercial Services

Technology & Communications
• Electronic Manufacturing Services & Original Design Manufacturing
• Hardware
• Internet Media & Services
• Semiconductors
• Software & IT Services
• Telecommunication Services

Transportation
• Air Freight & Logistics
• Airlines
• Auto Parts
• Automobiles
• Car Rental & Leasing
• Cruise Lines
• Marine Transportation
• Rail Transportation
• Road Transportation

Source: © SASB
Thought Leadership to Improve Your
Organization
Oh, and One More Thing…