5 Steps to a More Efficient Internal Control Environment

Is your team overwhelmed with activities that feel unnecessary?

How confident are you that the energy spent on testing is focused on the necessary controls?

Leverage policyIQ to systematically focus on the critical controls for management and testing. More efficiently analyze which Financial Statement Assertions, relative to each of your 10K line items, are adequately controlled, which are left vulnerable and which of your relevant assertions are over-controlled! See, plainly, the gaps in your coverage, leverage the evidence to justify the reduction of waste, and plan to concentrate effort on work that matters.

This process really starts with your risk assessment. If you have not leveraged policyIQ to bring automation and reliability to your risk assessment process and want to walk through the policyIQ solution (including the just-released feature that makes cumulative risk calculations possible), reach out to schedule a free working meeting with us! After completing your risk assessment, identifying significant accounts and relevant assertions, and determining which of your processes and objectives are in scope (all steps that can be managed in policyIQ), you can begin the process of rationalizing your controls.

Next, leverage policyIQ to move through these five Control Rationalization steps:

Each step is made more efficient with policyIQ. We can support you to customize templates for the attributes that are critical and unique to your organization. The import, linking, calculations, workflow, and reporting features will allow you to more quickly examine the effectiveness and priority of your procedures. Having confidence in your Control Rationalization process and your internal control environment then allows you to come full circle to look at the bank of risks that you previously identified. You might conclude that some process risks that have consumed time and attention for years are actually not in scope. This Control Rationalization process will help you to be more effective and more efficient through each testing cycle.

Would you like to see sample templates and schedule a working meeting to get the ball rolling? Contact us and reap the benefits by your next testing cycle!

Lessons Learned from Early Adopters of the 2013 COSO Framework

RGP brought us a second COSO webinar hosted by these Audit, Risk, Finance and Accounting experts:

COSO Follow-up Presenters

Watson kicked off RGP’s follow-up webcast with a recap of the highlights of the first session hosted a couple of months ago that addressed effective implementation of the updated COSO Framework. She noted that the framework is not significantly different from the first version of COSO’s Internal Control Integrated Framework published in 1992. The most notable change is that the 17 Principles that were introduced in language that was embedded in the earlier version have now been called out and defined more formally in this latest version.

As evidenced by a session polling question, a significant number of companies have now moved into the planning stage and are beginning the process of mapping their controls to Points of Focus or Principles. Remember that companies using the COSO framework must demonstrate that all 17 Principles are present and functioning, but the Points of Focus are not required. While COSO says that the Points of Focus are intended to be considerations, Les Sussman noted that we are finding that many companies are mapping to the Points of Focus and using them as a checklist of sorts to help with the mapping process.

In the project timeline review, Sussman noted the importance and value of checking in with your external auditors early and often. He urged attendees to get started as soon as possible as those with a December Fiscal Year End will be expected to demonstrate adequate coverage of COSO’s 17 Principles by the end of this year.

COSO Project Timeline

John Digenan further emphasized Sussman’s point that the mapping process was not particularly time consuming. The mapping portion of the project is pretty straightforward and can go pretty quickly—as it did for Microsoft. The process of updating and validating controls is really what takes the lion’s share of time in this transition process.

The team examined and reviewed three case studies, involving Microsoft, a large telecommunications company ($128B) and a smaller mining company ($1.5B). In each of these cases, the company performed an initial bottom-up approach, mapping entity level controls to related COSO Principles. All three considered the COSO Points of Focus to help them with the gap analysis and remediation process (although some did not formally document gaps and remediations in this early stage of the process). Each organization had similar findings to John’s regarding time spent on mapping. This part of the process went pretty quickly (in a week or two). All found the early involvement of external auditors to be helpful. Another common finding was that so-called “missing” controls were being performed, but were not formally documented and tested. Even in the largest organizations, only about a dozen controls needed to be documented.

The team also presented some of the challenging issues (and the associated “good news”) for this 2013 COSO Framework implementation project:

Challenging Issues

Les Sussman took a moment to remind attendees that RGP owns a GRC application (a SOX tool, among other uses) and highlighted the 4 simple steps that an existing policyIQ client can work through in about an hour to have all COSO Principles and Points of Focus properly documented, linked and filed in policyIQ to prepare for the mapping process. For those companies who have properly licensed (purchased) the 2013 COSO Internal Control – Integrated Framework, RGP’s policyIQ team can help clients with the importing of COSO Principles and Points of Focus by providing import templates that are pre-populated and ready to go. Configuration guidance for brand new policyIQ clients is also included in the affordable policyIQ licensing fees (generally about 1/10th the cost of comparable competitors). Contact us (support@policyIQ.com) for more information on using policyIQ for management of your SOX and COSO processes and related documentation.

Shauna Watson, Les Sussman and John Digenan wrapped up the session with a question and answer period. Among the flash items discussed:

  • Assuming you used a top-down, risk-based approach before, the COSO framework does not change your approach. In fact, apply that mentality to other areas (non-financial areas) following the AS5, top-down, risk-based approach.
  • The Fraud Risk Assessment is certainly part of the broad Risk Assessment. It can be performed and documented as an integrated part of the formal Risk Assessment. Note that, while it is not required, a separate Fraud Risk Assessment can be very helpful for addressing your organization’s anti-fraud considerations and your coverage of COSO’s Principle #8.
  • Some companies have observed differences in terminology related to the significance of deficiencies identified (material weakness vs. major deficiency). Sussman noted that the framework clearly guides companies to default to any regulatory regime used to evaluate deficiencies. With regard to SOX, we will continue to use SOX language.
  • Digenan also clarified that the new controls added at Microsoft were entity level controls and noted that the initial mapping process involved only entity level controls, not transaction level controls.

You may follow this link to review a recording of the webinar, which goes into much more detail on the case studies and helpful resources. For more information regarding your COSO implementation project, reach out to us and we will put you in touch with an expert in your area. You may also contact us for help with your policyIQ implementation. We can show you how to make quick work of your gap analysis and control rationalization tasks. Let’s get started today—we’ll have you up and running in no time!

Recap Session: Efficiently Transition to the 2013 COSO Internal Control – Integrated Framework Using policyIQ

The policyIQ Team was recently joined by Senior Practice Director of RGP’s Governance Risk & Compliance (GRC) practice, Les Sussman, to discuss how the updated COSO framework will impact companies and, specifically, policyIQ clients or prospects. Mr. Sussman recapped the highlights from a recent webinar that he co-presented with RGP’s Global Managing Director of the Finance & Accounting practice, Shauna Watson. Their session, “Effective Transition to the 2013 COSO Framework and SOX Compliance”, drew more than a thousand registrants and received great reviews for addressing considerations that have not been discussed in other COSO-related sessions.

With a diverse audience of current policyIQ users and many participants who are not currently using policyIQ, we took time to introduce some highlights of policyIQ, including these:

  • Web-based, accessible from any major browser
  • Flexible and customizable with an easy-to-use interface
  • A tool for management of workflow, analysis and roll-up reporting
  • Top security from the host, through the pipeline, to end users and specific content
  • Version control; pages can be mapped to multiple relevant access points (folders)
  • Mature audit trail with both version and change history
  • Features for uploading appropriate evidence and linking to relevant content
  • Reporting capability to expedite gap/redundancy analysis, oversight and roll-up reporting

In our session, we demonstrated how easily and quickly we amended our policyIQ configuration to accommodate the updated 2013 COSO Internal Control – Integrated Framework: We added a Folder structure for capturing the COSO Principles by COSO Component and a Page Template with a Short Text Field for capturing each COSO Principle in its own Page.

After populating policyIQ with the COSO Principles (using an import process), RGP recommends following both a top-down (Principle–Control or Principle–Points of Focus–Control) and a bottom-up (Control–Points of Focus–Principle or Control–Principle) approach. The combination of approaches will help to ensure that all Principles are adequately addressed (which is a requirement, if you choose to use the COSO Framework) as well as help with your control rationalization process.


We discussed how policyIQ reports can make quick work of mapping, gap analysis, control rationalization and reporting to the Audit Committee and External Auditors.

If you haven’t already, check out the presentation for yourself! The presentation slides are available via the Attachments/Links tab in our related policyIQ Help page here. To review the session or share it with a colleague, click this link to access a recording of the 60 minute webinar.

Do you have questions about implementing the 2013 COSO Internal Control – Integrated Framework? Have you begun the mapping process and taken advantage of policyIQ to make your analysis more effective and efficient? Reach out to us with any questions that you have and we’ll help to connect you with the most appropriate contact that can get you headed in the right direction!