Let us help you implement the COSO 2013 structure in policyIQ in under an hour!

If you have not already implemented policyIQ to more efficiently work through your transition to COSO’s 2013 Internal Control – Integrated Framework, we can help you to get started!  Companies with a calendar year-end are rushing to map their controls and address gaps with appropriate controls so that they are ready for testing in Q4.

Have policyIQ COSO-Ready in Under an Hour

The adjustments to your policyIQ site and import of the COSO Principles and Points of Focus can all be completed in under an hour and in these four steps:

[Image: 4 Steps to policyIQ COSO Readiness]
NOTE: We have pre-populated spreadsheets that we are happy to share with you. Or, if you prefer, our policyIQ Support team can complete the entire COSO setup and import for you. Contact us for more information: Support@policyIQ.com.

Mapping, Analysis, Rationalization and Evidence

Now you are ready to begin the COSO mapping process. You may run a report of your Controls and link each one to the appropriate Principle or Point of Focus. You may already be aware that companies following the COSO Framework must demonstrate that all 17 COSO Principles are “Present” and “Functioning”. The Points of Focus, while not required, are uploaded and included in the mapping process by many companies, as they provide added assurance and justification for your control mapping decisions.

Once all of your Controls (typically Entity Level Controls) are properly mapped, you can use policyIQ’s Detail Link Report to see a view of all Principles, linked Points of Focus and Linked Controls. This report provides an excellent foundation for Gap Analysis and for Control Rationalization. It also can serve as evidence of coverage for your external auditors.

Let us connect you with the experts!

If you find that your team is struggling to find time, resources or the necessary subject matter expertise for your COSO Transition Project, contact us and we’ll align you with a subject matter expert who can help you in the areas where you need it most (from the initial setup, mapping, gap analysis, establishment of new controls—or documentation of controls that have, to this point, been less formal—to control rationalization and testing).

Contact us today—for your free copies of the import spreadsheets, to request the import to be completed by our support team or to learn more about working with one of our subject matter experts!


Lessons Learned from Early Adopters of the 2013 COSO Framework

RGP brought us a second COSO webinar hosted by these Audit, Risk, Finance and Accounting experts:

[Image: COSO Follow-up Presenters]

Watson kicked off RGP’s follow-up webcast with a recap of the highlights of the first session, hosted a couple of months ago, which addressed effective implementation of the updated COSO Framework. She noted that the framework is not significantly different from the first version of COSO’s Internal Control – Integrated Framework published in 1992. The most notable change is that the 17 Principles, which were introduced in language embedded in the earlier version, have now been called out and defined more formally in this latest version.

As evidenced by a session polling question, a significant number of companies have now moved into the planning stage and are beginning the process of mapping their controls to Points of Focus or Principles. Remember that companies using the COSO framework must demonstrate that all 17 Principles are present and functioning, but the Points of Focus are not required. While COSO says that the Points of Focus are intended to be considerations, Les Sussman noted that we are finding that many companies are mapping to the Points of Focus and using them as a checklist of sorts to help with the mapping process.

In the project timeline review, Sussman noted the importance and value of checking in with your external auditors early and often. He urged attendees to get started as soon as possible, as those with a December fiscal year-end will be expected to demonstrate adequate coverage of COSO’s 17 Principles by the end of this year.

[Image: COSO Project Timeline]

John Digenan further emphasized Sussman’s point that the mapping process was not particularly time consuming. The mapping portion of the project is straightforward and can go quickly—as it did for Microsoft. The process of updating and validating controls is what takes the lion’s share of time in this transition process.

The team examined and reviewed three case studies, involving Microsoft, a large telecommunications company ($128B) and a smaller mining company ($1.5B). In each of these cases, the company performed an initial bottom-up approach, mapping entity level controls to related COSO Principles. All three considered the COSO Points of Focus to help them with the gap analysis and remediation process (although some did not formally document gaps and remediations in this early stage of the process). Each organization had findings similar to John’s regarding time spent on mapping: this part of the process went quickly (in a week or two). All found the early involvement of external auditors to be helpful. Another common finding was that so-called “missing” controls were being performed, but were not formally documented and tested. Even in the largest organizations, only about a dozen controls needed to be documented.

The team also presented some of the challenging issues (and the associated “good news”) for this 2013 COSO Framework implementation project:

[Image: Challenging Issues]

[Image: policyIQ COSO 4 Steps in 1 Hour]
Les Sussman took a moment to remind attendees that RGP owns a GRC application (a SOX tool, among other uses) and highlighted the 4 simple steps that an existing policyIQ client can work through in about an hour to have all COSO Principles and Points of Focus properly documented, linked and filed in policyIQ to prepare for the mapping process. For those companies who have properly licensed (purchased) the 2013 COSO Internal Control – Integrated Framework, RGP’s policyIQ team can help clients with the importing of COSO Principles and Points of Focus by providing import templates that are pre-populated and ready to go. Configuration guidance for brand new policyIQ clients is also included in the affordable policyIQ licensing fees (generally about 1/10th the cost of comparable competitors). Contact us (support@policyIQ.com) for more information on using policyIQ for management of your SOX and COSO processes and related documentation.

Shauna Watson, Les Sussman and John Digenan wrapped up the session with a question and answer period. Among the flash items discussed:

  • Assuming you used a top-down, risk-based approach before, the COSO framework does not change your approach. In fact, apply that mentality to other areas (non-financial areas) following the AS5, top-down, risk-based approach.
  • The Fraud Risk Assessment is certainly part of the broad Risk Assessment. It can be performed and documented as an integrated part of the formal Risk Assessment. Note that, while it is not required, a separate Fraud Risk Assessment can be very helpful for addressing your organization’s anti-fraud considerations and your coverage of COSO’s Principle #8.
  • Some companies have observed differences in terminology related to the significance of deficiencies identified (material weakness vs. major deficiency). Sussman noted that the framework clearly guides companies to default to whatever regulatory regime is used to evaluate deficiencies. With regard to SOX, we will continue to use SOX language.
  • Digenan also clarified that the new controls added at Microsoft were entity level controls and noted that the initial mapping process involved only entity level controls, not transaction level controls.

You may follow this link to review a recording of the webinar, which goes into much more detail on the case studies and helpful resources. For more information regarding your COSO implementation project, reach out to us and we will put you in touch with an expert in your area. You may also contact us for help with your policyIQ implementation. We can show you how to make quick work of your gap analysis and control rationalization tasks. Let’s get started today—we’ll have you up and running in no time!

Featured Feature: Import (helps you to start fresh!)

[Image: dictionary definition of “import”]
Webster gives us a pretty easy to understand definition of import, but did you know that Import is also a utility under policyIQ’s Tools & Settings menu that enables Site Administrators to bulk load items that exist outside of the system into policyIQ?

Most policyIQ clients experienced policyIQ’s Import capabilities when they first implemented policyIQ—it is the fastest way to get all of your content from other systems and spreadsheets into policyIQ. However, many of today’s policyIQ users inherited their instance of policyIQ, so you may not be aware of how easy it is to load new content into policyIQ or to replace existing content.

With the events impacting public companies, we are hearing from a number of clients who want to revamp their existing policyIQ implementation by importing COSO’s 17 Principles and 87 Points of Focus. We are also working with a number of companies who are taking this opportunity to start fresh with a new examination of the Risk Assessment and associated Risks, Controls and Tests. All of this content can be captured and linked, just as procedures can be linked to related policies, so that you have very useful reporting capabilities. In any case, if your organization is considering the use of policyIQ to help automate processes and make the oversight and management more effective and efficient, we encourage you to take advantage of the import utility in policyIQ.

For information on how to import content, check out the online policyIQ Help guide and navigate to the import section:

[Image: Import section of the policyIQ Help guide]
For visual learners, you will also find a link to a video walkthrough of the importing process within the Help guide. Of course, you are welcome to reach out to the policyIQ Support team with any questions: support@policyIQ.com. Let us know if you’d like to discuss your options regarding starting over—maybe you’d like to get a brand new policyIQ site with the updated framework and our latest recommendations already configured. We are happy to accommodate you. Reach out to us!

Addressing COSO Principle #8: Assess Fraud Risk

[Image: Principle 8 call to action]
Risk and Compliance professionals generally agree that the updated 2013 COSO Internal Control – Integrated Framework is not, in essence, different from the 1992 version. And by now, we recognize that the most notable change requiring action is the formalization of COSO’s 17 Principles, which were introduced by language embedded in the earlier version. Public companies subject to Sarbanes-Oxley (SOX) requirements that utilize the COSO framework and have a calendar year-end will need to demonstrate that all 17 COSO Principles are “present and functioning” by the end of 2014.

[Image: COSO Principles]
At the conclusion of the mapping process, what many of our clients are finding is that they do already have the necessary controls in place. We are also helping some clients to identify where they have more than adequate controls and can use this thorough review as an opportunity to rationalize and reduce the number of controls that they are testing—and, in turn, reduce costs! And, in some cases, companies recognize that the practices are in place, but the controls may not be formally documented and tested.

One of the Principles that is garnering a lot of attention is Principle #8:

[Image: Principle 8]
If you haven’t before, this will likely be the year that you perform a formal Fraud Risk Assessment. You may need to reinforce documentation around your related Entity Level Controls and will want to ensure that those include measurable indicators of appropriate “Tone at the Top”. If you are not sure that you have the appropriate competencies or subject matter experts on your team, we can help to lead or supplement your assessment and documentation of your related controls. Reach out to us if you’d like more information. Additionally, most companies required to comply with SOX likely already have a fraud hotline in place.

Did you know that policyIQ also includes an electronic “WhistleBlower” module that is accessible to all company employees for anonymous submission of suspected financial reporting issues (or other issues, if you choose to rebrand the feature)? The WhistleBlower module is already available in all policyIQ sites and can be enabled at any time at no additional charge. Each case is assigned a 16-character code that is revealed only to the submitter of the case, so that he or she may periodically review the progress of any associated investigation and even correspond anonymously with an investigator. This feature provides whistleblowers with greater assurance that their voice or accent will not give away their identity if they wish to remain anonymous.

[Image: WhistleBlower module]
It is very simple to use policyIQ to demonstrate the presence of preventive and detective fraud mitigating controls. Simply run a report of your Controls and include those two variables as columns in your display. If you haven’t already set up your policyIQ site to capture these items, here are the steps that we recommend:

  1. Add a field to your policyIQ Control Page Template to track whether a Control is fraud mitigating.
  2. Add a field to your policyIQ Control Page Template to track whether a Control is Preventive or Detective (most policyIQ clients already include this).
  3. Review your controls and update the pages to reflect whether they are fraud mitigating and whether they are preventive or detective (note that you can use the Edit Fields option from the Table Toolbar to make bulk changes and save time).
  4. Use a policyIQ Page Detail or Page Detail Link Report to list your Fraud Mitigating Controls and whether they are Preventive or Detective.
    1. Use the report results to perform your gap analysis.
    2. Use the report results as evidence of your compliance or coverage of COSO’s Principle #8!

[Image: Evidence for Principle 8]

If you’d like some support from a subject matter expert, have questions about the mapping process, or would like help with properly setting up policyIQ to support your transition to the 2013 COSO Framework, contact us and we’ll put you in touch with the appropriate resource in your area.