COSO 2013 Implementation Webinar: Your Questions Answered


Keith Kawashima, Managing Director
Internal Audit and Financial Advisory practice

Wrapping up our Internal Audit Awareness Month webinar Q&A series, Keith Kawashima, managing director in our Silicon Valley office, answers some of the questions we weren’t able to get to in our April 29th webinar, Top 10 Lessons Learned From Implementing COSO 2013.

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a comprehensive update to its original 1992 Internal Control — Integrated Framework. This COSO framework is the de facto framework used by more than 99 percent of the organizations required to comply with Section 404 — Internal Controls over Financial Reporting (ICFR) requirement of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX). Based on financial filings reviewed through the end of May, 2015, approximately 83 percent of companies subject to the external auditor attestation requirement have transitioned from the 1992 version of COSO to the revised 2013 version.

The U.S. Congress enacted SOX in 2002, in the wake of several high-profile public company financial frauds, to provide additional comfort to investors that public company financials were built on reasonable standards. Among other things, this legislation created the Public Company Accounting Oversight Board (PCAOB) and charged it with establishing auditing and related professional practice standards for registered public accounting firms to follow in the preparation and issuance of audit reports.

Below, Keith addresses some SOX-specific questions regarding the application of COSO 2013.

Q: Given the increased regulatory focus on internal control deficiencies, how does COSO connect the dots between deficiencies and the scope of potential misstatements they could create?

A: The PCAOB is telling external auditors that they need to further scrutinize both the design and operating effectiveness of a company’s internal controls over financial reporting, as well as to better support the conclusions they come to in their evaluation of ICFR. Both the old COSO framework and the revised framework have five components by which internal controls were evaluated. The new framework further expands and defines each of those five components through its 17 mandatory principles. These principles are broken down even further through the points of focus.

For a control environment to be deemed to be effective, the company needs to be able to demonstrate that all principles are present and functioning, as well as operating together. The application of the new framework has and will continue to help both the external auditors and management to identify control gaps and evaluate the potential exposure that these gaps create. This allows them to understand the potential for misstatement that exists and helps to size the gaps as deficiencies, significant deficiencies or material weaknesses.

Q: If there is a discrepancy between the COSO 2013 internal control framework and SOX, which takes precedence? And what part of SOX compliance, specifically, does COSO address?

A: The COSO internal controls framework was released 10 years before the Sarbanes-Oxley Act was passed. As one can imagine, both the 1992 and 2013 versions were designed for broader application than those required by the internal controls over financial reporting (ICFR) evaluation required to comply with SOX section 404. While the focus of SOX is limited to the controls in place to ensure material accuracy of the company’s outwardly facing financial reports, the COSO framework is intended to apply more broadly to the company’s overall internal control environment. This has led some companies to either intentionally or unintentionally expand their control evaluation efforts beyond what is required for SOX purposes. As it pertains specifically to SOX, however, COSO has clearly communicated that it has provided a thorough and useful framework for evaluating internal controls, and continues to reiterate that it is not a legislative body. The SOX 404 requirement continues to focus on a top-down risk-based scoping approach. It also has defined the evaluation criteria and reporting requirements for control gaps or deficiencies. COSO has stated that in the instance where additional criteria are required, the framework is flexible enough to accommodate them. So for SOX, the focus will be on ICFR, and the evaluation and reporting requirements remain aligned to the SOX criteria of deficiency, significant deficiency and material weakness.

Q: The PCAOB, which was created by SOX, has said that not enough work is being done by external auditors to verify the presence and functioning of internal controls over outsourced processes and third-party vendors within the scope of ICFR. How can COSO 2013 be applied to address this concern?

A: I think it’s important to recognize that while a company can outsource a process, it can never outsource the responsibility for maintaining an appropriate control environment over that process, particularly when the outputs from that process have an impact on public financial statements.

External auditors and management both need to conclude that the overall control environment is adequate and that all 17 of the COSO principles are present and functioning, regardless of whether a process or a series of processes is performed by the company or by third-party providers. The additional granularity of the revised version – including additional emphasis for areas such as use and reliance on technology and an enhanced focus on fraud risks and other areas – helps us to understand the broad control environment, including areas where outsourcing is deployed.

For a more in-depth examination of COSO 2013 internal control framework and how to implement it, you might be interested in Protiviti’s Frequently Asked Questions (FAQ) COSO publication, as well as our 5-part webinar series covering COSO 2013. Follow the links below to register for one, or all, of the free archived sessions:

COSO 2013: What is New, What Has Changed, Why Does it Matter, and Other Frequently Asked Questions (May 28, 2014)
COSO 2013: Managing the Project for Success and IPO Readiness (June 4, 2014)
COSO 2013: Mapping Controls to Principles (June 11, 2014)
COSO 2013: The Implications to IT Controls (June 18, 2014)
COSO 2013: Assessing Fraud Risks in ICEFR and Implementation Insights Panel (June 25, 2014)

Protiviti is offering these webinar Q&As in May as part of Internal Audit Awareness Month. For additional information about the month-long initiative, spearheaded by the Institute of Internal Auditors, please visit The IIA’s website.

Setting the Audit Committee Agenda — Your Questions Answered

By David Brand
Managing Director, Leader of Protiviti’s Global IT Audit Practice

When we hosted our webinar, “Setting the 2015 Audit Committee Agenda,” on February 10, we knew we were tackling a hot topic.

After all, the task has become so much more challenging. Not only are audit committees dealing with crowded agendas, but they’re also addressing issues that are infinitely more complex.

Navigating an organization through a rapidly evolving business environment means setting clear priorities and establishing a risk management framework that asks the right questions at the right time to yield effective solutions.

The webinar emphasized the importance of finance and audit functions expanding beyond their traditional roles and becoming true strategic partners. It also discussed the impact of technology – and the audit committee’s responsibility to understand it.

During the webinar, we received an overflow of insightful questions. We wanted to share some of them because they address critical topics that may be relevant for many of you. We’ve included the actual questions from webinar participants, along with our answers, below.

It’s one of the ways we’re promoting Internal Audit Awareness Month. For additional information about the month-long campaign, visit The IIA’s website.

Q. How do you report on internal audit’s data analytics efforts to the audit committee? To what level do you report results?

A. If the analytics were conducted as part of a specific audit, they should be reported as part of that audit. If you are doing more continuous monitoring – or broad-based analytics that are not directly tied to a specific audit – it is typically helpful to create a dashboard for the committee. It should include information such as testing criteria, testing frequency and the exception rate. You may also want to include some commentary detailing how management addressed the exceptions.

Q. We are nonprofit but are looking for the correct place for governance of IT (and information security) to reside – audit committee or legal and compliance committee? Thoughts?

A. The governance of IT as well as the IT compliance function should reside with the CIO. Assurance that these processes are happening is provided by internal audit. Because IT controls are pervasive, we often see the audit committee take ownership of the technology risks from an oversight perspective. Information security is typically aligned with the business and reports to someone outside of the IT organization. Again, assurance over the security function is provided by internal audit.

Q. What are the top 3 to 5 technology risks (i.e., security around confidential information such as social security numbers)?

A. Most surveys I have seen list some combination of the following as top IT risks: cybersecurity, cloud computing, mobile devices, mobile applications and social media.

Q. Can you give me a more specific example of how you make cybersecurity a “business issue” versus an “IT issue”?

A. Cybersecurity is the processes and systems in place to protect whatever data an organization deems worthy of shielding. This could include customer lists, pricing information, trade secrets, drug formulas, non-public financial information, etc. Understanding what is important to protect and where it resides in the organization is a business issue. The IT component only comes into play when technologies need to be deployed to protect the relevant information.

New Survey on SOX Compliance – Changes Abound Amid Drive for Stability and Long-Term Value

Today, Protiviti unveiled the results of our latest Sarbanes-Oxley Compliance Survey. There are a number of interesting findings tied to cost, hours and the effects of the PCAOB inspection reports of external auditors, among many other results. I encourage you to visit to download a complimentary copy of our report. Here you’ll find our infographic and a short video. Enjoy!

Revenue Recognition Webinar Series: Chris Wright Answers Your Questions

Chris Wright, Managing Director
Leader of Protiviti’s Finance Remediation and Reporting Compliance practice

New Financial Accounting Standards Board (FASB) revenue recognition rules will be required to apply to reporting periods beginning after December 15, 2018 — and likely will be allowed a year earlier for those who are ready.

The new framework will impact all industries, but is most likely to affect those with longer delivery cycles or complex contract terms. Among the industries identified as potentially facing major change: Software, telecommunications, asset management, airlines, real estate, aerospace and construction.

It is an issue that needs immediate attention because companies have a choice of how they will apply the rules – retroactively (including two prior years of data), or prospectively. Companies need to be evaluating their options now in order to prepare properly for the change.

Those that have started the process are discovering that what they expected to be a straightforward accounting exercise is actually affecting operations across the board. It is critical that organizations do their due diligence and involve all key stakeholders to tackle this project.

Protiviti launched its revenue recognition webinar series in November, working holistically through our proprietary Six Elements of Infrastructure — and how each should prepare for the transition. Here are the links to the previous seminars:

Webinar #1 – Revenue Recognition: It’s Here, Are You Ready? Transitioning to the New Revenue Recognition Standard (Nov. 20, 2014)

Webinar #2 – Revenue Recognition: The People Elements – A Collaborative and Cross-Functional Collaboration Process (Jan. 20, 2015)

Webinar #3 – The New Revenue Recognition Rules: Using a Methodology to Identify Gaps in Current Business Processes (March 18, 2015)

Registration is now open for the May 21st webinar, The New Revenue Recognition Rules: Systems, Data, Reporting and a Transparent Audit Trail. Register at

Below, Chris Wright answers some of the top questions posed by webinar participants so far:

Q: Where do you see the biggest challenge in this transition?

A: The biggest challenge is going to be in companies going through a proper diagnostic effort to understand the degree to which the new standard will affect them: whether it will lead to radical change, or no change at all – or anything along the spectrum. The reason that’s going to be a challenge is because the process of coming to those conclusions will require a multidisciplinary approach.

It will require whoever is responsible for the effort to engage the assistance of many others – if the finance team is in the lead, they’ll need to work with HR, legal, tax; they’ll need to work with IT and with internal audit, and they’ll have to do all of that under the cover of permission from either the CFO, the audit committee, or both.

In the absence of a proper diagnostic and finding out how hard or easy it’s going to be for your company, you will likely be wasting time explaining to the people to whom you report how significant or insignificant the change is likely going to be – time that you could be spending preparing a project plan based on insight from your diagnostic. The challenge that comes with this kind of inaction is that you run the risk of overestimating the simplicity or the complexity of the process and either doing too much too soon or too little too late.

Q: What input should the external auditors have in the process?

A: There is nothing but upside in talking to your external auditors about this change. External auditors are familiar with the company, and they understand what it takes to get through the process of planning and producing accurate financial statements. They should also have a view on prospective versus retrospective application of the rules, especially in the context of how “auditable” your records are likely to be for the two earlier years, given past history or current controls in place.

It’s good to make sure the external auditor agrees, at least in principle, with how a company has interpreted the rules and reviews the process and control changes stemming from those judgment calls. When you change a process, the controls change, and then the risks change, and the company’s auditing response to risks and controls has to change as well. These changes should be vetted by both external and internal auditors.

Q: How long should the diagnostic process be?

A: It depends on what the company does for a living and how it earns its revenue. Many companies, for which the revenue recognition process is currently simple, may discover through the diagnostic process that little or no change is required. For those companies, the diagnostic process may be very quick and the company will gain comfort in knowing it is not overestimating the simplicity or the complexity of the change.

For others that are more complex, or diverse in terms of products, geography or business lines, the diagnostic process will be more complicated, due to the complexity of their own business model.

It shouldn’t take terribly long in either case. That said, we are aware of extremes, anecdotally, from having participated in conferences and conversations with companies, where, on one hand, some companies are able to use internal resources and quickly conclude on what it is they have to do, and on the other, global multinationals with complex contracting processes are discovering they have to spend thousands of hours and millions of dollars to prepare to adopt the new standard.

Protiviti will be offering more answers to webinar questions in May as part of Internal Audit Awareness Month. For additional information about the month-long initiative, spearheaded by the Institute of Internal Auditors, please visit The IIA’s website.

Vendor Management – Realizing Opportunities in Financial Services

By Christopher Monk
Managing Director, Protiviti Supply Chain Solutions

Banks and other financial institutions have conducted tactical vendor management activities for decades. Much of this activity also has been performed in silos throughout these organizations.

As reliance on third-party providers domestically and globally grows, often driven by competitive pressures, the management of those vendors has become increasingly complex and scrutinized. Indeed, it’s not unusual for the largest financial institutions to have more than 50,000 vendors!

Add to the picture aggressive rollout of new services and products, heightened merger and acquisition activity, and new regulations regarding third parties, and it’s no wonder that financial services industry observers are left with one word to describe the current state of vendor management: Chaotic.

Even in the midst of this challenging environment, companies that employ the right strategic approach can do more than just meet compliance requirements; they can capitalize on better vendor management to achieve operational improvements and enhance the value provided by third parties. A recently published Protiviti white paper, Vendor Management: Realizing Opportunities in the Financial Services Sector, offers guidance in this regard.

One of the most common problems afflicting organizations is that there is no single point of accountability for managing vendor activity. Different functions and lines of business often hire their own vendors – or sometimes the same vendor – unaware of the vendor’s existing relationship with the company. The lack of centralized vendor data or reporting may make it difficult, if not impossible, to understand the complete picture with each vendor, identify spending patterns or uncover opportunities for more cost-efficient sourcing. Such a deficiency also hinders sharing of best practices across business units.

Furthermore, companies that lack good mechanisms for the ongoing management of their vendor relationships likely will struggle to ensure that contractual terms and related service-level agreements are fulfilled. These issues, in part, explain why regulators – including the Office of the Comptroller of the Currency and the U.S. Federal Reserve Board – are increasingly concerned that institutions have:

  • Failed to perform adequate due diligence and ongoing monitoring of third-party relationships
  • Entered into contracts without assessing the adequacy of a third party’s risk management practices
  • Entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers in order to maximize the third party’s revenues.

A sophisticated vendor management organization (VMO) can help institutions to tackle these compliance issues, but just as importantly, it can help them build strategic partnerships with vendors to drive greater value. Protiviti has identified six critical elements that an evolved and mature VMO is built upon: Contracts, spend, classification, metrics, governance and relationships.

How these elements are assembled and the degree to which they are developed determines the effectiveness of the VMO. The first step in making necessary enhancements is to ask key questions, such as:

  • Are our vendors classified using factors such as the importance of business function supported; geography; ease of replacement; dollars spent; frequency of use; data privacy requirements or level of reputational risk?
  • Do our current vendor management activities include a mechanism for reducing risks?
  • To what extent are our current spend analyses driving vendor management decisions?
  • How effective are our existing relationship management metrics in improving vendor performance?

By answering these questions, companies can gain a clearer picture of their existing state of vendor management and a better understanding of the work required to elevate it to a strategic level that yields real operational benefits.

Do you have a vendor management organization that delivers more than just basic performance and compliance management? I’d love to read your insights in the comments.

Clear and Present Danger: Cybersecurity Should Be a Top Priority

With organizations large and small falling victim to a troubling number of cybersecurity issues, 2014 infamously became the year of the data breach.

To avoid making 2015 the same, internal auditors must play an important role in securing the organization. That responsibility entails working closely with the board, executive management and functional leaders to ensure that cybersecurity is incorporated into the flow of daily business and its multitude of processes.

In our 2015 Internal Audit Capabilities and Needs Survey, we’ve devoted a special section to the current state of cybersecurity. With the help of more than 800 chief audit executives and internal audit professionals who participated in the study, we’ve identified organizational traits and practices that lead to effective cybersecurity measures.

The two most critical success factors?

  1. High level of engagement in cybersecurity by the board of directors
  2. Evaluating cybersecurity risk as part of the current audit plan

There is a clear correlation between the two. For example, 69 percent of organizations that reported a high level of board engagement in information security risks include cybersecurity in their audit plans. By comparison, only 46 percent of organizations reporting lesser levels of board engagement address cybersecurity in their audit plans. The correlation goes the other way too: 40 percent of organizations with audit plans tackling cybersecurity report a high level of engagement by their boards. Only 20 percent of organizations without such audit plans say their boards are similarly engaged in information security issues.

A pressing priority for nearly every organization is strengthening its ability to identify, assess and mitigate cybersecurity risk to an acceptable level. Most of the organizations that rate themselves as “very effective” in tackling these tasks are organizations that have either a high level of board engagement or those that have included cybersecurity in their audit plans. For example, 39 percent of companies with boards that are highly engaged in information security issues say they mitigate issues very effectively. Only 15 percent of companies with less involved boards exhibit the confidence to say so.

Internal auditors must prioritize and cultivate the critical success factors because it’s their job to make sure their companies are prepared to deal with a variety of threats. On a scale of 1 to 10, with 10 posing the highest level of risk, participants in our survey cited the following as their biggest cybersecurity concerns: data security (company information) – 7.9; brand/reputational damage – 7.7; regulatory and compliance violations – 7.5; data leakage (employee personal information) – 7.5; and viruses and malware – 7.3.

For CAEs and internal auditors to achieve “top performer” status, Protiviti recommends the following ten cybersecurity action items:

  • Work with management and the board to develop a cybersecurity strategy and policy.
  • Seek to have the organization become “very effective” in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.
  • Leverage board relationships to a) heighten the board’s awareness and knowledge of cybersecurity risk; and b) ensure that the board remains highly engaged with cybersecurity matters and up to date on the changing nature and strategic importance of cybersecurity risk.
  • Focus on the organization’s most critical data and information assets and information systems (the so-called “crown jewels”); these are the assets of highest value that the organization cannot afford to lose.
  • Ensure cybersecurity risk is formally integrated into the audit plan.
  • Stay in touch with the threat landscape by developing an understanding of and keeping current with emerging technologies and technological trends that are affecting the company and its cybersecurity risk profile.
  • Evaluate the organization’s cybersecurity program against the NIST Cybersecurity Framework, while recognizing that the framework does not run to the control level and therefore may require additional evaluations from an ISO 27001 and 27002 standpoint.
  • Recognize that with regard to cybersecurity, the strongest preventive capability is a combination of technology and human involvement – a complementary blend of education, awareness, vigilance, and technology tools.
  • Make cybersecurity monitoring and cyber incident response a top management priority. A clear escalation protocol can help make the case for and sustain this priority.
  • Address any IT/audit staffing and resource shortages – this represents a top technology challenge in many organizations and can hamper efforts to address cybersecurity issues.

For a more in-depth discussion on cybersecurity risks and what internal audit functions can do to ensure their organizations are adequately addressing the risks, I’d highly recommend that you read the full report. In addition, check out Issue 66 of Board Perspectives: Risk Oversight, Managing Cyber Threats with Confidence.

Preventing Money Leaks: Vendor Fraud and How to Fix It

One of the most common ways organizations are victimized is through vendor fraud.

Though frauds can be perpetrated in a variety of ways, vendor fraud is the most pervasive, and typically occurs through manipulation of a company’s accounts payable and payments systems for illegal personal gain. Billing schemes, check tampering, bribery and extortion are all examples of the crime that occurs all too frequently – sometimes, siphoning company funds for years without detection.

As with other forms of fraud, taking preventative measures is an effective deterrent to vendor fraud. Similarly, developing investigative protocols that can be implemented quickly when crisis strikes can minimize damage and help protect brand reputation.

Recently, Scott Moritz, Protiviti’s managing director and global leader of the Investigations and Fraud Risk Management practice, and Peter Grupe, a director in the same practice with more than 20 years of experience in the fraud division of the FBI, hosted a webinar discussing ways to investigate vendor fraud, including how to avoid tipping off the fraudsters and when to call in third-party help.

Fraud investigation teams are typically engaged under one of two scenarios: Either there’s a strong suspicion that an individual or a group is conducting illicit activity, or unusual transactions have been detected, warranting additional investigation.

The first step in identifying vendor fraud is reviewing vendor master files and scrutinizing business partners. For example:

  • Look for unknown company names
  • Compare mailing addresses against the employee address database
  • Investigate vendors with PO boxes for addresses

These steps are critical in discovering “shell companies” that may have been created to divert and accept unwarranted payments. A vendor address that appears to be a residence may be a red flag indicating an illicit company formed to provide cover for perpetuating fraudulent schemes.
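The three vendor master file checks above, run over constructed sample records as an added example (this is illustration code written for this page, not Protiviti's or the webinar's tooling). It assumes an "approved vendor" list stands in for "unknown company names", that employee addresses are available for comparison, and that light normalization of street abbreviations is enough to match a residence against a vendor record.

```python
"""Vendor master file screening: flag unknown vendor names, vendor addresses
that match an employee's address, and PO-box addresses.  Sample data below is
constructed for illustration and does not describe any real vendor or person."""
import re

# Constructed sample data: vendors the company knows it onboarded properly.
APPROVED_VENDORS = {"Acme Office Supply Inc", "Northwind Logistics LLC"}

# Constructed sample data: addresses from the employee master (HR) file.
EMPLOYEE_ADDRESSES = [
    "742 Evergreen Terrace, Springfield, IL 62704",
    "12 Oak St Apt 3B, Dayton, OH 45402",
]

# Constructed sample data: the accounts-payable vendor master file.
VENDOR_MASTER = [
    {"id": "V001", "name": "Acme Office Supply, Inc.",
     "address": "100 Industrial Pkwy, Springfield, IL 62704"},
    {"id": "V002", "name": "Northwind Logistics LLC",
     "address": "P.O. Box 4471, Dayton, OH 45401"},
    {"id": "V003", "name": "Summit Consulting Group",
     "address": "742 Evergreen Ter., Springfield, IL 62704"},
    {"id": "V004", "name": "Bluebird Facilities",
     "address": "12 Oak Street, Apt. 3B, Dayton, OH 45402"},
]

# Matches "PO Box", "P.O. Box", "Post Office Box" in any capitalisation.
PO_BOX_RE = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.IGNORECASE)

# Abbreviations collapsed so "Terrace" and "Ter." compare equal (assumption:
# a small table is enough for this illustration; real data needs a proper
# address-standardisation step).
STREET_ABBREV = {"street": "st", "avenue": "ave", "terrace": "ter",
                 "parkway": "pkwy", "apartment": "apt", "road": "rd", "drive": "dr"}
# Corporate suffixes ignored when comparing vendor names.
NAME_NOISE = {"inc", "llc", "ltd", "corp", "co"}


def normalize_address(addr: str) -> str:
    """Lowercase, drop punctuation, and contract common street abbreviations."""
    words = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(STREET_ABBREV.get(w, w) for w in words)


def normalize_name(name: str) -> str:
    """Lowercase, drop punctuation and corporate suffixes from a vendor name."""
    words = re.sub(r"[^\w\s]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in NAME_NOISE)


def screen_vendor_master(vendors, approved, employee_addresses):
    """Return {vendor_id: [flags]} for every vendor that trips at least one check."""
    approved_norm = {normalize_name(n) for n in approved}
    employee_norm = {normalize_address(a) for a in employee_addresses}
    findings = {}
    for v in vendors:
        flags = []
        if normalize_name(v["name"]) not in approved_norm:
            flags.append("unknown_name")          # not on the vetted vendor list
        if PO_BOX_RE.search(v["address"]):
            flags.append("po_box")                # no physical place of business
        if normalize_address(v["address"]) in employee_norm:
            flags.append("matches_employee_address")  # possible shell company
        if flags:
            findings[v["id"]] = flags
    return findings


if __name__ == "__main__":
    for vid, flags in screen_vendor_master(
            VENDOR_MASTER, APPROVED_VENDORS, EMPLOYEE_ADDRESSES).items():
        print(vid, ", ".join(flags))
```

Each flag is a lead for the review described in the post, not a conclusion; a PO box is legitimate for many small suppliers, so the output should feed the vendor-acceptance and background-check steps rather than replace them.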

Indeed, proper maintenance and periodic reviews of the vendor master file are preventive measures that can go a long way toward curbing vendor fraud. Negligence on this front makes it all too easy for criminals to infiltrate a company and perpetrate fraud. Moritz recommends establishing a thorough vendor-acceptance process that includes vetting prospective business partners with background checks and confirming ownership with state business registration databases. He also advises segregation of duties between receipt of goods and payment of invoices.

Once suspicious activity is identified, companies often are too anxious to begin interviewing witnesses and suspects. But demonstrating restraint at this stage is critical to avoid giving fraudsters time to cover their tracks.

What you do in the first 48 hours is critical. Accurate and thorough documentation of any investigation is essential, especially if civil or criminal litigation is to follow. It is thus vital to have an investigation plan in place before the need for it arises.

An investigation plan should cover the following:

  • Defining the scope of the investigation
  • Selecting investigation participants
  • Establishing communication protocols for progress reports
  • Preserving evidence
  • Conducting interviews
  • Documenting and providing deliverables

The planning process allows companies to assign internal investigative resources and identify external service providers for critical elements, such as forensic investigations, crisis communications and legal advice. Note that contracts with such providers should be negotiated in advance so they can be activated immediately.

The bottom line is that attempts at vendor fraud inside companies will not go away in any foreseeable future. However, proper preparation – from careful vendor approval to established investigation processes – is the best means companies have for thwarting vendor fraud and/or reducing its effects on the organization.