New guidance for compliance executives and internal auditors on monitoring internal controls should be in hand as soon as next month.
“I believe we will be able to clarify some things in the document and address the majority of the comments without drastic changes to the core content,” he says.
Among other things, the exposure draft improved upon the earlier version by adding new material, including examples and illustrations of effective monitoring and clearer articulation of the differences between direct and indirect information used for monitoring, as well as more clarity on how indirect information can be used.
Commenters generally lauded the COSO project team’s efforts, but offered some suggestions for improvements in the final version.
“When viewed in conjunction with the examples provided, we believe that the proposed guidance on monitoring will go a long way toward providing the clarity and useful guidance that you intended,” wrote Peter Bridgman, Pepsico’s controller.
In an Aug. 15 letter, partners in the audit firm PricewaterhouseCoopers called changes to the proposed guidance in the draft “significant improvements.” However, they said definitive statements in the exposure draft “may impair the document’s usefulness.” For example, the audit firm says a statement in the guidance gives the impression of the existence “of an absolute cause-effect relationship, even though monitoring does not, by itself, provide absolute assurance.” To avoid the risk that “too much reliance may be placed on monitoring alone,” PwC suggests the concept “would be better presented as a description of what monitoring is intended to accomplish.”
“We recommend that COSO ensure that the final guidance avoids making such definitive statements that imply absolute certainty, especially when discussing the reliability of financial reporting,” the letter states.
Further, PwC said the length and level of detail devoted to describing the persuasiveness of information “may potentially lead a user to believe that a mechanical analysis is required.” Rather than encouraging that “inordinate time be spent determining the characteristics that make information persuasive,” the letter says, COSO should instead provide broad principles to consider when evaluating the effectiveness of monitoring.
Financial Executives International’s task force on monitoring also urged COSO to “remain principles-based … so that companies can most effectively apply the guidance to their facts and circumstances.”
Brounstein
A letter from Richard Brounstein, chairman of the FEI’s monitoring task force, also urged COSO to be “cognizant of, and not cause inconsistencies with, the many layers of regulation companies are already subject to”—especially regulations issued by the SEC, the PCAOB, and major stock exchanges. In particular, Brounstein urged COSO to revise a proposed description of the role of the board of directors to change references to the board’s role in “monitoring” to “oversight” and to remove prescriptive requirements for the board, “in favor of reiterating COSO’s broad guidance from 1992 and providing reasonable examples.”
Cees Klumper, a partner in KPMG’s Business Advisory Services group in the Netherlands and a former top auditor at Ahold, says the portion of the guidance on “Ongoing Monitoring and Separate Evaluations” is “going to be one of the areas that will be the most difficult for organizations to grasp.”
COSO had sought comment on that section, which was simplified from the earlier draft to articulate more clearly that the primary difference between the two processes isn’t how they are performed, but how often and by whom, and to addresses the factors an organization might consider in deciding between the two. While Klumper says the guidance is clear, he expects that, “in practice, organizations will have trouble making the distinction.”
Klumper
In many organizations, Klumper says he sees “a significant amount of ongoing monitoring that is performed by functions that also perform separate evaluation-type activities”—for example, an internal control department that performs a monthly routine verification of the performance of certain controls and that also performs certain sample-based testing activities that aren’t routine and would fit the definition of separate evaluations.
As Klumper points out, no matter how good the guidance, it won’t be much help unless companies actually implement it. “Making available yet more guidance, no matter how correct and practically oriented as the exposure draft is, will probably not be sufficient,” he wrote in a letter to COSO. “Companies will have to adopt it in practice and in my personal experience this is far less likely to happen than one might expect.”
Accordingly, Klumper recommends the committee and its constituent organizations undertake “significant promotional efforts to convince organizations to actually put the monitoring guidance into practice.” For instance, he says, it might be “worthwhile” to form a group of volunteer organizations that share their experiences as they set out to implement the guidance.
No comments yet