Audit experts at Compliance Week 2014 are warning companies to be careful not to rely too heavily on a gap analysis of internal control when implementing the new updated COSO Internal Control -- Integrated Framework this year.

Analyzing internal control gaps under COSO's 1992 framework compared with the newly revised framework can serve as part of the implementation process, but should not form the entire basis for implementing the updated internal control framework, says Jeanette Franzel, a member of the Public Company Accounting Oversight Board. “There are risks associated with a checklist approach or a gap analysis,” she says. “This should not be a paperwork exercise. This should be a step back so you can take a fresh look at your controls.”

COSO updated its 20-year-old internal control framework to bring it up to date with modern business practices in a digital era and to more explicitly require companies to examine the 17 principles that are required to be present to assert effectiveness of controls. For public companies relying on the framework to comply with Sarbanes-Oxley internal control reporting requirements, COSO has said it expects companies to transition to the new framework this year before the 1992 framework is deemed obsolete at the end of 2014. Internal control experts have said they don't expect the transition to the new framework to be excessively burdensome for companies that already have a robust system of controls under the old framework.

Bavan Holloway, vice president of internal audit at Boeing, agreed with Franzel's view that a gap analysis -- looking at existing controls under the old framework and finding gaps based on the new framework -- is part of the process but not the entire process. “It can't be just a big board exercise where you just check the box,” she says.

 Eric Allegakoen, vice president and chief audit executives at Adobe Systems, agrees. “A gap analysis is an important part of the process, but you've also got to bring in the risk-based approach,” he says.

Franzel says spreadsheets can become a crutch. “How you do it is very important,” she says. “What makes me nervous is I see people with these big matrices, so they say I've got this framework and I'm going to map it, and then they are good to go. They are turning it into a paperwork exercise.” That doesn't mean spreadsheets aren't helpful, she says, but companies should be careful not to let spreadsheets drive the process.

Although COSO published the framework in mid-2013, many companies said they would wait until 2014 to fully adopt the framework.

Topics