Early adopters of the updated COSO framework say they're finding their existing internal controls map rather well to the newly articulated principles contained in the updated framework, although they need to bring more controls into the scope of their internal control evaluation and audit to show it.

COSO's Internal Control -- Integrated Framework was published last year to update the 1992 framework that virtually all U.S. public companies rely on to achieve compliance with Sarbanes-Oxley requirements regarding internal control over financial reporting. COSO says it will consider the old framework to be expired at the end of 2014, with companies expected to transition to the new framework in time for 2014 year-end reporting and auditing. COSO updated the 20-year-old framework to make it more relevant in the modern, digital era and to articulate the 17 principles of sound internal control more explicitly.

Microsoft, which has a fiscal year end of June 30, is nearly complete with its implementation of the COSO update, mapping the new framework to its existing control environment and updating its controls as a result, says Kevin Funk, director of the financial compliance group. Ultimately, the company has increased the number of entity-level controls that are scoped into its Sarbanes-Oxley compliance exercise from 45 to 58 as a result of the refresh to the updated framework, he says.

When Microsoft mapped its existing controls to the new COSO framework, the company found its coverage was adequate, but some of the controls that met the COSO principles were not scoped into the internal control assessment and audit, says Funk. “These weren't new activities for Microsoft,” he says. “But it meant streamlining and identifying activities we were already doing that met the requirements, then documenting them and bringing them into scope for walkthroughs and testing.”

Funk estimates Microsoft devoted a few hundred staff hours to the project, and the company is finalizing its control design with input from its audit firm, Deloitte & Touche. “There are still a couple of open questions we are working on with them that may result in a few more changes, but it's not substantial at this point,” he says. Throughout the implementation, the audit firm has targeted areas to which the Public Company Accounting Oversight Board, through its inspection process, has called on auditors to pay closer attention, he says. They are looking more closely, for example, at risk assessments, outsourcing, and reports that are generated and relied on internally.

Jon Goode, global operational controller for General Electric, says the mapping exercise led to a close evaluation of IT controls and fraud risks. Under the new framework, “It was more explicit than implicit,” he says. “And that's very relevant because the world has changed since 1992 and we have more fraud and IT focus.” As at Microsoft, GE's mapping exercise revealed controls outside the entity level that addressed some of the COSO principles but weren't scoped into the entity-level SOX exercise.

“We found there were some processes outside our entity-level controls that we felt addressed these principles, but we really needed to document it to take credit for it,” says Courtney Connors, senior operational controller for GE. Examples, she says, include some processes meant to address fraud risks and controls over the use of outside service providers. “These are things we normally do already, but it was a matter of documenting them,” says Connors.

At Federal Home Loan Bank of Chicago, the mapping exercise is in its early stages, but so far is not revealing any big surprises, says Tom Harper, executive vice president and general auditor. “We're looking at some things and saying it's not that we don't have the controls, but the framework highlights that we may not have aligned those controls,” he says. “The more granular approach has allowed us to re-evaluate the whole control environment. It's leading to incremental improvements rather than radical change.”

All Over the Map

Jeff Getz, a partner at Deloitte, says companies span a wide spectrum in terms of what they will find as they implement the new framework. “Leading edge companies are finding they're already addressing much of what the new framework requires,” he says. “For them, there's less concern about whether they have control gaps that they need to worry about. For companies doing the bare minimum at the other end of the spectrum, they might have a bigger task ahead of them in getting to full compliance.” Deloitte is advising companies to also consider areas for potential improvement, including common deficiencies in internal control such as reported material weaknesses and fraud, he says.

EMERGING ISSUES

Below is an excerpt from PCAOB member Jeanette Franzel's recent speech in which she discusses emerging issues in audits of internal control over financial reporting.

In some cases, the following [situation is] occurring ...

The auditor performs additional procedures for a previously completed audit after a PCAOB inspection.

A firm might also be performing additional procedures specifically because a deficiency was identified and included in Part I of the firm's inspection report, and the firm seeks to determine whether, following performance of the necessary procedures, it can still support its previously expressed opinion on ICFR.

The PCAOB has heard that in response to some of the above changes, some issuers have expressed concerns about the value of additional audit work in the ICFR area, and whether there will be significant increases in costs as a result.

We also have received feedback that would indicate there has not been effective communication and dialogue between audit firms and issuers about ICFR issues. In some cases, audit firms have told issuers that the PCAOB insists on detailed procedures such as the use of “screen prints” to document certain systems-related features; or specifying the number of pages that must be involved in summarizing key controls; or that auditors must attend management meetings to observe certain controls in action. I assure you that the Board is not requiring procedures at that level of detail. AS 5 provides the guiding standard for ICFR audits.

Unfortunately, such responses from audit firms tend to close down the dialogue with financial statement preparers about important basic issues such as identifying key controls, establishing the appropriate level of management documentation and testing, and the nature and extent of auditor testing needed to support the auditor's ICFR opinion.

Productive dialogue between the audit firm and financial statement preparers is necessary to coordinate management's responsibilities to implement effective ICFR and assess its effectiveness, and the auditor's responsibilities to audit and report on ICFR ...

Source: PCAOB.

Drawing on its analysis of audit inspection findings, the new framework, and other relevant guidance, as well as material weakness disclosures and restatements, Deloitte is advising companies to pay close attention to specific COSO principles, including risk assessments and the company's use of information to support controls. “Those are hot topics where companies often get things wrong,” Getz says.

Bill Watts, a partner with Crowe Horwath, says most companies are still developing their methodology for performing a mapping or gap analysis. “I still see a lot of lack of understanding about what should be done to go about implementing,” he says. “We are saying take these 17 principles and look at where you have aligned control. Where you can't find control aligned with that, then you know you have a gap.”

Sara Lord, a partner with McGladrey, says now that year-end companies are past the close, she's seen a significant increase in the number of questions and phone calls about the updated framework. “A lot more audit committees are asking about COSO,” she says. She's advising companies to consider the PCAOB's charge to auditors to take a harder look at internal controls, to ensure companies establish and document controls in a way that makes the audit most efficient. In reviewing guidance to auditors, Lord says management holds some responsibility for making changes that will lead to better audits. “Perhaps management documentation would be more robust, and that could facilitate the audit being in line with what the PCAOB expects,” she says.

Mike Rose, a partner at Grant Thornton, is advising companies to use all resources and relevant guidance at their disposal to take a thorough, comprehensive look at controls, including the 2007 guidance from the Securities and Exchange Commission directed at management and the PCAOB's guidance directed at auditors in Audit Practice Alert No. 11. “There's a lot of information in there that really ties this all together,” he says.