Companies adopting a new internal control framework, recently updated by the Committee of Sponsoring Organizations, will have to think hard about whether control deficiencies they identify under the new framework might also signal deficiencies that need to be reported now under the old framework.

Internal control experts at a national conference of the American Institute of Certified Public Accountants said implementation of the freshly revised 2013 COSO framework should begin with a gap analysis to determine where companies may need to shore up controls or documentation. But because the 17 core principles in the new framework are not different from those contained in the old one—only more explicitly listed and described as requirements for effective internal control—deficiencies identified as part of implementation should be assessed even under the existing framework for possible year-end 2013 reporting.

Bill Schneider, director of accounting and finance at AT&T, said companies should by now have begun their gap analysis to determine where they may need to make changes to controls under the new framework. “If you're planning to adopt in 2014, you should have already started,” he said. “This is going to be more than a one-year process. If you are adopting in 2014 and you haven't started, you need to do some catching up now and through the end of the year.”

He also cautioned, however, that the gap analysis could lead to uncomfortable discoveries for some companies. “The 1992 and 2013 frameworks are very related,” he said. “If you find you have principles that are not present when doing your gap analysis, you need to consider whether you can say the ’92 framework is there and fully functioning. The end of the year may not be the best time to inform your audit committee that you're missing something.”

The 2013 Internal Control—Integrated Framework issued by COSO is an update of the 1992 framework that virtually all U.S. public companies have leveraged to comply with internal control reporting requirements. COSO refreshed the framework to reflect current business practices and advances in technology since it was originally issued more than two decades ago. The refreshed framework isn't substantially different, but it is improved, said COSO Chairman Bob Hirth at the conference. “The new framework is like going from black and white to color,” he said. “It's using technology to make it better. It's enhancing something that wasn't broken.”

COSO issued the framework in May 2013 and set a date of Dec. 15, 2014, to purge the old framework. The board said it will no longer make the old framework available after that date, labeling it “superseded.” The Securities and Exchange Commission hasn't explicitly told companies it will require them to adopt the new framework to achieve compliance with internal control reporting requirements, but it has called on all companies to disclose which framework they are following and said it may ask companies relying on the old framework to explain why they think it is a better choice.

Sara Lord, a partner with McGladrey, said there may be a valid point in the argument that deficiencies discovered through implementation should be evaluated for reporting currently. However, she doesn't see companies shying away from the gap analysis for that reason. “For the most part, if they haven't done it yet it's usually because of resources,” she said. “If you've done a good job implementing the ’92 framework, you're probably going to be fine.”

Tom Ray, former chief auditor at the Public Company Accounting Oversight Board, now on the faculty of Baruch College, said the question is an interesting one to ponder. He believes the 17 principles of effective internal control required under the new framework were implicit in the 1992 framework, so a company finding gaps as it maps controls to the new framework will have some work to do. “The company may, indeed, have an internal control deficiency, in which case it will need to evaluate its severity,” he said. “Finding a material weakness using the updated framework is a pretty strong indication that it also is a material weakness under the 1992 framework.”

Getting Started

For companies that have not yet started implementation, Schneider said the process should begin with getting educated in the new framework. “Get your staff, your team and other key players up to speed,” he said. Depending on the organization, that should include at a minimum the controller, the CFO, and the chief audit executive, he said.

COSO Internal Control Principles

CONTROL ENVIRONMENT
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

RISK ASSESSMENT
6. Specifies suitable objectives
7. Identifies and analyzes fraud
8. Assesses fraud risk
9. Identifies and analyzes significant change

CONTROL ACTIVITIES
10. Selects and develops control activities
11. Selects and develops general controls over technologies
12. Develops through policies and procedures

INFORMATION & COMMUNICATION
13. Uses relevant information
14. Communicates internally
15. Communicates externally

MONITORING
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

*Note: Please see Framework for the actual principles and descriptions.

Source: Campbell Soup.

The next step, said Schneider, is the gap analysis. Companies are developing different approaches for this, he said. “Some say they want to take the principles and map them to existing controls,” he said. “Others want to map their controls to the principles. There can be pros and cons to each approach.”

His own preference, said Schneider, is to map controls to principles. “It's easier to find gaps,” he said. “If you start with principles, you're going to have a bias toward finding controls that match, but if you do it the other way around, you may realize you have a gap.”

Lord said the better approach likely will depend on a company's existing documentation. “With good documentation, it's probably better to map from the documentation to the framework so you can go through and see what you have covered,” she said. “But if you have less robust documentation, it may be more beneficial to start with the framework.”

Ray says he doubts it makes much difference which approach is chosen, as long as there is a final check for completeness. “That is, there should be adequate controls associated with each principle,” he said. One possible benefit of mapping principles to controls is the potential to identify redundant or unnecessary controls, he says, which would stand out if there are no principles mapped to them. “It is probably not that difficult to make that evaluation regardless of where you start, but before companies start eliminating controls, it would be wise to determine why they were established in the first place.”

To implement the new framework, some companies are turning to a companion document COSO produced called “Illustrative Tools for Assessing a System of Internal Controls,” said PwC Partner Stephen Soske, who helped develop the revised framework. The document provides templates and scenarios that companies can use to apply the framework, which COSO says can help management assess whether its own system of internal control meets the framework's requirements for effective control. “Many companies have found that very helpful to map their existing internal controls to the updated framework,” he said at the same accounting conference.

PwC also provided its clients with a generic mapping tool, said Soske. “It allows a company to deposit their system of internal control into a tool that allows them to consider how those controls map to the principles,” he said.