The burden of adopting the newly updated COSO framework for internal controls will depend on how closely a company's control environment is aligned with the original framework, say internal control experts.

Speaking at the Compliance Week 2013 conference in Washington, D.C., last week, executives from Raytheon and Pfizer said they haven't yet fully assessed what it will take for their companies to adopt the freshly revised Internal Control — Integrated Framework published by the Committee of Sponsoring Organizations, but at minimum they are expecting to produce new documentation. They hope, like many compliance officers who attended the conference and aired their concerns, it won't lead to the discovery of control gaps.

Companies are also hoping the new version of the controls framework does not spark a renewed effort by regulators to heighten scrutiny of internal controls. The massive, detail-driven effort to comply with the Sarbanes-Oxley Act of 2002 was followed by a right-sizing effort a few years later when the Public Company Accounting Oversight Board ratcheted back the prescriptive demands of its original auditing standard. More recently, the PCAOB is finding through its inspection process that auditors have become a bit too lax on internal controls, leading to a new focus on shoring up control weaknesses.

The introduction of a new COSO framework now has compliance officers wondering how far the pendulum will swing this time. “I just spent the last several years going from 125 key controls to 25,” said a compliance officer in attendance at the event who wished to remain anonymous. “I'm not feeling good about this right now.” Another compliance officer, who also spoke only on the condition of anonymity, said she is worried about whether the adoption of the new framework will resemble the initial adoption of Sarbanes-Oxley. That, she said, was “a near death experience.”

The experience will vary for each company, said Ray Purcell, director of financial controls at Pfizer, depending largely on how well a company's present control environment maps to the original 1992 COSO framework. The key difference between the 1992 framework and the newly revised framework is the articulation of 17 principles of good internal control that lie beneath the foundational five components of internal control. The original framework contemplates and addresses those principles, so they aren't new to the framework, but the new framework makes them much more explicit, experts say.

The original and the new framework both say that a good system of internal control will consist of a control environment, a risk assessment, control activities, information and communication, and monitoring activities. The new framework goes on to elaborate the principles that support each of those five components. For example, regarding the control environment, the new framework says the organization must demonstrate a commitment to integrity and ethical values, and the board must demonstrate independence from management and oversee controls, although management establishes the authorities and responsibilities for controls. It also says the organization must demonstrate a commitment to adequate, competent staffing to maintain controls, and it must hold those individuals accountable.

The inclusion of the 17 principles that support each of the five components will require companies to take a fresh look at their controls and assess how well they map to those principles, said Purcell. “You may have in your 404 program some gaps if you didn't have a concept of a model as drawn out in 1992,” he said. “That's where you are going to have to think about whether you have a gap. If you do, that will certainly drive some work.”

Even if a company identifies no gaps in its controls, practically everyone will have at least some documentation to do, says Purcell. “When you document your system of internal controls today, you probably aren't talking about the 17 principles, but clearly you'll need to do that,” he said.

Steven Forrest, assistant controller for Raytheon Co., said he also expects his company to face some documentation needs. As the framework was in development, Forrest was already contemplating how the inclusion of 17 explicit principles would affect the company's adoption of the new framework. “We have been looking at the 17 principles, and we have that activity, but we really need to map what we have in the controls and the documentation to line it up,” he said. “For some of the principles, we don't have robust documentation, so we will demonstrate with documentation that the company satisfies those principles.”

Marie Hollein, president and CEO of Financial Executives International and a member of the COSO board, said COSO is planning a series of educational sessions around the country later this year that will provide a “deeper dive” into how companies can go about adopting the framework. COSO decided to update the framework because the business environment has changed a great deal over the past two decades, especially with respect to the use of technology. “The basic framework has not changed,” she said. “What we did change was we added a lot of clarification, interpretation, and examples as well to really help you work through that process.”

SUMMARY OF UPDATES

Below is an excerpt from a CW 2013 PowerPoint presentation given by Marie Hollein of FEI, Ray Purcell of Pfizer, and Michael Wood of Raytheon in regard to COSO's internal control framework.

What is changing …

1. Codification of principles with universal application for use in developing and evaluating the effectiveness of systems of internal control

2. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives

3. Increased focus on operations, compliance and non-financial reporting objectives based on user input

What is not changing …

1. Definition of internal control

2. Five components of internal control

3. The fundamental criteria used to assess effectiveness of systems of internal control

4. Use of judgment in evaluating the effectiveness of systems of internal control

Source: COSO Framework Presentation.

Forrest said Raytheon will not fully adopt the new framework in 2013 for reporting purposes, but it will use the remainder of 2013 for a “dry run,” with plans to fully adopt it in 2014. Purcell suggested companies begin the process by reading the entire framework, then referring to the accompanying guidance on an as-needed basis. In addition to the framework, COSO also published some examples and tools to further explain how companies should proceed. The entire package is more than 600 pages.

So far, the Securities and Exchange Commission is saying nothing about what it expects companies to do with respect to adopting the new framework. The SEC requires companies to use a “suitable” framework as the basis for their system of internal control. It doesn't specify which framework companies must use, but it has never pointed to any framework other than the COSO 1992 framework as suitable. COSO says it will no longer support the 1992 framework effective Dec. 15, 2014.

Purcell and Forrest said companies would be wise to spend 2013 assessing their controls and documentation in light of the new framework so they will be ready to adopt it in 2014. Sarbanes-Oxley requires companies to have controls in place as of the day of the report, so companies that attempt to adopt in 2013 face a considerable risk if they miss a self-imposed deadline of fully implementing the framework by the end of the year.