Now that COSO has completed the update of its widely used internal control framework, it's time for companies to lay it out against their existing systems of internal control and determine where control changes might be in order.

COSO has published a final overhauled version of its Internal Control—Integrated Framework, giving public companies a new foundation for how to establish internal controls over financial reporting that will pass muster with auditors and the Securities and Exchange Commission. The 1992 framework has long served as the means most accepted by the SEC for achieving compliance with Sarbanes-Oxley Act Section 404 reporting requirements, but COSO's board saw a need to update the framework to reflect two decades of changes in business and technology.

The good news is that the core principles of the original framework are still intact, so internal control experts believe there's no need for companies to take out a blank sheet of paper and begin re-inventing their internal controls. And more good news: Companies have plenty of time to consider what changes they need to make, since the framework won't be considered fully effective until the 2014 year-end financial reporting period.

That doesn't mean, however, that companies can just breeze through the hundreds of pages of new guidance published by COSO, says John McLaughlin, a partner with BDO USA. In addition to the revised framework, COSO also published companion documents offering examples and tools for companies to consider.

“You've got to create awareness within your organization around this framework,” McLaughlin says. “The '92 framework related to financial professionals, but this framework is meant to relate to everyone.” Companies need to begin their adoption of the revised framework by first educating the board, audit committee, senior management, and even operational management about the existence of the new guidance and the need to perform a gap analysis, he says. “That will take time,” he says.

Indeed, the COSO board expanded the scope of the original framework to make it applicable not just to financial reporting, but to compliance and operations as well. That means it will touch more of the organization, says McLaughlin. “There are examples that relate to the sales force, for example, so it will take time to educate all those people,” he says.

The framework retains the same five core components of internal control as the original, says COSO Chairman Dave Landsittel. It says effective internal controls are geared to the achievement of objectives and that they are a means to an end, not an end in themselves. It also asserts that internal control is effected by people, not merely by policies and procedures, and that it is meant to provide reasonable, not absolute, assurance. Controls should also be adaptable to an entity's structure, so they can be applied to the entire company or to a particular operating unit or business process.

Underlying Principles

Perhaps the most significant change in the new framework is the articulation of 17 principles that lie beneath those five components, says Christian Peo, a partner with KPMG. “Under the '92 framework, you had an effective system of internal control if each component of the framework was present and functioning,” he says. “Now you need to go one level below and look at the 17 principles that go along with the five components.”


Peo recommends companies begin their assessment by examining the controls they currently have in place and analyzing how well they stand up to the 17 principles described in the new framework. “COSO says those 17 principles were implicit in the 92 framework, but now they are bringing them to the forefront and making them explicit,” he says. “That's probably where most companies will focus their attention.”

The analysis will differ among companies depending on their existing control environment and the nature of the business, says Sara Lord, a partner at McGladrey. A non-accelerated filer with a single operating location, for example, may work its way through an analysis fairly quickly, she says, while a multinational with many different reporting structures will have a much bigger job on its hands.

For the majority of companies, Lord anticipates that much of the work will go into improving technology and documentation as a result of applying the new guidance. “The framework is expanded to look much more at technology,” she says, for example requiring companies to look more closely at their controls over outsourced processes, such as payroll. As for documentation, she expects that because the new framework is more structured, with 17 principles listed for all controls, companies will likely have to produce more documentation to show how their controls fit the new structure. “How do we show we have good controls?” she says. “This is going to require some thinking, and documentation to reflect it.”

COMPONENTS AND PRINCIPLES

Below is an excerpt from COSO's updated framework, describing the 17 principles supporting internal control.

The Framework sets out seventeen principles representing the fundamental concepts associated with each component. Because these principles are drawn directly from the components, an entity can achieve effective internal control by applying all principles. All principles apply to operations, reporting, and compliance objectives. The principles supporting the components of internal control are listed below.

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Source: Committee of Sponsoring Organizations of the Treadway Commission.

The new framework could drive boards to take more responsibility for oversight of controls, says Mike Rose, a partner with Grant Thornton. “At the board and senior management levels, this will enhance the overall governance concepts,” he says. “It will help boards move to a clearer level of responsibility in the organization and more accountability. We've been moving in that direction the past several years.”

Andrew Schweik, a director at Crowe Horwath, agrees companies likely will have some incremental work to do to comply with the new framework. “They're probably going to have to enhance their entity-level controls,” he says. “Not necessarily modify, but enhance, and improve the documentation around controls.”

The new framework will also drive a strong analysis on risk, Rose says. “The updated framework really provides guidance on that, and it's an area that most of business and industry is already really focused on right now,” he says.

Stephen Soske, a partner at PwC who assisted with developing the revised framework, says the COSO board created plenty of room for transition, with the existing framework recognized through Dec. 15, 2014. If companies spend time over the next several months identifying where they need to make changes to existing controls, they should be able to meet the timeline. “In our discussions with a number of organizations, a lot of them are already doing it,” he says.

Peo also advises companies to perform their analysis after a fresh read of the 2007 guidance published by the Securities and Exchange Commission advising management on how to establish sound internal controls. “The SEC has been encouraging people to read the 2007 guidance at the same time as the COSO guidance,” he says. “That's pretty good advice.”

Smaller companies also need to take note that the new framework supersedes COSO's 2006 guidance on applying internal control over financial reporting to smaller public companies. “That shouldn't be overwhelming to smaller companies,” says Brian Christensen, executive vice president at consulting firm Protiviti. “This presents them with an opportunity to understand what are good, solid operating and internal control practices that they need to be considering.”