Reflections on the updated COSO Internal Control Framework
I am still in the process of my detailed review of the update. However, I have already formed two opinions:
- The assertion that “an effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives” is excellent and I am pleased that it comes before any discussion of principles
- The assertion that follows, that this (reducing risk to an acceptable level) requires that “each of the five components and relevant principles is present and functioning” creates a serious problem
Let’s examine the problem created by COSO saying that effective internal control requires that all relevant principles are present and functioning. I say ‘principles’ because the Framework asserts that no component can be assessed as present and functioning if there are major issues with any of the related principles.
Rather than taking an approach that requires that risks to the achievement of objectives be identified, and then an assessment made as to whether the combination of controls across all components of the Internal Control Framework reduces the level of risk to acceptable levels (i.e., a top-down, risk-based approach like those recommended in PCAOB, SEC, and IIA guidance), the assessor is directed to assess the principles. This creates a high risk, highlighted by many commentators on the drafts submitted earlier for review, that the assessment will be based on a checklist: a checklist formed by the principles.
Now an argument can be made, requiring some contortions of logic, that the same result as a top-down and risk-based approach is achieved because the principles include the required steps of a risk-based approach (principle 7 refers to the identification of risks, principle 10 identifies control activities that “contribute to the mitigation of risks to the achievement of objectives to acceptable levels”, and principle 11 talks about IT general controls – though they should be included in principle 10). Then, so the logic goes, the assessment is made as to whether there are any major deficiencies (i.e., one that “severely reduces the likelihood that the entity can achieve its objectives”). Does this, in fact, result in the same assessment?
Possible, but unlikely.
- As we know from PCAOB and SEC guidance and our experience on SOX assessments, indirect entity-level controls do not necessarily result in a higher risk of failure to achieve objectives (in the case of SOX, the objective is a set of financial statements free from material misstatement). Indirect entity-level controls only create a higher risk that direct controls will fail. Then it is up to the assessor to determine whether, especially considering the quality of monitoring controls, the risk to objectives is greater than acceptable levels
- The determination of a major deficiency (see above) is not whether the risk to achievement of objectives is greater than acceptable levels. That assessment, requiring judgment, still has to be made but is not referred to as far as I can tell in the updated Framework
- I believe it is likely that an assessment based on the principles rather than risks to the achievement of objectives will result in (a) assessment of principles that are not relevant to the assessment of risk to achievement of objectives, and (b) a failure to consider all the key controls (using SOX language) relied upon to reduce the level of risk to objectives to acceptable levels
Why do I believe this? Just look at the COSO (or PwC) suggested templates for assessing internal control. Do they take a top-down, risk-based approach, or do they instead ask for an assessment of the principles, with yes or no answers and no reference to acceptable levels of risk?
I suspect that over time we will learn how to use the updated Framework while remaining true to the top-down and risk-based approach. But, in the meantime I fear that many will lose their way.
Until now, the choice has been rules-based or principles-based. I always thought that in the case of internal control, principles-based referred to the principle that internal control is not perfect and only provides reasonable assurance that risks to the achievement of objectives are at acceptable levels. PwC and COSO have blurred, in my opinion, the distinction between rules-based and principles-based. I just wished they had gone for “risk-based”.
I welcome your comments.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
PS – While I am critical of the assessment process, each of the Principles represent valuable elements of an effective system of internal control. The issue is whether they are always critical and essential before you can assess internal control as providing reasonable assurance that risks to the achievement of objectives are at acceptable levels.
PPS – The acceptable level of risk to objectives is not necessarily the same for every objective.
Norman:
You make a lot of good points. Applying the framework internally, I am comfortable with the 17 principles. The issue will be if our external auditor attempts to audit us against these principles, and I think we need to be ready for that.
On side note, I am very displeased with the e-book version of the revised framework from the AICPA. I found the Adobe Digital Edition download process to be difficult and moving the publication to multiple devices is a major pain. Getting it to run on an iPad is especially difficult and it looks horrible on an iPad. The resolution is fuzzy and it looks like a poorly scanned copy. Why not issue the framework as a pdf file? Password protect it if you’re worried about people copying and sharing it. On that note, is anyone objecting to the cost of the framework and its related materials? We all need to buy multiple copies of this and it seems like some price gouging going on. In any event, I would strongly recommend that people buy the print version until the e-book issues are resolved. I’m calling the AICPA to get my money back and get a hard copy.
Thank you for taking the time to share your reflections Norman!
This updated COSO remains a framewok, not a set of rules executable as such. The test is whether it is possible, in any ICS, to deduct all the existing controls from the COSO, and whether it is possible to classify all existing controls in at least one of the COSO catagories/principles. If those two conditions are respected, I can use it as a general standard for my audits.
Your point is valid. I always struggle with a risk based approach vs. principle based approach. In national COSO based versions of internal control frameworks, as in Colombia and Paraguay(MECI and MECIP) they name standards to the principles, and the framework is designed to check if standards are implemented. But I think that even in a risk based approach, we have yet to assess the component control environment. How do you asses the component control environment vs. risks to the achievement of objectives, in a top-down risk based approach?
Eduardo, activities in the Control Environment are important and need to be addressed. However, they only have an indirect effect on the ability to achieve objectives: they raise or lower the risk that controls in other components are in place and operating effectively on a consistent basis.
COSO themselves have recognized that smaller companies and non-publicly traded organizations may not have an effective set of independent directors (one of the Principles). Does that necessarily mean that these organizations cannot have an adequate system of internal control? Surely, they can and often do. Small companies have owners who have close proximity to the direct controls as well as an intimate knowledge of the business. Consider the COSO ICF for small businesses.
This Guidance is not intended to preclude financial institutions from doing business with a customer merely because of its potentially higher risk status. Rather, it is designed to assist institutions to identify situations where additional measures and controls may be appropriate. Even with the use of a reasonably designed risk based approach, a financial institution may unwittingly be involved in money laundering. Such findings do not invalidate the risk based approach and should not result in unwarranted criticism of an institution that has implemented such an approach.
Still trying to find the time to thoroughly read the documents, but I have to say that the printing and purchasing process via the AICPA leaves much to be desired. The direct number to the AICPA is misprinted in all 4 books – two numbers are transposed, and they take you to a chat line. When I called the AICPA about it on June 6th, it was the first time they were aware of the misprint.
Also, when I ordered the books on May 22nd, free priority next day shipping was offered at no cost (same as standard shipping), so I took advantage of the deal. Turns out, the AICPA made a mistake on their website and made me pay for it! I have been charged full price for shipping. They “will see” if they can get the necessary approvals to refund my card. Overall, a very frustrating process for ridiculously overpriced material. The framework should be put in the public domain at no charge.
In the article you mention that you believe it is likely that an assessment based on the principles rather than risks to the achievement of objectives will result in a failure to consider all the key controls (using SOX language) relied upon to reduce the level of risk to objectives to acceptable levels. Any guidance I have found is in regard to key financial reporting control for SOX, do you have guidance for key operational or compliance controls?
My suggestion for key operational and compliance controls is to start with the objective you are trying to achieve. What are the risks to the achievement of those objectives (use the Risk Assessment component)? What controls are then required to manage those risks at acceptable levels.
Do you see other companies testing key operational or compliance controls in addition to their other SOX testing?
I see internal audit departments testing controls for other risks, and other assurance groups testing controls in areas such as physical security and so on.