Home > Risk > Let’s get practical with COSO 2013

Let’s get practical with COSO 2013

The highly respected periodical Compliance Week just published an article that appears to reflect misunderstanding if not panic in some quarters over the updated COSO Internal Control – Integrated Framework.

Written by Tammy Whitehouse with a title of COSO Framework Update Introduces New Measure of Deficiency , the piece includes quotes from interviews with a number of consultants and other experts, including the new chairman of COSO and me.

I was struck by a number of apparent inferences:
1. There is confusion over the use by COSO of the term “major deficiency” when for SOX purposes we have been using the terms deficiency, significant deficiency, and material weakness.
2. People are worried because they are unsure how the updated framework will affect their SOX program.
3. Some seem to believe that if they have a deficiency related to one risk area that will affect their assessment for SOX.

Let’s take each of these in turn. By the way, Tammy was unable to include in the article my comments on these points, presumably for lack of space.

1. When it comes to SOX, we continue to use the same terms as before. As Bob Hirth pointed out, COSO recognizes that when there are regulations in an area, as there are for SOX with SEC and PCAOB guidance, that takes precedence.

We should also recognize that the term in COSO is not new. Organizations and their internal auditors have been using it for decades.

2. If an organization was truly basing their SOX assessment on the prior version of the COSO framework, they are already “compliant” with the updated version. The only issue is that they have to be able to show how they achieve the principles. This can be done with minimal effort through a management self-assessment. Where the level of risk justifies, consistent with current practice, related key controls are identified and tested. (I expect the IIA will publish an update to my SOX book in a few months that guides this process.)

3. If you have a deficiency in a different risk area, such as in compliance with safety regulations or the delivery of revenue growth, that will not prevent you from assessing your internal control over financial reporting as effective.

I believe the only implementation issue will be on how much evidence you need to support management’s assertion that all the principles are present and functioning. I believe, and have many experts supporting me on this, that you need to consider the risk to the financial statements if there is a defect in a principle. That risk is indirect; please refer to the discussion in AS5 on entity-level controls that have an indirect effect. The greater the risk, the greater the need for key controls to support and augment management’s self-assessment.

As for those who are concerned because they haven’t read this long document. Let me reassure you. If you read and understood COSO 1992 you will not find anything different in 2013, at least anything substantial. The 17 principles were there before; they now have been emphasized. Some discussions, such as on monitoring, are improved.

This is NOT a radical new document that should cause concern.

But that doesn’t mean you should leave implementation for SOX to 2014! Do your self-assessment now and start any remediation now, because it will take time to upgrade issues like the composition and practices of the audit committee, or the training of staff.

I welcome your comments.

  1. July 26, 2013 at 6:26 AM

    Why do I believe this? Just look at the COSO (or PwC) suggested templates for assessing internal control. Do they take a top-down, risk-based approach, or do they instead ask for an assessment of the principles, with yes or no answers and no reference to acceptable levels of risk?

  2. Ryan
    March 2, 2014 at 3:15 PM

    Do you have an example of a self-assessment format or template that you would recommend?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: