Protiviti provides insights into COSO 2013
The latest publication from Protiviti, with answers to Frequently Asked Questions about the updated COSO Internal Control Framework, has some excellent content.
Protiviti emphasizes the continuing need to embrace the top-down and risk-based approach in determining the scope of the SOX program. I like that and congratulate them for emphasizing that point.
However, they have also suggested (as has pretty much everybody else) that companies should map controls to the 17 COSO Principles.
I have expressed my disagreement with the idea of identifying controls to include in the SOX scope before determining whether there is a risk that needs to be addressed (at least a reasonable possibility of a material error or omission in the financial statements filed with the SEC).
However, it is useful on general principles to consider all the Principles and discuss them with senior management and then with the Board (or audit committee).
The Principles are important, if not essential, to a system of internal control that addresses risks to the more significant objectives of the organization. It is very difficult to argue that they don’t represent good business practices.
But when it comes to the SOX scope, the regulators have said that you can assess the system of internal control as effective if there are no material weaknesses.
How do you reconcile that with the commandments in COSO 2013 that the system of internal control is effective when:
(a) It provides reasonable assurance that risks to objectives are at acceptable levels (unfortunately, many consultants, trainers, and commentators have overlooked the COSO text that puts this requirement first, before it turns to components and principles),
(b) The components are present and functioning and working together, and
(c) All relevant principles are present and functioning?
A couple of observations:
(a) You can assess the components as present and functioning if you have assessed the principles as present and functioning.
(b) You can assess the principles as present and functioning if any deficiencies are less than “major” (i.e., represent less than a significant risk to the achievement of the objective). In other words, if you don’t have a deficiency relating to the principle that would be assessed (using traditional SOX control deficiency methods) as a material weakness, you can consider the principle as present and functioning.
In one section, Protiviti suggests that if you have a deficiency such that you assess the principle as other than present and functioning, you have a material weakness. I think that is circular thinking. You don’t assess the principle as less than present and functioning unless there is a deficiency that you assess as (in SOX terms) a material weakness. So it’s not the fact that the principle is defective that leads to the material weakness; it’s the material weakness that leads to the principle being defective.
Many of the controls required to address the principles are of the type discussed by the regulators as “indirect entity-level controls”. When these fail, their effect is not to create risk to the financial statements directly; their effect is to increase the level of risk that other controls will fail.
If there is less than a reasonable possibility that, as a result of the indirect control failing, one or more direct controls will fail and lead to a material error or omission, then the failure of the indirect control should not be considered a material weakness.
So, you need to know your direct control population before you can assess potential indirect control deficiencies. Let’s take an example and consider two of the Principles:
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
Any company generates and communicates a massive volume of information. However, what we are concerned about for SOX (in fact for any objective) is whether the individuals performing key controls have the information they need to perform those controls reliably. In order to assess whether these Principles are present and functioning, you need to assess them in relation to your key controls – and for that you need to know what they are.
The same thing applies to Principle 4: “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.” Here, we are concerned about the competency of the individuals performing and responsible for our key controls. We all know that even a world-class HR department doesn’t mean that every employee is world class, so I for one would have difficulty placing reliance on HR processes. I need to assess competency as part of assessing each key control.
By the way, Protiviti (and PwC) suggest that there are multiple objectives when it comes to SOX. I have one: “the financial statements that are filed with the SEC are free of material error or omission”. This single objective covers all the objectives they have suggested. For example, compliance with accounting standards is necessary to have the financials free of material error.
I have previously shared my approach to this issue of integrating the COSO 2013 Principles into the top-down and risk-based approach. It is explained in more detail, principle by principle, in my SOX book (available from the IIA Bookstore and Amazon).
The more I talk about my approach with regulators, firm partners, COSO leaders, and senior practitioners, the more I think it is common sense and practical.
So here’s a refinement for those who have already mapped controls to the principles.
Take each of the controls that have been determined as necessary to address the principles and ask this question:
“If this control failed, would it represent at least a reasonable possibility that a material error or omission in the financial statements filed with the SEC would not be prevented or detected on a timely basis?”
If the answer is no, then you may at your discretion remove this control from the SOX scope. If it failed, there would be no material weakness, and so the principle would not fail either.
Remember that the SEC and PCAOB have directed that the scope only needs to address the risk of a material misstatement. Going further is a choice.
Should your external auditor, consultant, or other advisor ask that you include a control “because it is necessary to meet COSO requirements” or because “it is necessary to meet our firm requirements”, ask them this:
“Why? Where is the risk? If it failed, would it lead to a material weakness?”
I welcome your comments.