Protiviti provides insights into COSO 2013

The latest publication from Protiviti with answers to Frequently Asked Questions about the Updated COSO Internal Control Framework has some excellent content.

Protiviti emphasizes the continuing need to embrace the top-down and risk-based approach in determining the scope of the SOX program. I like that and congratulate them for emphasizing that point.

However, they have also suggested (as has pretty much everybody else) that companies should map controls to the 17 COSO Principles.

I have expressed my disagreement with the idea of identifying controls to include in the SOX scope before determining whether there is a risk (at least a reasonable possibility of a material error or omission in the financial statements filed with the SEC) that needs to be addressed.

However, it is useful on general principles to consider all the Principles and discuss them with senior management and then with the Board (or audit committee).

The Principles are important, if not essential, to a system of internal control that addresses risks to the more significant objectives of the organization. It is very difficult to argue that they don’t represent good business practices.

But when it comes to the SOX scope, the regulators have said that you can assess the system of internal control as effective if there are no material weaknesses.

How do you reconcile that with the commandments in COSO 2013 that the system of internal control is effective when:

(a) It provides reasonable assurance that risks to objectives are at acceptable levels. (Unfortunately, many consultants, trainers, and commentators have overlooked the COSO text that puts this requirement first, before talking about components and principles),

(b) The components are present and functioning and working together, and

(c) All relevant principles are present and functioning?

A couple of observations:

(a) You can assess the components as present and functioning if you have assessed the principles as present and functioning.

(b) You can assess the principles as present and functioning if any deficiencies are less than “major” (i.e., represent less than a significant risk to the achievement of the objective). In other words, if you don’t have a deficiency relating to the principle that would be assessed (using traditional SOX control deficiency methods) as a material weakness, you can consider the principle as present and functioning.

In one section, Protiviti suggests that if you have a deficiency such that you assess the principle as other than present and functioning, you have a material weakness. I think that is circular thinking. You don’t assess the principle as less than present and functioning unless there is a deficiency that you assess as (in SOX terms) a material weakness. So it’s not the fact that the principle is defective that leads to the material weakness; it’s the material weakness that leads to the principle being defective.

Many of the controls required to address the principles are of the type discussed by the regulators as “indirect entity-level controls”. When these fail, their effect is not to create risk to the financial statements directly; their effect is to increase the level of risk that other controls will fail.

If there is less than a reasonable possibility that, as a result of the indirect control failing, one or more direct controls will fail and lead to a material error or omission, then the failure of the indirect control should not be considered a material weakness.

So, you need to know your direct control population before you can assess potential indirect control deficiencies. Let’s take an example and consider two of the Principles:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.

Any company generates and communicates a massive volume of information. However, what we are concerned about for SOX (in fact for any objective) is whether the individuals performing key controls have the information they need to perform those controls reliably. In order to assess whether these Principles are present and functioning, you need to assess them in relation to your key controls – and for that you need to know what those controls are.

The same thing applies to Principle 4: “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.” Here, we are concerned about the competency of the individuals performing and responsible for our key controls. We all know that even a world-class HR department doesn’t mean that every employee is world class, so I for one would have difficulty placing reliance on HR processes. I need to assess competency as part of assessing each key control.

By the way, Protiviti (and PwC) suggest that there are multiple objectives when it comes to SOX. I have one: “the financial statements that are filed with the SEC are free of material error or omission”. This single objective covers all the objectives they have suggested. For example, compliance with accounting standards is necessary to have the financials free of material error.

I have previously shared my approach to this issue of integrating the COSO 2013 Principles into the top-down and risk-based approach. It is explained in more detail, principle by principle, in my SOX book (available from the IIA Bookstore and Amazon).

The more I talk about my approach with regulators, firm partners, COSO leaders, and senior practitioners, the more I think it is common sense and practical.

So here’s a refinement for those who have already mapped controls to the principles.

Take each of the controls that have been determined as necessary to address the principles and ask this question:

“If this control failed, would it represent at least a reasonable possibility that a material error or omission in the financial statements filed with the SEC would not be prevented or detected on a timely basis?”

If the answer is no, then you may at your discretion remove this control from the SOX scope. If it failed, it would not cause the principle to fail; there would be no material weakness.

Remember that the SEC and PCAOB have directed that the scope only needs to address the risk of a material misstatement. Going further is a choice.

Should your external auditor, consultant, or other advisor ask that you include a control “because it is necessary to meet COSO requirements” or because “it is necessary to meet our firm requirements”, ask them this:

“Why? Where is the risk? If it failed, would it lead to a material weakness?”

I welcome your comments.

  1. Bhaskar S
    May 3, 2014 at 11:33 PM

    Norman, how about integrating BPM with COSO ERM COBIT so that there is an overarching framework which could address all enterprise initiatives? All Enterprise Processes (BPM, say as per APQC standard) could be the starting point, linking with the Business Objectives and ending with the RCSA, sample mgmt testing, sample IA testing and external auditors testing linked into the ERM heatmap of the organization.

  2. Norman Marks
    May 4, 2014 at 6:24 AM

    Bhaskar, I believe there is always an opportunity to address process inefficiencies as well as auditing for control effectiveness. When internal audit does the testing, I hope that they are alert to and seizing those opportunities.

    I would start with objectives and risks to objectives, not with the business processes that support them.

    COBIT is useful once you get into ITGC and are defining ITGC control objectives and assessing controls there.

  3. Bhaskar
    May 4, 2014 at 6:51 AM

    Thanks Norman, agree. Testing must start with objectives, the inter-linked processes to achieve them, risks, controls, and evaluate these against the COSO elements, principles & the points of focus.

  4. May 5, 2014 at 1:52 AM

    I completely agree that the approach in determining the scope of the SOX program must be risk-based (not so sure about the top-down). In other words, if you cannot spell out the risk, there is no need for a control objective. That said, in the process of assessing risk it is assumed that we have full understanding of our environment and business processes, both of which are variables. Therefore, cutting down on controls because no present risk can be identified could constitute a risk in itself. I think that the best risk-based SOX controls environment is one that is self-adjusting based on internal and external events such as incident response, audit evaluation, risk assessment, whistleblower analysis… (not always top-down).

    • Norman Marks
      May 8, 2014 at 9:05 AM

      Gonzalo, you can always do more but both the SEC and PCAOB (and I) advise top-down. That approach is spelled out in AS5 and (better) in the SEC’s Interpretive Guidance.

  5. Greg Kirkland
    May 8, 2014 at 8:27 AM
    Great article. Could you point me to the guidance that states “regulators have said that you can assess the system of internal control as effective if there are no material weaknesses.”

  6. Norman Marks
    May 8, 2014 at 9:03 AM

    Greg, it is in PCAOB Auditing Standard Number 5 and in the SEC’s Interpretive Guidance.

  7. Jean-Michel Boudreault
    May 13, 2014 at 7:31 PM

    Norman, thank you for your article. Now, you seem to suggest that you may reasonably exclude individual controls from SOX scope simply through an evaluation of the risk of material misstatement associated with those individual controls. But I would like to point out that a material weakness can (and usually does) result from a COMBINATION of control deficiencies, and therefore you should not simply consider the risks of individual control failures in isolation when scoping for SOX (see AS5, section 65).

  8. Norman Marks
    May 13, 2014 at 10:51 PM

    Jean-Michel, you are absolutely right. But we are talking about at least a reasonable likelihood that the controls will fail at the same time with the error in the same direction. That likelihood must be considered.

    But if there is no reasonable possibility that the control will fail and, in combination with other failures if appropriate, lead to a material misstatement, then the control is not being relied upon to prevent or detect such a misstatement.
