More Poor Guidance on COSO 2013

I continue to be concerned that accounting firms are providing poor guidance to their clients and other organizations.

Let’s look at new guidance from PwC’s Canadian firm, “What does it mean to me? Frequently asked questions about the COSO Updated Framework”.

PwC asks and provides their answers to a few questions, including:

Q: What might happen if my company does not update to the 2013 Framework?

A: There are indications that the SEC will take a close look at any company that doesn’t make this transition. We’re encouraging our clients to transition before December 15, 2014.

Norman: PwC fails to point out that this only applies to the SOX assessment of internal control over financial reporting for organizations subject to that compliance requirement. There is no requirement to adopt COSO 2013 for any other business objective.

Q: Are there new/updated requirements for effectiveness?

A: While the fundamental requirements haven’t changed, there’s greater clarity around what management should assess in determining effectiveness. The requirements are that:

  • Each of the five components and relevant principles are present and functioning
  • The five components are working together in an integrated manner

Norman: I find it unforgivable that PwC omits the first and most significant requirement: internal control is effective when it provides reasonable assurance that risk to objectives is at acceptable levels. Unforgivable because this is the primary and overriding way to assess internal control; it comes ahead of the requirements relating to components and relevant principles in the COSO section on Effectiveness; and PwC really should get this right, as they wrote the COSO 2013 update! (By the way, I give PwC kudos for pointing out that the “fundamental requirements have not changed”.)

Q: Isn’t this just a mapping exercise? Can’t you just use the template?

A: The mapping of controls based on the 1992 Original Framework to the updated 2013 Updated Framework is a key part of the transition. Many companies seem to think it’s just a mapping exercise and that there’s little they need to do to apply the update. We’ve heard of other organizations who think that because they had a clean certification last year, there won’t be any challenges this year. However, once they start this mapping, many companies are finding that updates are needed to their system of internal control. The mapping templates help draw this out, and management should expect some level of added effort to the update.

Norman: There is no requirement to map your controls from last year to the Principles. This is a creation of consultants.

The requirement is to demonstrate that the Principles are present and functioning, which will serve to demonstrate that the components are present and functioning and working together in an integrated manner.

I give credit to Deloitte for including this distinction in their firm’s internal training (according to the lady who runs it for them). Companies don’t need to take all their existing controls and map them to the new Principles. Instead, they need to identify the controls that satisfy the Principles.

I again give credit to Deloitte for training their people that there is no need to identify controls for every Point of Focus. The latter are provided to assist in addressing the Principles.

The other major problem, and this applies to all the guidance I have seen on COSO 2013, is the failure to note that the requirement to assess internal control over financial reporting using a top-down and risk-based approach has not changed. This is mandated in Auditing Standard Number 5 (which has not been changed), included in the SEC’s Interpretive Guidance (which has not been changed), and strongly reinforced in the PCAOB’s Staff Alert 11 of October, 2013 (published after the release of COSO 2013).

The assessment of the Principles should be based on whether any gap represents what COSO calls a major deficiency: one which represents a significant risk to the achievement of the objective of reliable financial reporting to the SEC. Absent such a major deficiency, which basically translates to a material weakness, the Principles can be assessed as present and functioning. I have confirmed this with COSO and several audit firm partners.

Finally, the mapping templates can be and generally are misused. When consideration of risk is not included, these templates are just checklists. This is why many organizations are warning against the checklist approach to COSO 2013 adopted by firms and registrants alike.

I like how the PCAOB Board Member Jeanette Franzel advised organizations to avoid the checklist approach and use the 2013 Update as an opportunity to revisit the system of internal control’s design, effectiveness, and efficiency.

I have talked to a number of PwC partners about the COSO 2013 update and its effect on SOX. They “get it”, so this failure to talk about providing reasonable assurance that risk to objectives is at acceptable levels is not pervasive across PwC. I hope it is limited to this guidance.

These partners know that the assessment of effective internal control over financial reporting is still based on whether there are no material weaknesses. Translating this into COSO language: the objective is to file financial statements that are free of defect; the acceptable level of risk is that they do not contain any material errors or omissions; if there are no material weaknesses, then it should be possible to show that the principles are free of major deficiency and thus present and functioning.

I welcome your comments.

By the way, this is addressed in more detail in the guidance to management on SOX published by the IIA (written by me).

  1. Norman Marks
    July 30, 2014 at 4:18 PM

    I have just updated the post to reflect the fact that the PwC partners I have spoken to (my old firm) have a good understanding of the need to retain the top-down and risk-based approach, and that the principles can be assessed as present and functioning if there are no gaps that would present a major risk to the SOX objective.

    I have also corrected a typo: Jeanette Franzel is a member of the PCAOB board, not FEI.

  2. Dan Clayton
    August 1, 2014 at 5:42 AM
    I agree with your analysis for the most part, but feel it is emblematic of a larger issue with the entire COSO framework. There was a time in the evolution of risk and control concepts where process level analysis was king, and COSO was its tool. As these concepts were first formalized within the assurance profession they were focused on transactions and tasks. At that time, it was innovative and efficient to step out of the detail and consider the whole process. However, with any good theory that has staying power, the next step in maturity is to grow more ways to interconnect with the existing environment.

    The environment is that of the organizational structure. Strategy, Initiatives, departments, functions, business objectives, management oversight, operational alignment of people, process and technology… In 2009 when ISO 31000 Risk Management defined risk as the effect of uncertainty on objectives, it set the bar for what risk and control concepts could achieve – something much larger than process level considerations and a few token comments about strategic planning.

    I recently documented a new Chief Audit Executive risk assessment process. Prior to her new effort, PwC had been paid to run the process the year before. Their product was a book with very detailed SOX-like tasks and risks to define these tasks by business area. They have effectively done control documentation at the process level and used it as a risk assessment. The feedback from management was that it was a tremendous amount of effort, where the business managers had to define numerous tasks and at the end of the day did not understand or agree that the risks identified were those most important to them. The new CAE had changed the process and set up facilitated group conversations. From reviewing the results, the High risks were seldom identified at the process level. They existed in the development of a new oversight mechanism, the lack of education, poor alignment of a technology with a business objective, etc…

    If a framework for risk and control is not robust enough to answer the question, “what business objective is impacted by this risk?”, it is not centered on a foundation that will grow in strength. Risk and Control frameworks that put that question central to their purpose, and recognize that risks can be found in all the organizational components required in achieving an objective, will become interconnected with existing operational philosophy and strengthen as they add value at the right points to the organization. In short, the risk and control concepts have matured past their once useful process level foundation.
