More Poor Guidance on COSO 2013
I continue to be concerned that accounting firms are providing poor guidance to their clients and other organizations.
Let’s look at new guidance from PwC’s Canadian firm, “What does it mean to me? Frequently asked questions about the COSO Updated Framework”.
PwC asks and provides their answers to a few questions, including:
Q: What might happen if my company does not update to the 2013 Framework?
A: There are indications that the SEC will take a close look at any company that doesn’t make this transition. We’re encouraging our clients to transition before December 15, 2014.
Norman: PwC fails to point out that this only applies to the SOX assessment of internal control over financial reporting for organizations subject to that compliance requirement. There is no requirement to adopt COSO 2013 for any other business objective.
Q: Are there new/updated requirements for effectiveness?
A: While the fundamental requirements haven’t changed, there’s greater clarity around what management should assess in determining effectiveness. The requirements are that:
- Each of the five components and relevant principles are present and functioning
- The five components are working together in an integrated manner
Norman: I find it unforgivable that PwC omits the first and most significant requirement: internal control is effective when it provides reasonable assurance that risk to objectives is at acceptable levels. Unforgivable because this is the primary and overriding way to assess internal control; it comes ahead of the requirements relating to components and relevant principles in the COSO section on Effectiveness; and PwC really should get this right, as they wrote the COSO 2013 update! (By the way, I give PwC kudos for pointing out that the “fundamental requirements have not changed”.)
Q: Isn’t this just a mapping exercise? Can’t you just use the template?
A: The mapping of controls based on the 1992 Original Framework to the updated 2013 Updated Framework is a key part of the transition. Many companies seem to think it’s just a mapping exercise and that there’s little they need to do to apply the update. We’ve heard of other organizations who think that because they had a clean certification last year, there won’t be any challenges this year. However, once they start this mapping, many companies are finding that updates are needed to their system of internal control. The mapping templates help draw this out, and management should expect some level of added effort to the update.
Norman: There is no requirement to map your controls from last year to the Principles. This is a creation of consultants.
The requirement is to demonstrate that the Principles are present and functioning, which will serve to demonstrate that the components are present and functioning and working together in an integrated manner.
I give credit to Deloitte for including this distinction in their firm’s internal training (according to the lady who runs it for them). Companies don’t need to take all their existing controls and map them to the new Principles. Instead, they need to identify the controls that satisfy the Principles.
I again give credit to Deloitte for training their people that there is no need to identify controls for every Point of Focus. The latter are provided to assist in addressing the Principles.
The other major problem, and this applies to every piece of guidance I have seen on COSO 2013, is the failure to note that the requirement to assess internal control over financial reporting using a top-down and risk-based approach has not changed. This is mandated in Auditing Standard No. 5 (which has not been changed), included in the SEC’s Interpretive Guidance (which has not been changed), and strongly reinforced in the PCAOB’s Staff Audit Practice Alert No. 11 of October 2013 (published after the release of COSO 2013).
The assessment of the Principles should be based on whether any gap represents what COSO calls a major deficiency: one which represents a significant risk to the achievement of the objective of reliable financial reporting to the SEC. Absent such a major deficiency, which basically translates to a material weakness, the Principles can be assessed as present and functioning. I have confirmed this with COSO and several audit firm partners.
Finally, the mapping templates can be and generally are misused. When consideration of risk is not included, these templates are just checklists. This is why many organizations are warning against the checklist approach to COSO 2013 adopted by firms and registrants alike.
I like how PCAOB Board Member Jeanette Franzel advised organizations to avoid the checklist approach and use the 2013 Update as an opportunity to revisit the system of internal control’s design, effectiveness, and efficiency.
I have talked to a number of PwC partners about the COSO 2013 update and its effect on SOX. They “get it” so this failure to talk about providing reasonable assurance that risk to objectives is at acceptable levels is not pervasive across PwC. I hope it is limited to this guidance.
These partners know that the assessment of effective internal control over financial reporting is still based on whether there are no material weaknesses. Translating this into COSO language: the objective is to file financial statements that are free of defect; the acceptable level of risk is that they do not contain any material errors or omissions; if there are no material weaknesses, then it should be possible to show that the principles are free of major deficiency and thus present and functioning.
I welcome your comments.
By the way, this is addressed in more detail in the guidance to management on SOX published by the IIA (written by me).