
Going crazy with COSO 2013 for SOX

February 18, 2015

For some reason, I only just saw a new PwC publication, Present and functioning: Fine-tuning your ICFR using the COSO update, dated November 2014.

PwC provided the project team for the COSO 2013 update of the Internal Control – Integrated Framework, so their advice and insight should merit our attention.

The trouble is that it is very easy to go overboard and do much more work than is necessary to update your SOX program for COSO 2013.

I fear that PwC may help people go crazy, rather than perform the few additional procedures necessary. I respect those who have said, rightly in my view, that if you were able to comply with the requirements of COSO 1992 (the original version) and either the SEC guidance (in their Interpretive Guidance) or PCAOB Standard Number 5, you should already be in compliance with COSO 2013.

The key is to be able to demonstrate that.

We need to remember these facts:

  1. Neither the SEC nor the PCAOB has updated regulatory guidance for management or the external auditor since the release of COSO 2013. That guidance (reinforced by the PCAOB October 2013 Staff Practice Report) mandates a top-down and risk-based approach. It requires a focus on the potential for a material error or omission in the financial statements filed with the SEC.
  2. COSO 2013 says that internal control is effective when it reduces the risk to the achievement of objectives to acceptable levels. For SOX, that means that there are no material weaknesses.
  3. COSO 2013 also says that a principle can be deemed present and functioning if there are no “major deficiencies” that represent a significant level of risk to the achievement of the objective – in other words, there are no material weaknesses due to a failure of elements relating to a principle.

Now let’s have a look at what PwC has to say.

“With the COSO’s 1992 Control Framework being superseded by the 2013 updated edition on December 15, 2014, now is the time for companies to use the updated framework to evaluate the effectiveness of their systems of internal control over financial reporting.”

I agree with this statement. This is a great opportunity to ensure an effective and efficient program is in place.

“The updated framework formalizes 17 principles that stipulate more granular evaluative criteria to help a company’s management assess the design and operating effectiveness of its ICFR.”

They forget to say that COSO informs us that internal control is effective if it reduces risk to the achievement of objectives to acceptable levels. They also forget to remind us that the SOX assessment must be top-down, risk-based, and focused on the potential for a material error or omission.

“We don’t believe that implementation of the 2013 framework affects management’s existing control activities…. assuming that a company’s control activities have been assessed as effective, reevaluating them according to the 2013 framework is not necessary.”

While there is an element of truth to this, organizations should not be assessing control activities in isolation – they should be assessing whether the combination of controls provides reasonable assurance that there are no material errors or omissions. Focusing on one component by itself is insufficient and, I believe, incorrect.

In addition, the selection of controls for reliance should always be re-evaluated as the business is likely to have changed, including materiality, significant accounts and locations, and so on.

“We believe the most immediate value of applying the 2013 framework lies in the opportunity it provides for taking a fresh look at indirect entity-level controls.”

Again, the SOX scoping should be focused on the combination of controls that provides reasonable assurance. In addition, some principles (such as the hiring and training of employees, or the provision of training and obtaining certification of employees in the code of conduct) are performed at the activity level. COSO tells us that activities in each of the COSO components may exist at any level of the organization. So, we need to recognize that indirect controls may operate at the entity (corporate) level, activity level, or any level in between (such as at the business unit or regional level).

Having said which, the principles do offer us a new opportunity to determine which of these indirect controls need to be included in scope: those whose failure would represent an unacceptable level of risk, because it would raise to an unacceptable level the likelihood that one or more key direct controls relied on to prevent or detect a material error or omission might fail.

But, it all has to be within the context that we are focusing the scope, and the SOX program as a whole, on the risk of a material error or omission!

“…fine-tune the design and related documentation of indirect ELCs [entity-level controls] through mapping them to principles.”

Many have misguided organizations, telling them to “map their controls to the principles”. The proper guidance is to “identify the controls you are relying on to provide reasonable assurance that the principles are present and functioning”. Again, we need to remember that the principles can be deemed present and functioning if a failure would not represent a material weakness.

It is correct to say that if you have indirect controls (at entity or another level) that are not required to provide that reasonable assurance, they do not need to be included in scope for SOX.

“…we have noted the following areas in which management’s assessment has indicated room for optimization or improvement in control documentation.”

I suspect that the issue is not limited to control documentation! There is always room for improvement and it is useful to see what PwC has identified.

“Leading companies are formalizing or clarifying and incorporating into their evaluations of ICFR certain indirect ELCs that support existing human resources policies. Such controls usually consist of approvals of new hires and employee transfers (including background checks and assessments of requisite skills and experience when appropriate), requirements for professional certifications and training (e.g., in new and complex accounting standards), succession planning and retention of competent employees, and periodic reviews of employee performance to assess requisite skill levels and conduct. Compensation programs aligned with expected performance, competencies, and behaviors are also important to support ICFR objectives.”

If you believe that any organization’s HR policies and practices provide the assurance you need that every single key control is performed by individuals with the appropriate experience, knowledge, training, and so on, I have a bridge to sell you!

While it is very important to have excellence in hiring, training, supervision, career development, promotion and so on, I do not believe that for SOX it is productive to spend much time on controls in this area.

I very much prefer to assess the capabilities and competence of each control owner as part of the evaluation of the design and operation of each individual key control.

“In many organizations, the evaluation of fraud risks related to financial reporting is integrated into the overall assessment of financial-reporting risks… In identifying and evaluating those risks, management investigates incentives, pressures, opportunities, attitudes, and rationalizations that might exist throughout the company in different departments and among various personnel.”

The first statement is (I hope) true, although I personally perform a separate assessment of fraud risk (focused on the risk of a material error or omission due to fraud) and generally find that they are addressed by the controls already identified for mistakes.

PwC talks about ‘scenarios’, while I talk about ‘fraud schemes’. In each case, we are talking about ‘how’ the fraud would be committed – an essential step in understanding the true nature of the risk and the controls that would prevent or detect it, if material.

However, going crazy about the fraud triangle is not recommended. We should focus on how we can provide reasonable assurance that a material error or omission due to fraud might be prevented or detected, and remember that the number of people with the ability to commit such a fraud is limited. More than 80% of reported material frauds have been perpetrated by the CEO and CFO acting together, not individuals “throughout the company in different departments and among various personnel.” Rationalization, for example, is an intensely personal action and not something that can be detected by looking broadly at even a segment of the workforce.

“Companies taking a thoughtful approach in transitioning to the 2013 framework—rather than viewing it as a mere compliance exercise—are finding value in the identification of opportunities to strengthen their ICFR.”

We are back on solid ground.

The focus has to remain solidly grounded on identifying and then testing the design and operation of the controls relied upon to prevent or detect a material error or omission. A top-down and risk-based approach is mandated.

Going beyond this may have value in improving operations and the achievement of other (than SOX) business objectives.

But let’s not go crazy!

I welcome your comments and, especially, your experiences with COSO 2013 and your external auditors.

By the way, I think it is well past time for COSO to issue a statement or other guidance to set people straight on the COSO 2013 principles when it comes to SOX. They need to explain that the primary evaluation criterion for effective internal control is whether there is reasonable assurance that risk to the achievement of objectives is at an acceptable level. Then they need to explain that the principles offer more granular guidance that can be used in assessing that risk and whether it is acceptable, but that assessing the principles without the context of risk is misunderstanding COSO 2013.

Do you agree?


  1. L DiPaola
    February 18, 2015 at 11:43 AM

    “While it is very important to have excellence in hiring, training, supervision, career development, promotion and so on, I do not believe that for SOX it is productive to spend much time on controls in this area.” I think a lot of companies have felt the same way, which is perhaps why COSO 2013 emphasizes these points. Entity-level controls set the “tone at the top”, the compliance climate of the company, upon which all the other controls are based. Personally, as a stockholder, I would get a certain amount of comfort in knowing that the company is not run, and the financial statements are not produced, by people whose only expertise and experience is sweeping floors! While I do not spend a lot of time testing controls in this area either, I certainly see the value of them as quality control.

    • Norman Marks
      February 18, 2015 at 12:03 PM

      They are important for business purposes, but would you rely on them for SOX? Do they provide sufficient assurance for you that everyone who performs a control has the specific training and experience for that specific control?

      The HR processes will help, but only help, make sure you hire people who can do more than sweep the floor. But not every CPA is expert on the business to the extent that he/she can perform a flux review and understand the trends.

      • L DiPaola
        February 18, 2015 at 12:30 PM

        I think the absence of them would speak volumes – think about your overall impression of a company you are auditing that does not have these in place, or has these values or commitment to quality. Good discussion; thanks!

        • Norman Marks
          February 18, 2015 at 1:02 PM

          That’s not the point. We need to identify the controls we rely on to provide reasonable assurance that there are no material errors or omissions.

  2. Cathy Young
    February 18, 2015 at 5:13 PM

    I do agree but you have not commented on the most frustrating part, the points of focus. COSO clearly states that you do not need to include/comply with each point of focus. This was part of the re-write from the initial draft yet most firms are requiring their clients to demonstrate that they have controls which “map” to each point of focus or document why that point of focus is not relevant. This is crazy and completely misses the point of having a risk based approach to controls which lowers the risk of a material misstatement to an acceptable level. My guess is the firms are worried about their PCAOB audit and are trying to make sure they have adequate documentation.

    • Norman Marks
      February 18, 2015 at 5:16 PM

      Cathy, you are 100% correct. Have you talked to your firm’s partner about this?

    • Tina
      February 19, 2015 at 9:56 AM

      We also went through the pain of mapping controls to every point of focus – as requested by the external auditors, even though COSO clearly stated that this was not required.

    • Paul
      February 20, 2015 at 6:15 AM

      Agree, in many respects the requirement for “mapping” reflects more of an audit program checklist than an expectation of management doubting itself and double-checking that what is in place and being carried out is really real.

  3. Tina
    February 19, 2015 at 7:01 AM

    Mark, I appreciate your insight and agree with you. However, the external auditors are not on the same page at all. We have a very lean control design for SOX as we take the “top-down, risk-based approach” very seriously. So, of course for COSO, we took the same approach. We looked at each of the 17 principles and evaluated the risk of them causing a material misstatement. For those with higher risk, we made sure there were controls in place. For the most part, all our needed controls were in place; we just had to beef up our documentation (as we expected). However, when the externals got their hands on it, they demanded that each of the principles have controls “mapped” to them. We tried to overlap as much as possible to keep from having to add controls that we really didn’t feel needed to be in the design and argued the “reasonable assurance” angle as much as possible. You know the saying “pick your battles?” Well, in the end, this wasn’t one we chose to fight as hard, hoping to streamline it in the future. I do believe, especially now after some more recent information from our external, that the firms are VERY concerned with their PCAOB audits and are going crazy (as you say) themselves.

  4. Norman Marks
    February 19, 2015 at 9:58 AM

    Did anybody challenge the auditors to “show me” where this is required?

    • Tina
      February 19, 2015 at 1:56 PM

      Yes. The conversation was awkward and tense. They had just completed some internal training on the subject and their understanding was that all principles had to be supported with controls. We talked about our approach and why that wasn’t necessary but it didn’t get any traction with them. I hate to say it but eventually we gave up. We’re fighting a whole new battle now regarding completeness and accuracy and what they fear from a PCAOB audit.

      • Norman Marks
        February 19, 2015 at 2:31 PM

        Which firm, Tina?

        • Tina
          February 20, 2015 at 11:25 AM


      • Norman Marks
        February 19, 2015 at 2:32 PM

        By the way, I think you do need at least one control for each principle. But when the risk is low, you can limit your testing.

        • Tina
          February 20, 2015 at 11:42 AM

          Hmm… you made me really think back with that comment (we completed what we were hoping was the final product in July). I looked back at those beginning workpapers and remembered exactly how we approached that. About half of the principles were designated as high risk, the rest low. There were controls for every principle (my apologies for my earlier comment being slightly misleading). However, our testing approach was to rely on inquiry and management’s assertions on the low risk controls. To support that, we created a “mgmt survey” to be completed by a primary and secondary “evaluator” stating if the principle was present and functioning and adding comments to support.

          • Norman Marks
            February 20, 2015 at 11:50 AM

            That should be fine. AS5 allows us to rely on self-assessment when the risk is low. Did KPMG disagree?

            • Tina
              February 23, 2015 at 8:01 AM

              Absolutely, they wanted controls tested for all principles. They also wanted some controls added when they didn’t feel our current ones addressed all the points of focus. And yes, we had the point of focus discussion as well. Like I said before, in the end we gave up. But we did manage to leverage as much as possible with the original controls we had selected to test. We “mapped” them to as many principles as they could possibly cover, effectively reducing the number of controls added to testing while keeping KPMG happy.

  5. David Doney
    April 5, 2015 at 10:00 AM

    We mapped the indirect entity level controls and a few high-level management review controls (about 40 total) to the points of focus (POF). However, we mapped the transactional / process controls (200+) to one of the three control activities principles. For example, all of the IT general controls were mapped to one principle.

    I interpret COSO as mainly an indirect entity-level framework; it is not the right “tool” for transactional processes (e.g., deciding whether you meet the validity/existence assertion for payables.) So investing much time in transaction-level control mapping to POF doesn’t make much sense.

    We use a relational database, so we created electronic pages for each of the points of focus and pointed the indirect entity level control pages to the POF pages. It probably took me about 3-4 weeks on my own studying the guidance, mapping the indirect controls to the POF, mapping the transactional controls to the principles, writing up a report on the gaps, and summarizing the work for the Audit Committee. We’re a private company, so we didn’t have to do the testing, so I just based my report on a design assessment. Our external auditor (a big 4 firm) seems happy with the results.

    I think COSO has raised the bar on risk assessment, so I primarily used the new guidance to help convince our leadership to implement a basic ERM program, which it has done. I didn’t try to use the framework to drive other types of behavior, but this was a nice win for the Company.

  6. September 18, 2015 at 10:54 AM

    Does anyone have a template that I can use for the new COSO 2013 transition?

  7. Norman Marks
    September 18, 2015 at 11:10 AM

    Erum, COSO provides a template in their toolset, as do the CPA firms – but it is a checklist and does not help you with the application of judgment and consideration of risk. I believe the chapters in my SOX book are more helpful.
