Going crazy with COSO 2013 for SOX
For some reason, I only just saw a new PwC publication, Present and functioning: Fine-tuning your ICFR using the COSO update, dated November 2014.
PwC provided the project team for the COSO 2013 update of the Internal Control – Integrated Framework, so their advice and insight should merit our attention.
The trouble is that it is very easy to go overboard and do much more work than is necessary to update your SOX program for COSO 2013.
I fear that PwC may help people go crazy, rather than perform the few additional procedures necessary. I respect those who have said, rightly in my view, that if you were able to comply with the requirements of COSO 1992 (the original version) and either the SEC guidance (in their Interpretive Guidance) or PCAOB Standard Number 5, you should already be in compliance with COSO 2013.
The key is to be able to demonstrate that.
We need to remember these facts:
- Neither the SEC nor the PCAOB has updated regulatory guidance for management or the external auditor since the release of COSO 2013. That guidance (reinforced by the PCAOB October 2013 Staff Practice Report) mandates a top-down and risk-based approach. It requires a focus on the potential for a material error or omission in the financial statements filed with the SEC.
- COSO 2013 says that internal control is effective when it reduces the risk to the achievement of objectives to acceptable levels. For SOX, that means that there are no material weaknesses.
- COSO 2013 also says that a principle can be deemed present and functioning if there are no “major deficiencies” that represent a significant level of risk to the achievement of the objective – in other words, there are no material weaknesses due to a failure of elements relating to a principle.
Now let’s have a look at what PwC has to say.
“With the COSO’s 1992 Control Framework being superseded by the 2013 updated edition on December 15, 2014, now is the time for companies to use the updated framework to evaluate the effectiveness of their systems of internal control over financial reporting.”
I agree with this statement. This is a great opportunity to ensure an effective and efficient program is in place.
“The updated framework formalizes 17 principles that stipulate more granular evaluative criteria to help a company’s management assess the design and operating effectiveness of its ICFR.”
They forget to say that COSO informs us that internal control is effective if it reduces risk to the achievement of objectives to acceptable levels. They also forget to remind us that the SOX assessment must be top-down, risk-based, and focused on the potential for a material error or omission.
“We don’t believe that implementation of the 2013 framework affects management’s existing control activities… assuming that a company’s control activities have been assessed as effective, reevaluating them according to the 2013 framework is not necessary.”
While there is an element of truth to this, organizations should not be assessing control activities in isolation – they should be assessing whether the combination of controls provides reasonable assurance that there are no material errors or omissions. Focusing on one component by itself is insufficient and, I believe, incorrect.
In addition, the selection of controls for reliance should always be re-evaluated as the business is likely to have changed, including materiality, significant accounts and locations, and so on.
“We believe the most immediate value of applying the 2013 framework lies in the opportunity it provides for taking a fresh look at indirect entity-level controls.”
Again, the SOX scoping should be focused on the combination of controls that provides reasonable assurance. In addition, some principles (such as the hiring and training of employees, or the provision of training and obtaining certification of employees in the code of conduct) are performed at the activity level. COSO tells us that activities in each of the COSO components may exist at any level of the organization. So, we need to recognize that indirect controls may operate at the entity (corporate) level, activity level, or any level in between (such as at the business unit or regional level).
That said, the principles do offer us a new opportunity to determine which of these indirect controls need to be included in scope because a failure would represent an unacceptable level of risk – because they raise to an unacceptable level the likelihood that one or more of the key direct controls relied on to prevent or detect a material error or omission might fail.
But it all has to be within the context that we are focusing the scope, and the SOX program as a whole, on the risk of a material error or omission!
“…fine-tune the design and related documentation of indirect ELCs [entity-level controls] through mapping them to principles.”
Many have misguided organizations, telling them to “map their controls to the principles”. The proper guidance is to “identify the controls you are relying on to provide reasonable assurance that the principles are present and functioning”. Again, we need to remember that the principles can be deemed present and functioning if a failure would not represent a material weakness.
It is correct to say that if you have indirect controls (at entity or another level) that are not required to provide that reasonable assurance, they do not need to be included in scope for SOX.
“…we have noted the following areas in which management’s assessment has indicated room for optimization or improvement in control documentation.”
I suspect that the issue is not limited to control documentation! There is always room for improvement and it is useful to see what PwC has identified.
“Leading companies are formalizing or clarifying and incorporating into their evaluations of ICFR certain indirect ELCs that support existing human resources policies. Such controls usually consist of approvals of new hires and employee transfers (including background checks and assessments of requisite skills and experience when appropriate), requirements for professional certifications and training (e.g., in new and complex accounting standards), succession planning and retention of competent employees, and periodic reviews of employee performance to assess requisite skill levels and conduct. Compensation programs aligned with expected performance, competencies, and behaviors are also important to support ICFR objectives.”
If you believe that any organization’s HR policies and practices provide the assurance you need that every single key control is performed by individuals with the appropriate experience, knowledge, training, and so on, I have a bridge to sell you!
While it is very important to have excellence in hiring, training, supervision, career development, promotion and so on, I do not believe that for SOX it is productive to spend much time on controls in this area.
I very much prefer to assess the capabilities and competence of each control owner as part of the evaluation of the design and operation of each individual key control.
“In many organizations, the evaluation of fraud risks related to financial reporting is integrated into the overall assessment of financial-reporting risks… In identifying and evaluating those risks, management investigates incentives, pressures, opportunities, attitudes, and rationalizations that might exist throughout the company in different departments and among various personnel.”
The first statement is (I hope) true, although I personally perform a separate assessment of fraud risk (focused on the risk of a material error or omission due to fraud) and generally find that those risks are addressed by the controls already identified for mistakes.
PwC talks about ‘scenarios’, while I talk about ‘fraud schemes’. In each case, we are talking about ‘how’ the fraud would be committed – an essential step in understanding the true nature of the risk and the controls that would prevent or detect it, if material.
However, going crazy about the fraud triangle is not recommended. We should focus on how we can provide reasonable assurance that a material error or omission due to fraud might be prevented or detected, and remember that the number of people with the ability to commit such a fraud is limited. More than 80% of reported material frauds have been perpetrated by the CEO and CFO acting together, not individuals “throughout the company in different departments and among various personnel.” Rationalization, for example, is an intensely personal action and not something that can be detected by looking broadly at even a segment of the workforce.
“Companies taking a thoughtful approach in transitioning to the 2013 framework—rather than viewing it as a mere compliance exercise—are finding value in the identification of opportunities to strengthen their ICFR.”
We are back on solid ground.
The focus has to remain solidly grounded on identifying and then testing the design and operation of the controls relied upon to prevent or detect a material error or omission. A top-down and risk-based approach is mandated.
Going beyond this may have value in improving operations and the achievement of other (than SOX) business objectives.
But let’s not go crazy!
I welcome your comments and, especially, your experiences with COSO 2013 and your external auditors.
By the way, I think it is well past time for COSO to issue a statement or other guidance to set people straight on the COSO 2013 principles when it comes to SOX. They need to explain that the primary evaluation criterion for effective internal control is whether there is reasonable assurance that risk to the achievement of principles is at an acceptable level. Then they need to explain that the principles offer more granular guidance that can be used in assessing that risk and whether it is acceptable, but that assessing the principles without the context of risk is a misunderstanding of COSO 2013.
Do you agree?