As organizations map their existing controls to the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) updated Internal Control–Integrated Framework, it is becoming clear that some areas will see little change, while other areas will see opportunities to increase the effectiveness and efficiency of their controls. Although some organizations have already identified an existing population of internal controls and now need only map them, others (such as an IPO or newly public company first implementing the U.S. Sarbanes-Oxley Act of 2002) may need to both identify controls and then map them to the framework principles.
Since 1992, COSO has helped organizations design, operate, and evaluate the effectiveness of their systems of internal control over financial reporting (ICFR) and achieve reasonable assurance that their risk of material misstatement has been reduced to an acceptable level.
Organizations transitioning to the 2013 framework, which was designed to reflect changes in the business environment, have found that the core concepts for effective ICFR are little changed from those in the original. Instead, 17 principles of effective internal control that were previously implied have been formalized, providing organizations with more granular criteria to evaluate ICFR design and operating effectiveness.
Implementation of the 2013 framework does not affect management’s existing control activities, an area that typically represents 85 percent to 95 percent of a company’s ICFR in the form of transaction-level controls and review controls in business processes (which are intended to have a direct effect on the likelihood that a misstatement will be prevented/detected/corrected timely). The 2013 framework prescribes no specific control activities, and the formalization of the three principles related to control activities does not change the requirements regarding their design and operation. Therefore, assuming that an organization’s control activities have been assessed as effective under the original framework, reevaluating them according to the 2013 framework is unnecessary.
Instead, the most immediate value of applying the 2013 framework lies in the opportunity for taking a fresh look at indirect entity-level controls (ELCs), which are controls that have both an important effect on ICFR and an indirect effect on the likelihood that a misstatement will be prevented/detected/corrected timely. These controls are important for support of the principles in the “softer” components of internal control: control environment, risk assessment, information and communication, and monitoring activities.
Opportunities exist to fine-tune the design and related documentation of indirect ELCs by mapping them to principles within those softer components, and to address the challenges of evaluating the design and operation of those controls.
Management assessments have indicated room for optimization or improvement in control documentation under several COSO principles. The observations below are directed largely at effective ICFR under COSO 2013, but they can also apply beyond Sarbanes-Oxley and ICFR.
Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Leading organizations are formalizing or clarifying certain indirect ELCs that support existing human resources policies and incorporating them into their ICFR evaluations. Such controls usually consist of approvals of new hires and employee transfers (including background checks and assessments of requisite skills and experience, when appropriate), requirements for professional certifications and training, succession planning and retention of competent employees, and periodic reviews of employee performance to assess requisite skill levels and conduct. Compensation programs aligned with expected performance, competencies, and behaviors are also important to support ICFR objectives.
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
In many organizations, the evaluation of fraud risks related to financial reporting is integrated into the overall assessment of financial-reporting risks. Leading organizations establish accountability for indirect ELCs that assess fraud risk scenarios relevant to the organization, its industry sector, and its geographic regions. Fraud risk scenarios might include material bias in the development of complex accounting estimates, the overriding of controls in stuffing inventory into distribution channels to manipulate revenue recognition, and U.S. Foreign Corrupt Practices Act (FCPA) noncompliance. In identifying and evaluating those risks, management investigates incentives, pressures, opportunities, attitudes, and rationalizations that might exist within the organization. This undertaking equips management to determine appropriate mitigating actions to reduce to acceptable levels any risks of material misstatement due to fraud.
Fraud risk assessment should benefit from the active involvement of knowledgeable managers at the right levels throughout the organization, such as by conducting workshops and brainstorming sessions designed to identify and assess risks of material misstatement due to fraud. Fraud risk assessments should be updated periodically by considering external and internal changes during the reporting period that could affect previous conclusions. Reasonable supporting documentation of this risk assessment is retained, along with documentation detailing the audit committee’s involvement and oversight.
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
Responsibilities for identifying, evaluating, and responding to business changes that are likely to have a material impact on financial reporting are usually spread across the organization. Leading organizations establish accountability for indirect ELCs designed to identify and assess changes during the current reporting period that could affect the organization’s previous assessment of the risks of material misstatement. Such changes include new accounting standards; new business transactions, events, or conditions (or changes in existing ones); and important changes in business processes, information systems and communications, and personnel that support key control activities. Those controls focus on measuring the impact of such changes on previously assessed risks of material misstatement. The identification and assessment process enables management to determine the mitigating actions necessary to reduce to acceptable levels the risks posed by such changes, primarily through alterations in the design and operation of control activities. Those who possess the necessary skills and experience — both in the business and in financial reporting and ICFR — review financial reporting risk assessments periodically.
Principle 13: The organization obtains/generates and uses relevant, quality information to support the functioning of internal control.
Because control activities depend on having reliable information, organizations must assess changes in business processes and information systems to ensure that the information used in operating those controls remains reliable. The 2013 framework does not require organizations to do anything differently from before. For example, companies use IT change controls over system development and application controls in automated information systems to confirm whether packaged and customized system-generated reports contain reliable information for application in control activities. Control activities also must be in place to obtain reliable information from queries of automated information systems, end-user spreadsheet applications, and external and internal sources when IT general controls and application controls cannot be used.
Leading organizations can use the COSO principles to deliver more clarity in the design of indirect ELCs that support principles within the softer components of internal control, and thereby possibly attain greater assurance in their ICFR. There are several challenging aspects of determining what’s important to demonstrate that a principle is present and functioning throughout the company in an ICFR context.
Programs vs. controls
It can be difficult to distinguish programs, processes, and practices — which ordinarily describe ongoing tasks and activities — from controls, which are meant to establish or implement a policy or procedure for providing reasonable support that a principle is present and functioning. More specifically, the deployment of indirect ELCs is important for demonstrating that principles in the softer components of internal control are present and functioning. For example, an organization might have a required accounting training program to support Principle 4, whereas an indirect ELC can determine whether designated personnel completed the training program and ensure that appropriate follow-up actions are taken. Inadequately distinguishing between the two could result in less effective controls supporting management’s assessment of ICFR or unnecessary evaluations of programs, processes, and practices.
Despite the importance of focusing on ELCs that enable management to demonstrate that a principle is present and functioning in an ICFR context, organizations aren’t always able to distinguish between entity-level controls that support ICFR and those with non-ICFR objectives. Only an ELC that is designed to support both ICFR and non-ICFR objectives is considered. For example, if an indirect ELC supports the audit committee’s oversight of multiple organizationwide objectives (e.g., ICFR and other regulatory compliance reporting), it’s important that the control objectives and procedures specifically address how oversight is exercised over ICFR.
Also, an indirect ELC embedded in management’s risk assessment process could consider the organization’s enterprise risk assessment, so that management can identify changes in the business that might affect financial reporting and ICFR (Principle 9). If so, management’s risk assessment would assess only those business issues that introduce new — or affect previously assessed — risks of material misstatement.
Distinguishing indirect from direct ELCs
Organizations are becoming more adept at distinguishing between various types of entity-level controls. For example, direct entity-level controls such as business performance reviews are designed with a level of precision that can directly affect the likelihood that a material misstatement in the financial statements will be prevented/detected/corrected timely. For that reason, direct entity-level controls can be considered compensating controls in evaluating and reducing the severity of deficiencies in other control activities. Indirect entity-level controls have an important impact on the design and operation of control activities but are not designed to operate at a level of precision that can prevent or detect and timely correct a material misstatement in the financial statements.
Design effectiveness and indirect ELC testing vs. control activities
Organizations are not always certain what kind of evidence constitutes reasonable support for the design and operation of indirect ELCs. It’s important that design documentation clearly describes the objectives, procedures, qualified personnel responsible, and frequency of occurrence or triggers. Organizations are taking a fresh look at indirect ELCs to ascertain which are important for making effective, efficient determinations of whether a principle is present and functioning throughout the organization in an ICFR context. Many are reevaluating whether control objectives and procedures align closely with a principle in an ICFR context; whether qualified individuals are responsible for reevaluating control design throughout the organization, if necessary; and what condition, event, or schedule would trigger operation of the control.
Certain outputs of indirect ELCs, such as management’s review of the fraud risk assessment, might benefit from taking a fresh look at the operation of those controls. In addition, management is recognizing that the nature and extent of testing indirect ELCs for operating effectiveness are not the same as what’s necessary for testing control activities. This is because of the difference between the objectives of indirect ELCs and the objectives of control activities — including direct ELCs.
Evaluating controls at outsourced service providers
With some providers, organizations can find it challenging to obtain an understanding of those controls, evaluate them, and conduct adequate testing. To that end, organizations usually have indirect ELCs in place to:
- Inventory existing vendors and service-level arrangements (SLAs) that have a significant impact on the company’s ICFR.
- Evaluate and select vendors with competencies in financial reporting and ICFR, such as the ability to satisfy SLA-stipulated service requirements (e.g., code of conduct, IT and financial-reporting standards and guidance, and quality and timeliness of reporting and communication skills and experience). Vendor selection depends on completion of an initial assessment of financial-reporting risks and a determination of the responses necessary to mitigate such risks to acceptable levels — such as through contractual provisions that require a Service Organization Controls (SOC) 1 audit report on internal control or separate evaluations of controls at the service provider.
- Periodically evaluate the performance of service providers against criteria set out in service requirements relevant to ICFR, and update financial-reporting risk assessments and responses in reporting periods after the initial assessment.
- Review a SOC 1 report and determine whether any follow-up actions are necessary.
In addition, organizations have control activities (including direct ELCs) in place to verify the reliability of ICFR-relevant data that is sent to and received from service providers.
Identifying financial-reporting risks related to operations, nonfinancial reporting, and compliance
Management’s financial-reporting risk assessment and underlying indirect ELCs must consider the risks of material misstatements that might be attributed to control deficiencies in the organization’s operations, nonfinancial reporting, and compliance. Management might also have to evaluate non-ICFR controls that are supporting the generation of nonfinancial information used in control activities that support financial reporting and ICFR. For example, the results of a customer survey could be used to inform or support the development of accounting estimates underlying the organization’s accrued warranty costs.
Documenting management’s consideration of financial statement assertions
Management’s assessment of financial-reporting risks focuses on material accounts and disclosures in the organization’s financial statements. Management explicitly or implicitly makes assertions — such as regarding completeness, accuracy, or validity — about the significant accounts and disclosures. Therefore, management’s risk assessment typically includes assessments of financial-reporting risks for assertions that are relevant to material accounts and disclosures. Previous risk assessments provided the basis for designing and operating control activities, such as transaction-level controls and review controls, to mitigate such risks of material misstatement throughout the organization. When management updates those previous risk assessments for changes in the business, such as new accounting standards or new business transactions during the current reporting period, it continues to assess assertions relevant to material accounts and disclosures.
Mapping indirect ELCs to points of focus
The 2013 framework includes a series of points of focus that describe important characteristics of the principles. Those guidance points are intended to help management design, operate, and evaluate the effectiveness of its ICFR. Management may find the points of focus helpful in identifying or describing certain indirect ELCs that are important for demonstrating that a principle is present and functioning in the company’s ICFR.
Mapping indirect ELCs to multiple principles
Leading organizations recognize that important indirect ELCs can support multiple principles in an ICFR context. For example, an indirect ELC in the whistleblower hotline program can support both Principle 1 and Principle 14. Likewise, an indirect ELC related to internal communication between management and the audit committee about the organization’s financial-reporting policies and ICFR can support both Principle 2 and Principle 14.
Better ICFR — And Beyond
Organizations that have been taking a thoughtful approach in transitioning to the 2013 framework — rather than viewing it as a mere compliance exercise — are finding value in the identification of opportunities to strengthen their ICFR. Taking that approach one step further, companies may use their new knowledge, familiarity, and comfort with the principles to apply the 2013 framework to other suitable objectives beyond ICFR, such as complying with evolving environmental standards, managing technological change, and achieving consistent control across global organizations with multiple operating models and legal entity structures.