With all the white papers, webinars, guidance, and consultants ready to assist, why did some companies still fail to gain value from the 2014 transition to The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 Internal Control–Integrated Framework?
First, far too many companies appear to have treated it as another “check the box” exercise required for U.S. Sarbanes-Oxley Act of 2002 Section 404 compliance. The level of effort to remedy identified gaps to the framework was in line with the typical response to Sarbanes-Oxley — do the minimum to get by and justify coverage of a principle. But this meant that many did not consider the real purpose of the principles in the new framework. For these organizations, the transition generally produced a high number of deficiencies and a heavier remediation effort, driving up the cost of compliance.
Next, the timing of COSO 2013 was unfortunate, coming at a time when the focus on documentation detail was increasing significantly because of the somewhat negative findings in the U.S. Public Company Accounting Oversight Board (PCAOB) inspection reports of external auditors. Sarbanes-Oxley requirements were already increasing with a focus on management review controls and information produced by each entity; the COSO 2013 transition just added another item to companies’ already full plates.
Finally, guidance from some external auditors that the transition wasn’t required in 2014 created confusion in the marketplace. COSO itself stated that it no longer supports the 1992 framework. As reported by Audit Analytics, a strong majority of organizations adopted the revised framework on time, with a handful of early adopters. Sarbanes-Oxley Section 404(b) reporting through April 28, 2015, identified an adoption rate of 83 percent. But that means that 17 percent of organizations did not make the transition, a strong indicator that the guidance was unclear. The mixed signals likely caused organizations to take a tempered approach to the transition, focusing primarily on the points their auditors considered significant.
There is still time in 2015 to make up for last year’s missed opportunities. COSO 2013 is an opportunity for management to take a fresh look at internal controls and for organizations to dig deeper and consider a broader range of information when evaluating the internal control structure.
Two key lessons often prove to be of value to organizations implementing COSO 2013. First, many companies did not have a formal fraud risk assessment process, and, second, many had not considered the implications of service organizations to the extent required by COSO 2013. Sufficiently addressing these areas to fully meet the principles can provide value beyond Sarbanes-Oxley compliance.
Conduct a substantive fraud risk assessment. In the past, many organizations folded fraud risk into the evaluation of other controls. Today, per COSO, the adequacy of anti-fraud controls is specifically assessed as part of the evaluation of the control activities related to identified fraud risks. Companies that identify a gap related to the fraud risk assessment and work to implement a robust assessment gain an increased focus on the potential fraud scenarios specific to their organizations. Many companies have implemented new processes, including facilitated sessions with management, that allow executives to consider fraud in new ways. The fraud risk assessment has also raised management’s awareness of opportunities for fraud outside its own areas of responsibility.
Take a broader view of outsourced processes. The blurred line of responsibility between an entity’s internal control system and that of an outsourced provider creates a need for more rigorous controls over communication between parties. Previously, many companies looked to contracts, service-level agreements, and service organization reports as their approach to managing service organizations. However, those who fully consider the COSO framework in this area realize there may be additional gaps. Specifically, they need to focus on the service providers’ processes and tone at the top. Implementing these additional areas of focus can increase visibility into the vendor’s performance and internal control structure.
As guidance from the PCAOB and external auditors evolves and the new “normal” for Sarbanes-Oxley Section 404 compliance is established, it is clear that COSO 2013 is the path forward. Those now implementing the framework, or those who simply checked the box in 2014, should consider the value of placing additional focus on select areas. For those who direct their efforts to the right areas, the cost of compliance will be offset by the value gained from increased management control awareness.