*** Note: the following represents my views and not necessarily the official position of The IIA (although I believe they will be supported by leaders of COSO).
I am starting to hear that people are adding a fair number of key controls to the existing scope of their Sarbanes-Oxley program. This should sound the alarm, as most of us had spent a fair amount of time over the last few years streamlining the program.
Why is this happening?
People are moving from a SOX program that is risk-based, designed to address identified financial reporting risks, to one that is designed to address the 17 principles in the 2013 update of the COSO Internal Control–Integrated Framework.
They are taking each of the principles and ensuring they have key controls for each and every one of them — often more than one key control for each principle.
In principle (pun intended), there is nothing wrong with ensuring that they have adequately addressed each of the 17 principles.
But what is "adequate"? How many key controls do you need and when do you have enough? Should the program be designed primarily to address the 17 principles, or primarily to address financial reporting risk — with the principles a guide along the way?
As the regulators have said and included in their guidance and standards, the SOX assessment of internal control over financial reporting should be risk-based and top-down. That has not changed. The SEC guidance and PCAOB standards have not been changed. They remain risk-based.
The regulators correctly say that the SOX program should be designed to identify any deficiencies in internal control over financial reporting that are material: representing at least a reasonable possibility that an error would be made in the financial statements filed with the SEC that would be material in the eyes of the reasonable investor.
Does that mean we can ignore the principles?
The regulations require that companies use a recognized internal controls framework for their assessment of internal control over financial reporting. The updated COSO framework is the only specifically recognized framework, although in principle (smile) an organization could use the Canadian CoCo or U.K. Cadbury framework.
In practice, you must use the updated COSO framework, and that means that in addition to assessing whether the risk of a material error in the financials is at an acceptable level (see the COSO 2013 section on effective internal control), you have to assess whether each of the 17 principles is present and functioning.
What does that mean in the context of SOX?
The regulations say that you can assess the system of internal control over financial reporting as effective if there are no material weaknesses.
In the same way, present and functioning for SOX means that there are no material weaknesses in the system of internal control over financial reporting caused by a failure relating to any of the 17 principles.
We need key controls to address the 17 principles only to the extent that they provide reasonable assurance that there are no failures relating to the principles that would result in a material weakness. For example, Principle 4 is "Demonstrates commitment to competence." You need key controls that relate to the competence of those involved in the reliable performance of your SOX key controls, but the SOX scope need not include controls over the hiring and retention of individuals in other parts of the business. Principle 1 is "Demonstrates commitment to integrity and ethical values." This is clearly important, but it should be seen within the context of your fraud risk assessment. It may well be more effective and efficient to focus on this principle in relation to those fraud risks that could be material (the only ones you need to assess for SOX) than to take a broad view.
My guidance is to determine what you need in terms of key controls to reach a level of reasonable assurance that there are no material weaknesses. We are not talking about perfect, but reasonable assurance.
A test I recommend to ensure you don't have too many key controls is this: if this key control failed, would it represent a material weakness?
If not, then on a de facto basis it is not a key control: it is not relied upon to provide reasonable assurance that the financial statements are free from material error.
My book on SOX, Management's Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization, published by The IIA and available in both hard cover and as a download, covers the topic of addressing COSO 2013 in more detail.
You might also be interested in a short IIA video on Considering COSO 2013 From a Risk Perspective.
I welcome your views and commentary.
- How many key controls are you adding because of COSO 2013?
- Are you adding too many or not enough?