As I prepare for my next SOX Master Class, I have been thinking about the 17 COSO principles and the template (or checklist) that some seem to feel is necessary. How can I explain why it is wrong to map last year’s key controls to each of the new COSO Principles without first assessing whether a failure to achieve a principle would result in a financial reporting risk, potentially a source of material misstatement?
One of the people I have been debating with (via email) is an individual with significant influence at COSO and for whom I have great respect. I have known him for many years and he was a key outsource provider while I was CAE at a couple of companies.
We started our email chat when he read my last blog post, "How to Address the COSO Principles for Sarbanes-Oxley."
He tried to persuade me that because COSO says internal control is effective when all the relevant principles are present and functioning, mapping controls to the template (checklist) as a first step is appropriate. The mapping allows you to assess the principles.
I replied by pointing out that COSO says a principle may be considered to be present and functioning as long as there are no deficiencies that represent a major risk to the achievement of the objective.
I continued by saying that the COSO process is to identify the risks and only then identify the controls required to manage the risks at acceptable levels.
Assessing the principles before determining the risk is not consistent with COSO.
At this point, he made the excellent observation that the correct sequence is:
- Identify the objective.
- Identify and assess the risks to the achievement of the objective.
- Determine what controls are required to manage the risks at acceptable levels.
Let’s take these one by one.
When it comes to SOX, the objective is to file reports with the SEC that are free from material misstatement.
The guidance from both the SEC and PCAOB to use a top-down and risk-based approach helps us identify and assess risks to the objective, in other words our financial reporting risks.
The regulators’ guidance also helps us identify the controls we rely on to either prevent or detect a material misstatement.
The “acceptable level of risk” (whether you want to call it risk criteria or risk appetite) is that there is less than a reasonable possibility of a material misstatement.
So, SOX program managers should ensure that:
- They continue to follow a top-down and risk-based approach.
- Their prior-year risk assessment process is modified to include assessing the risks to financial reporting should there be a deficiency relating to any of the COSO principles.
- They do not identify controls to include in scope until they have determined that they are necessary to address a financial reporting risk.
- They work closely with their external auditors and agree on a process for transitioning to the 2013 update of COSO, including how risks are identified and assessed, that is acceptable both to the external auditors and management.
- They are not bullied by the external auditors to adopt a process that is not top-down and risk-based. In my earlier blog post, I referenced a speech by a member of the PCAOB Board that criticized a checklist approach to the principles. It may be necessary to remind the external auditors that Auditing Standard Number 5 and the October 2013 Staff Alert both emphasize the top-down and risk-based approach, that AS5 has not been modified, and that the Staff Alert was issued after COSO 2013 was published.
My friend is cautious and properly so. We are still waiting (at the end of April!) for the firms to tell us how they will address COSO 2013. I hope that they will see sense and continue with a top-down approach. He is less optimistic.
What do you think?