As part of a new set of draft guidance, including an update to the Internal Controls Framework that I will review later, COSO has published (also in draft, for comment) Internal Control over External Financial Reporting: A Compendium of Approaches and Examples.
I was hoping that this document would show how the COSO Internal Controls Framework can be applied in an organization's Sarbanes-Oxley program to identify financial reporting risks and the combination of controls to rely on to prevent or detect material misstatements.
The problem is that while it provides some useful language and examples of controls that might be identified as providing assurance on the integrity of financial statements, it fails the test of helping management identify the right controls to rely upon.
It's one thing to identify a laundry list of controls that fit the profile of COSO's Principles and Points of Focus.
It's an entirely different challenge to identify an efficient set of controls that can be relied upon to provide reasonable assurance that the filed financial statements are free of material error.
While the COSO guide talks about risk assessment and the need to identify sources of material error, it fails to flow that down into the identification of key controls in each component. In the process, it makes mistakes that experienced SOX practitioners will recognize:
- The examples include the use of 'risk ratings' where even low risks require some level of work. However, the first test must be whether there is a reasonable likelihood of a material error; if that test is met, the account is in scope. If it is not met, it is not in scope and no work needs to be done for SOX purposes. As simple as that! Only for in-scope accounts is it useful to assess the relative likelihood of a material error or of a controls failure to (a) assist in control identification and (b) influence the testing that will be performed.
- The discussion of fraud risk is broad and management should, as part of running the business, have an appropriate set of controls to prevent or detect fraud. However, for SOX purposes, the only consideration should be fraud that might result in a material misstatement of the financials! The new COSO guidance fails to point this out.
- The COSO document ranges far and wide, including many matters hardly likely to be relevant to the material integrity of the financial statements (such as potential changes in senior executives, or the audit committee reviewing the internal audit plan).
The SEC has shared SOX guidance for management (PDF) that can be used as a safe harbor. Any COSO guidance has to be consistent with the SEC's product, which demonstrates a true top-down and risk-based approach.
The ingredients are present. If COSO (via PwC, the author of the guidance) can reorder the flow to start with Risk Assessment and demonstrate how the SEC guidance can be followed with the assistance of the updated COSO Internal Controls Framework, they will have made a positive contribution.
As it is, if management follows the COSO guidance in defining internal controls over financial reporting for SOX instead of a top-down approach, they will add controls and cost without necessarily improving the quality of controls.
Why? Because this COSO guidance doesn't help identify the right controls to include in scope. In fact, it suggests controls that are important for the business but irrelevant to preventing or detecting material misstatements.
I welcome your views and comments (I have shared this post with COSO leaders).