I have been spending a good amount of time thinking about how a company’s Sarbanes-Oxley program should be affected by the updated COSO internal control framework. I have been fortunate to be able to bounce ideas off a few individuals for whom I have great respect and who were involved in the COSO update project.
In this post, I want to share and get feedback on the approach I have developed and will include in an update of my (IIA) book for management on Sarbanes-Oxley.
The basic thinking is this:
- Organizations are required to base their assessment on a recognized internal controls framework, and there is only one in practice.
- Companies should start working on addressing the updated framework now, even if there is an option to wait until 2014.
- The primary change is that the framework states that in order to have effective internal control you need not only to have reduced the risk of a material misstatement of the financials filed with the SEC to acceptable levels (which are defined by the regulators as the absence of material weaknesses), but that all relevant principles need to be present and functioning.
- Although a theoretical argument could be made that not all 17 principles are relevant to financial reporting risk (at SOX materiality levels), in practice this will be a tough argument to win. I would not try. Prudence dictates that all 17 should be considered relevant.
- Management will need to be able to assert that all 17 principles are present and functioning.
- Many of the principles relate to the context within which the controls that directly prevent or detect material errors (I call these direct key controls) operate. These principles have an indirect effect on financial statement risk — affecting the level of risk that the direct controls will fail to prevent or detect material errors. The key controls that are relied upon to ensure these “indirect effect” principles are present and functioning I refer to as indirect key controls — in contrast to the direct key controls.
- The scope of work for SOX, which is the population of key controls — direct and indirect — and the nature and extent of testing of those key controls should be based on a top-down and risk-based approach. This is not a change in principle, only in practice, when it comes to these indirect key controls and their principles. The guidance in the SOX book on direct key controls is unchanged.
- So, I am recommending that management perform a self-assessment for each of the 17 principles. Where possible, it will probably be useful to reference key controls (typically from the prior assessment period’s scope).
- Then, the risk relating to each principle should be assessed. The question is whether a defect in any aspect of that principle makes it at least reasonably possible that a material misstatement would neither be prevented nor detected. In the case of indirect effect principles, that means assessing whether a defect in the principle means it is at least reasonably likely that a direct key control would fail. The assessment of risk should be clearly documented and agreed with the external auditor.
- Management should vary the level of testing performed to provide evidence and supplement the self-assessment based on the level of risk.
- The principles relating to integrity and competence should be assumed to be high risk, requiring the identification of sufficient key indirect controls to reduce the level of risk of material misstatement to less than reasonably possible.
- When assessing deficiencies, it is essential to perform a root cause analysis. This is likely to point to an underlying problem in one or more principles, and that additional deficiency should be assessed.
I welcome your views. Does this approach make sense? Will it result in the “right” scope and the desired level of testing? I don’t think it will result in a significant increase, although the scoping exercise will have to be carefully documented.