I continue to see and hear questions about how organizations should address the 17 principles in the updated COSO Internal Control–Integrated Framework.
The consensus advice from consultants is that organizations should take each of the 17 principles (and more often than not this exercise is performed down to the points-of-focus level of detail) and map their existing (i.e., prior year) SOX key controls to them. When they see a gap, the advice is that additional key controls should be identified. All such key controls are included in scope and tested.
COSO has provided a template for this purpose. It is not required but is available for companies to use. At least one of the public accounting firms, as well as several consultants, has provided a similar template.
But I do not believe this is the right approach.
While it will ensure that each of the 17 principles are satisfied, in many if not most cases the scope of the SOX program will be inefficient. It will include key controls that are not necessary to ensure that material misstatements of the financials filed with the SEC are either prevented or detected.
I address how to address the COSO principles in detail in my book, Management's Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization, published by and available from The IIA and on Amazon.
In this post, I am going to use excerpts from that book to describe my suggested approach.
I have reviewed this approach with leaders at COSO, the regulators, and major public accounting firms and received both support and encouragement.
In a major keynote at the IIA GAM conference, a member of the PCAOB Board discouraged organizations from taking a "checklist" approach — and in my opinion, that is what the templates and mapping exercises represent.
It is worth emphasizing that neither the SEC nor the PCAOB have updated their guidance that both management and their auditors should use a top-down and risk-based approach to setting the scope of their SOX program.
This was repeated as recently as the PCAOB Staff Alert in October 2013 — published after the COSO 2013 update had been released.
This is how I describe how COSO talks about "effective internal control":
The 2013 internal control framework provides two key points relating to the assessment of internal control.
- First, it states that "An effective system provides reasonable assurance regarding achievement of an entity's objectives. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives."
COSO has made public statements that support the application of a top-down and risk-based approach to assessing internal control over financial reporting described in this book and in both SEC and PCAOB guidance.
- COSO continues by explaining requirements for achieving reasonable assurance; these are based on the presence and functioning of five components of internal control and 17 principles.
I explain how the regulators, the PCAOB in Auditing Standard No. 5 and the SEC in their Interpretive Guidance (PDF) (get a copy if you don't have one), explain the top-down and risk-based approach:
AS 5 includes the following:
"The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test. A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.
"This approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company's processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.
"Note: The top-down approach describes the auditor's sequential thought process in identifying risks and the controls to test, not necessarily the order in which the auditor will perform the auditing procedures."
The SEC uses different language, but the principles are the same:
"Management should evaluate whether it has implemented controls that will achieve the objective of ICFR (that is, to provide reasonable assurance regarding the reliability of financial reporting). The evaluation begins with the identification and assessment of the risks to reliable financial reporting (that is, materially accurate financial statements), including changes in those risks. Management then evaluates whether it has controls placed in operation (that is, in use) that are designed to adequately address those risks. Management ordinarily would consider the company's entity-level controls in both its assessment of risks and in identifying which controls adequately address the risks."
My advice is to retain the top-down and risk-based approach, but adapt it to address the new COSO principles. This is how I summarize it in the book. The steps include:
a. Identifying and assessing the sources of risk to the financial statements. With respect to the COSO Framework, this is addressed in the Risk Assessment component and its principles (i.e., principles 6-9 above). Steps include identifying:
- The general ledger accounts that constitute each line in the financial statements as filed. For example, accounts payable is normally one line in the financial statements, although it represents a group of related general ledger accounts.
- For each of the above, the accounts that are considered significant.
- The financial statement assertions relevant to those accounts and material to the investor.
- The locations to include in scope.
- The business processes that process transactions into the significant accounts at in-scope locations.
- The key transactions representing balances in the above accounts.
b. Identifying those controls that have a direct effect on the likelihood of material misstatement, either by preventing or detecting material errors or omissions. These are referred to in this book as "direct controls" (a term not used in regulatory guidance, although the latter does talk about controls that only have an "indirect effect"). The majority of the direct controls are typically in the Control Activities component (principles 10-12 apply).
c. Obtaining a self-assessment from management of each of the COSO principles. I am going to assume, being prudent, that all 17 are considered "relevant" for our purposes.
d. Performing a risk assessment for each of the COSO principles.
e. Where a defect in the presence or functioning of any of these principles is at least reasonably likely to lead to the failure of one or more direct key controls, rate it as high risk and identify the key controls that will be relied upon for each principle. Otherwise, rate it as a low risk and rely on management's self-assessment of the principles. (See detailed discussion below.)
f. Performing a "reasonable person" review. Would a reasonable person believe that the set of key controls that has been included in scope would, if adequately designed and operating effectively, provide the reasonable assurance desired?
Each of these steps is described in detail in the book, especially step d. Here, the key is to ask:
Could a failure to achieve this principle, or any of its points of focus, result in the failure to prevent or detect a material misstatement? Is that failure at least reasonably likely?
If the answer is "yes," then after carefully documenting the risk assessment and its results, key controls are identified to address the risk that has been identified.
If the answer is "no," then after documenting the risk assessment and its results it is essential to discuss the results with the external auditor.
Hopefully, this approach makes good sense.
I welcome your comments and perspectives. I am especially interested in any stories you can share on how your discussions have gone with the external auditors with respect to COSO 2013.