Protiviti has updated their The Updated COSO Internal Control Framework: Frequently Asked Questions. I congratulate their continuing efforts to explain topics like this; the format of Frequently Asked Questions (FAQ) is excellent.
I recommend this guide to all, although there are some areas with which I take issue.
The most important is the failure to reference the first and primary criterion for an effective system of internal control. The COSO Update leads the discussion of an effective system of internal control with this:
"An effective system provides reasonable assurance regarding achievement of an entity's objectives. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives."
It continues the discussion by referring to the Principles and the requirement that all the components work together (achieved if the Principles are satisfied).
Unfortunately, Protiviti has not updated their FAQ to include this critical requirement to reduce risk to acceptable levels.
This is especially important because, as COSO will confirm, the Framework focuses on effective internal control and not on the efficiency of controls. It tells you what needs to be present, but does not help you decide what to omit because the risk is less than the cost of the controls.
Protiviti accurately portrays the COSO discussion of how you assess deficiencies in internal control. They remind us that COSO 2013 states: "A major deficiency in internal control is defined as 'an internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives.'" Unfortunately, Protiviti did not augment COSO's guidance by referring to the fact that it should only be considered a major deficiency if the risk is outside acceptable levels.
I hope that their 3rd edition will include more guidance on how to augment the COSO 2013 update with the practical consideration of risk.
Another important opportunity that was not seized was to explain how companies should adopt COSO 2013 as part of a top-down and risk-based SOX program. I am working with The IIA to include this in an update to my SOX book, which I expect will be published shortly.
Finally, COSO 2013 talks about "relevant Principles": effective internal control is achieved when all relevant Principles are satisfied. This language might enable organizations to decide that certain Principles are not relevant and therefore do not need to be satisfied. Unfortunately, little explanation has been provided as to when this might be applied and how. My personal advice is (a) to assume they are all relevant for SOX; and (b) for all other purposes, to assess whether a failure to achieve that Principle would reduce the likelihood of achieving the objective(s) below acceptable levels. If that residual risk is very low, then perhaps the Principle is not relevant to the objective.
I welcome your views and comments.