Talking Sense about COSO 2013 and SOX
May 16, 2014
Congratulations to Financial Executives International (FEI, one of the sponsoring organizations behind COSO) and its Accounting Policy Analysis and Communications Director, Edith Orenstein.
They commemorated the one year anniversary of the release of the COSO Internal Control–Integrated Framework update by collecting comments from several of the key players involved in its production.
I celebrate some of these comments, while others I prefer to overlook.
Keeping Your Controls Under Control: COSO Turns One starts well. The title points to one of the areas where COSO provides little guidance: how to ensure you don't have an inefficient internal control system. COSO focuses on effective internal control, but many organizations have redundant and duplicative controls — they lack efficiency. COSO does not provide guidance on how to select the most appropriate combination of controls for your organization, only how internal controls operate effectively. So, I like the title — keeping the number of controls under control.
If you have been reading my comments on the COSO update, you will know that I am concerned that people will leap to including controls in their SOX scope that are not necessary because they are not relied upon to either prevent or detect a material error or omission in the financial statements filed with the SEC. That is the almost inevitable result of including in scope all the controls they map to the 17 COSO Principles. Consultants are guiding people to do this, using the 17 Principles (and often the Points of Focus) as a checklist, on the mistaken assumption that perfect assurance is needed on all 17 Principles — when, in fact, the Principles can be assessed as present and functioning for SOX purposes as long as any related defects do not represent a "major" weakness (in SOX language, a material weakness) in achieving the external reporting objective.
I should point out that FEI, with leadership from Ms. Orenstein, joined the IIA and others (including me) in pressing COSO to ensure that the 17 Principles are not used as a checklist, and in asking for a continuing emphasis on the assertion that internal control is effective when it manages risk at acceptable levels. Congratulations again, FEI!
Now the comments I liked:
From Marie Hollein, President and CEO of FEI: "COSO's updated internal control framework, like the original framework, will continue to rely on the strength of its being a principles-based framework. COSO's intent is NOT for its framework to become a checklist, and while there are many avenues for implementation, including mapping from the '92 to the 2013 versions of the framework, the facts and circumstances at each company will vary. COSO did not prescribe, and is not in the business of prescribing, any minimal 'mandatory' documentation or evidentiary requirements."
Ray Purcell of Pfizer: "Take a reasonable approach — don't overdo this. This shouldn't be a complete overhaul of the system of internal controls — no major projects, consultants, or mountains of documents are required. COSO 2013 is an opportunity to review your controls and make some enhancements, but this is more of a continuous improvement initiative than reengineering."
Jim DeLoach of Protiviti had wise words to contribute: "Regarding the implementation of the new framework, the most important thing I can think of is the need to apply it with a top-down, risk-based focus and approach. Applying the framework as a checklist is not what COSO intended."
If you are looking to improve both the efficiency and effectiveness of your SOX program, meeting both the regulatory requirement for a top-down and risk-based approach and the new COSO expectation that all the principles are present and functioning, please check out my book for management on SOX, published by the IIA and available on their site and on Amazon.
I welcome your comments, especially any stories you can share about what your external auditors are telling you.