SEC Conference – Five Components of Internal Controls
Posted: December 17, 2012
Another area of coverage at the AICPA SEC and PCAOB Developments Conference in December that surprised me was the focus on internal control. I knew the last session of the conference was going to be on the forthcoming update to the COSO Internal Control Integrated Framework, but I did not expect other presentations to hit on the topic as well.
Paul Beswick, Acting SEC Chief Accountant, got the ball rolling by reminding everyone that internal control has five components, not just control activities. The implication is that the SEC is seeing too much focus on the Control Activities component when it asks questions about SOX 404 compliance. As a reminder, the five components of internal control are:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
The COSO framework, which is used by 85% of the companies complying with section 404, requires all five components to be present, functioning and operating together in an integrated manner to have an effective system of internal control. While many companies do address all five components, the weighting of the work is often tilted toward control activities and monitoring activities when it comes to documenting and testing of key controls. These are only 2 of 5 components (and 5 of 17 control principles in the proposed update to the framework).
And it was not just the SEC that discussed internal controls. James Doty, Chairman of the PCAOB, also brought up the issue when discussing auditors' work on internal controls. While he did not specifically get into the component issue, he questioned the adequacy of the documentation to reach a conclusion about the effectiveness of internal control. Putting two and two together, it seemed clear he was also talking about the need to properly emphasize all five components.
The new framework, scheduled to be released on March 31, 2013, is going to provide a renewed emphasis on all of the components of internal control as well as the 12 principles of control in the control environment, risk assessment and information and communication components. This really provides a great opportunity to revisit your control documentation and make sure you have everything you need to prove your assertion that you have an effective system of internal control with all five components present, functioning and operating together.
…or you can wait for that SEC comment letter.