Internal Control QuestionsPosted: December 23, 2013
I mentioned in last week’s blog that I would talk more about Internal Control over Financial Reporting this week. I recently was part of a panel at the AICPA SEC & PCAOB Developments Conference and we received numerous questions from the over 2,000 attendees about the revise 2013 Internal Control Integrated Framework from COSO. We answered several of those questions at the conference, but I thought I would address additional questions that we were not able to get to at the conference in this blog.
Your timeline noted that implementation of the framework would take over a year (a year and a half to be precise); can you elaborate on why it will take more than a year?
The timeline I showed was my recommended model for implementing the revised framework. You can implement the revised framework in less than a year but you will take on more risks and maybe be less efficient if you do so. The process I recommend is to incorporate the implementation into your existing annual cycle over internal controls. This means you have to start more than a year out in order to incorporate it into a process that takes a year. In addition, by starting early, you have more time to adequately fill gaps, make sure the controls are documented, tested and working. This minimizes the risk of have a control failure to deal with at the end of the year.
Can you please clarify the nature of the 17 principles? Are they mandatory?
In order to have effective internal control the revised Framework clearly states all 17 principles must be present and operating effectively. The Framework also has points of focus to help you understand the 17 principles, but the Framework does not require you to have every point of focus to conclude that your system of internal control is operating effectively.
When implementing the revised Framework, where are most gaps identified?
As almost no one has implemented the revised framework yet, no research has been completed on this subject, but discussions with several preparers bring to light anecdotal evidence of a few areas where gaps seem to be occurring in multiple companies. The first is documentation over attracting, developing and retaining competent individuals. While most finance departments feel strongly they have the right competencies when it comes to financial reporting, the control documentation over that is sometimes lacking. A second area often over looked is identifying and analyzing risks. While this may be implicit in the entire Internal Control over Financial Reporting process, companies are finding they often have few, if any, controls documented that explicitly cover this principle.
COSO has stated that the 1992 Internal Control Framework will be superseded on December 15, 2014. The SEC has declined to explicitly state if they expect calendar year-end companies to adopt the framework in 2014, but they have said that the further you get away from the December 15, 2014 date and continue to reference the 1992 framework, the more likely it is they will ask questions, so if you haven’t already done so, you need to get started on implementing the revised Framework soon.