Implementing COSO 2013 for SOX
Posted: November 3, 2014
As 2014 nears its end, many companies have transitioned from the 1992 COSO Internal Control Integrated Framework to the 2013 COSO Framework. As a result, a picture of the impacts of implementing the revised framework is coming into focus. Many companies are finding they needed to document additional entity level controls. Typically entity level controls were used to support the assertion of compliance with the first two components of the 1992 Framework – Control Environment and Risk Assessment. The new controls tended to be focused on two principles from the 2013 Framework.
Principle 4 – Demonstrates a Commitment to Competence
While many companies using the 1992 COSO Framework focused on the commitment to integrity, ethics and tone at the top, the 2013 COSO Framework made it clear that a proper control environment also includes having competent people responsible for key controls. If a company addressed the subject at all previously, it was usually a general “I have competent people performing the controls now” kind of assessment. Principle 4, however, requires documentation of a much more in-depth process: not just saying “I have competent people now,” but documenting the process for ensuring the organization has competent people now and into the future. Typical new documentation in this area centers on job definitions, hiring practices, processes to ensure competitive salaries, and a commitment to training. I am also pleased to say some companies are also documenting that certain jobs need to be filled by CPAs.
Principle 7 – Identifies and Analyzes Risk
Most companies felt like the risk assessment component was an indicator of a top down approach to determining what controls are necessary. They hadn’t documented the controls to make sure the risk assessment process itself was working properly. The 2013 Framework also made it clear that the risk assessment process starts with those in governance – the Board of Directors for most public companies. As a result, companies have had to more formally document how the risk assessment process includes interaction with the Board and how key risks are determined before even considering control activities to manage those risks.
The other area of change many companies have discovered is around monitoring controls. The 2013 Framework clarified that actions like supervisory reviews are not automatically monitoring controls. A supervisory review is a control activity if the intent of the review is to detect and correct errors. On the other hand, the review is a monitoring activity only if the intent is to determine why there were errors and then assign management to fix the process, not just correct the individual transaction error. This has led to the realization that many documented “monitoring activities” were actually “control activities,” and companies have had to go back and reassess what monitoring activities are actually taking place.
These changes are just some of the most common in implementing the revised 2013 COSO Framework. Now I would like to hear from you. What changes or additional documentation did you have to make as a result of implementing the 2013 COSO Internal Control Integrated Framework?