COSO ICIF Questions Part I

Posted: January 26, 2015
I have been gathering questions from my presentations on the COSO 2013 Internal Control Integrated Framework and wanted to spend the next couple of weeks answering some of the questions that might impact many of you.
What changes do you see with SOC 1 reports and activities around them?
This is a great question because the 2013 revised framework makes it clear that even if you outsource an activity, you are still responsible for that activity from a control perspective. A SOC 1 report can provide insight into the control activities component of the framework, but it rarely provides insight into the control environment or risk assessment components. As an organization, you need to document how you are managing the control environment principles for outsourced work, as well as how you assess the risk of the areas you outsourced. This may mean that the procurement process (evaluating the competence of the outsource provider) and the decision process on what to outsource (less critical, less judgmental, less materially risky areas such as expense report processing) need to be part of your SOX control documentation for the principles under control environment and risk assessment.
How vigorous should the work be to document new “softer” controls such as a performance review process? What happens when you have a formal system, but people are not using that system for their documentation?
This really comes down to a question of how you prove something is working if you have no documentation. From an internal management perspective, I believe asking people what they do and documenting that should be sufficient, but that will not always be the case with auditors. In either case, if you have a formal system that is not always used, then your control description needs to make it clear that the formal system is optional and document which informal method(s) outside the system are acceptable, so you can conclude the control is being performed as documented.
Many aspects of the framework say “demonstrate”; please clarify how “demonstrates” translates to “documents.”
In answering this question you need to keep in mind two important items. First, the framework is written to cover more than Internal Control over Financial Reporting (it also covers compliance and operations). Second, the framework is not a standard; AS 5 from the PCAOB and the SEC rulemaking that references the COSO framework are the standards. Simply put, as a way to look at internal controls, the framework does not require that you “document” anything. However, the SEC and the PCAOB require that you document compliance with their rules. Because their rules often require “documentation” of the “demonstration,” you end up having to document everything. If you use the framework as a framework for controls over operations, you don’t have to deal with the SEC and PCAOB rules and would generally have a lot more flexibility in how much you document your demonstration of compliance with the framework.