The COSO Advisory Council met July 24 in Chicago to review the latest developments on the COSO Internal Control Integrated Framework update project.  We reviewed updates to the Integrated Framework, the Approaches and Examples for Internal Control over External Financial Reporting document and the Assessment Tools document.  All three documents will be available for review when the Approaches and Examples document is exposed for comments in September. 

The COSO Board received considerable input on the Integrated Framework including 96 comment letters and over 100 submissions via the web questionnaire during the exposure period that ended in March.  The Board has responded with many changes to address concerns raised in the exposure process.  The 5 components and 17 principles will still exist, but the framework’s use of attributes will change (even the term attributes is being changed).  There are many other changes as well that should make the framework even more useful and operational, but I don’t want to get ahead of myself. You will be able to see all of the changes for yourself in September.    

Even though COSO is not a standard setter and the Internal Control Integrated Framework is not an official standard, working on the Advisory Council has given me an appreciation for what standard setters have to deal with.  With the framework being used by 85% of public companies in the U.S. to comply with SOX 404b requirements, it has many commonalities with a standard.  Comments ranged from "too much was changed" to "not nearly enough was changed" in the update.  I expect the final product won’t make either of the extremes happy, but I am beginning to believe that is part of the standard setting process.  If you balance the unhappiness of both sides, maybe that means you have struck the right balance in the final product.

You can decide for yourself if I am right and even let the COSO Board know your thoughts come November when comments on the Approaches and Examples for Internal Control over External Financial Reporting are due.

Risk Appetite

My work on the COSO Internal Control Integrated Framework revision advisory committee has brought home the importance of a risk assessment in setting up internal controls.  If you don’t know what your risks are, then how do you set up appropriate controls to manage those risks?  I think many CPAs “get this,” although a surprising number of companies still do not have formal or informal risk assessment processes.  The next step, however, is less understood.  That step is setting a risk appetite.

Dr. Larry Rittenberg, former Chairman of COSO, and Frank Martens, a member of the PwC team working on the ICIF revision, recently issued a paper through COSO on Understanding and Communicating Risk Appetite.  The paper can be found at . The paper does a great job explaining what risk appetite is and why it is important to actually decide, document and communicate the risk appetite level throughout the organization.

Just as is the case with not determining what your risks are, without determining your risk appetite, you may end up with too few controls and risks you never intended to accept.  Just as importantly in today’s environment, without determining your risk appetite, you run the risk (pun intended) of having too many controls and incurring more cost than is necessary to manage an organization’s risk to an acceptable level.

Just as an auditor sets a materiality level in their audit to help determine the level and amount of audit work that is necessary, an organization must set a risk appetite that is agreed to by the governing body (Board of Directors) as well as management.  In addition, it is extremely important to communicate this risk appetite throughout the organization.  If you don’t do so, you may end up with employees not understanding what risks they should be taking, what risks need to be limited and what risks avoided altogether.

In many ways setting a risk appetite goes hand-in-hand with setting the tone at the top.  But just like saying one thing and doing another confuses employees (not to mention the children in your own family), telling people to manage risks without giving them any idea on what level to manage them to leaves employees bewildered at best or frozen by inaction for fear of doing the wrong thing at worst.

Communicating risk appetite may not be easy, but without it, a business is running on pure luck and that is no way to stack the odds in favor of success.

COSO IC Framework Revision Update

The COSO Advisory Committee met again earlier this month. At this meeting we covered the final pre-exposure draft of the Internal Control Integrated Framework and the first draft of the Guidance document over Internal Control over External Financial Reporting.

The Internal Control Integrated Framework exposure draft was released last week and is now open for comment.  You can access the exposure draft at  The document is lengthy, but it will be well worth your time.  Proper controls are critical to a well-functioning organization and the framework update should help you ensure your organization has a proper control structure in place.

You can submit comments in two ways.  Traditional letters will be accepted and published on the COSO website.  You will also be able to access an online tool to submit your comments.  All of the online comments will be summarized and published as a single document so there will be some level of anonymity if that is what you are looking for in submitting comments.  The comment period runs through March 31 so, while it is a busy time of year, you have plenty of time to get your comments in.

The second document the COSO Advisory Committee is working on is a guidance document on how to implement the Internal Control Integrated Framework over External Financial Reporting.  This document is based on the 2006 guidance document on implementing the Internal Control Framework over financial reporting for small entities, but now it will cover all sizes of companies. 

As the team reviewed the 2006 guidance we realized that even though the document was designed with small companies in mind, much of the guidance was applicable to entities of all sizes.  The major reason for this is that the guidance focuses on the entire internal control process as well as the point of internal control, which is managing risk.  The small versus large entity differences are most often highlighted in control activities, which are often viewed by many CPAs as “internal control.”  The reality is that only a part of an internal control system is composed of control activities.  Other critical components include Control Environment, Risk Assessment, Information and Communications and Monitoring Activities.

The guidance document will include a general guidance section as well as illustrative approaches and examples covering all five of the Internal Control Components.  As such it should be just as useful to someone updating an entire Internal Control Process as to someone who wants to focus on just one area to make improvements.  The Guidance document will also be released for public exposure during the summer of 2012 with both documents being finalized by the end of the year.

I often hear comments from people about how the FASB, SEC and now COSO are doing things that to them don’t make sense.  This is your opportunity to make sure that doesn’t happen.  Get involved in the comment process.  Your comments will be reviewed and considered.  It’s the only way to make sure the best possible document comes out in the end.

A Week Off–Not Really

If you have kids you’ve probably heard the statement, “I can’t wait until I’m done with school and won’t have any homework any more.”  I’m sure there are some of you in college thinking that once you are done with your studies, you’ll get to do your 9-5 and then the rest of the time is yours.  That will work if you want to be a staff accountant the rest of your life, but if you want to go further than that, it takes a little more than the simple 9-5.

According to my official time record, I was on vacation all of last week.  Indeed, I didn’t set foot in the office and I did travel 870 miles with my family back to Athens to spend Thanksgiving with my Dad and my sister’s family.  We had a great time eating turkey, watching football and going out at midnight to hit those early sales and pick up a few bargains. But having fun with the family wasn’t the only thing I did. 

First off, I had two conference calls early in the week that I had to attend, including one while I was in the middle of Mississippi on I-20.  Fortunately, I didn’t have any follow-up work from those calls.  More time was spent reading two large exposure drafts.  The first was the revised revenue recognition exposure draft from the FASB.  At 218 pages, it took several hours to get through the document and list some initial thoughts about what works and what doesn’t.  The second document was the preliminary draft of the Internal Control over External Financial Reporting guidance document.

The guidance document is the second of two documents that will be issued by COSO in the coming months.  It’s a companion document to the revised Internal Control Integrated Framework which will be issued as an exposure draft in December.  At 171 pages it was shorter than the revenue recognition exposure draft, but it still took a long time to read considering I was providing editorial comments throughout the document as well.

Fortunately I made it through both documents, but as I looked up from my review and saw my daughter working on her U.S. History homework, I realized that the homework never really ends.  It just changes form.

COSO Internal Control Framework Revision

The COSO Advisory Council met for the fourth time last week.  This meeting focused on the first full draft of the revised Internal Control Integrated Framework.  Members of the Advisory Council received the draft for review in August and submitted comments to the PwC team that is leading the revision efforts.  There were almost 1,400 comments submitted so I think it is safe to say that the Advisory Council and COSO Board are taking the revision very seriously.  To set the stage for the public exposure period I want to let you know what is changing, but maybe more importantly what is not changing.

What is not changing:

  1. The definition of internal control
  2. The five components of internal control
  3. The criteria used to assess effectiveness of internal control; and
  4. The use of judgment in evaluating the effectiveness of systems of internal control

What is changing:

  1. Codification of the principles (17 Principles and 82 attributes) with universal application for use in developing and evaluating the effectiveness of internal control systems
  2. Expanding the financial reporting objective to address internal and external, financial and non-financial reporting
  3. Increasing the focus on operations, compliance and non-financial reporting objectives based on user input
  4. Updating the framework for changes in the business environment over the last 20 years.

It should also be noted that while the Internal Control Integrated Framework document will have an increased focus on non-financial reporting objectives, the COSO Board recognizes the importance of the framework for external financial reporting and is therefore planning to release a companion document on Internal Control for External Financial Reporting at the same time it releases the revised framework.

The current plan is to release the exposure draft for public comment on November 15 with a deadline for comments of January 31.  I will keep you updated on when this very important exposure draft is released.  The COSO Board and Advisory Council are looking forward to receiving your comments on this critical document that is an important building block for every company’s business processes.