Last week I responded to some of the questions I have received while making presentations on adoption of the COSO 2013 Internal Control Integrated Framework. This week I conclude with a response to a final “big” question about implementing the new framework.
How do you get process owners and non-financial stakeholders on board to document/update/create new controls to cover all of the principles in the new framework?
There are so many ways to go with this question, but here are a few of my thoughts.
In most cases I’ve seen, the additional controls are really not new controls, but simply newly documented controls in the Sox documentation. Once you explain to people you aren’t really asking them to do anything different or more, but to simply help you document what they are already doing, then they are usually cooperative. I’ve even had the experience where people are glad their work is now part of a Sox control because they feel like they have a new tool – the Sox hammer – to use when other groups are not cooperative in doing what they should by following the control. Finding how it benefits them is usually the key to getting people to help you.
On the other hand, if you are adding new controls to your business (not just document additional controls that already existed) to cover all of the principles, then you really need to question if you were ever operating an effective system of internal controls. While there is no restatement requirement related to prior section 404 disclosures, one way to scare the heck out of most CFOs and CEOs is to point out that they signed a document that might have had an error. At least in the past they thought they were right, now they know their system is not sufficient and they would be knowingly falsifying an SEC document. If you get pushback from the CEO and CFO then all that does is add further proof that the company does not take its section 404 requirements and internal control seriously and is just a material misstatement waiting to happen.
If you can’t get the CEO and CFO to take action, another option is to have your auditors aid you in pointing out the importance of the missing controls. If the auditor is not going to give a clean opinion on the section 404 statement that should certainly get the attention of the audit committee and the Board of directors. If that doesn’t get people to cooperate than nothing will.
I consider getting the auditor and Board involved the nuclear option and even going to the CEO and CFO can burn bridges with other departments, so you want to use those techniques sparingly. I find most people really do care about doing things right and doing the right things for the business. If you can find some way they benefit from helping you as well, then most of the time you will get the help you need.
I have been gathering questions from my presentations on the COSO 2013 Internal Control Integrated Framework and wanted to spend the next couple of weeks answering some of the questions that might impact many of you.
What changes do you see with SOC I reports and activities around them?
This is a great question because the 2013 revised framework makes it clear that even if you outsource an activity you are still responsible for that activity from a control perspective. A SOC 1 report can provide insight into the control activity component of the framework, but rarely do they provide insight into the control environment or risk assessment components of the framework. As an organization you need to document how you are managing the control environment principles for outsourced work as well as assessing the risk of the areas you outsourced. This may mean the procurement process (evaluating the competence of the outsource provider) and the decision process on what to outsource (less critical/less judgmental/less materially risky areas like expense report processing) needs to be part of your sox control documentation for the principles under control environment and risk assessment.
How vigorous should the work be to document new “softer” controls such as a performance review process? What happens when you have a formal system, but people are not using that system for their documentation?
This really comes down to a question of how you prove something is working if you have no documentation. From an internal management perspective, I believe asking people what they do and documenting that should be sufficient, but that will not always be the case with auditors. In either case, if you have a formal system which is not always used, then your control needs to make it clear that the formal system is optional and document what informal method(s) outside the system are acceptable so you can conclude the control is being performed as documented.
Many aspects of the framework say “demonstrate;” please clarify how demonstrates translates to “documents.”
In answering this question you need to keep in mind two important items. First, the framework is written to cover more than Internal Control over Financial Reporting (it also convers compliance and operations) and second, the framework is not a standard, AS 5 from the PCAOB and the SEC rulemaking that references the COSO framework are the standards. Simply put, as a way to look at internal controls the framework does not require that you “document” anything. However, the SEC and the PCAOB require you document compliance with their rules. Because their rules often require “documentation” of the “demonstration” you end up having to document everything. If you use the framework as a framework for controls over operations, you don’t have to deal with the SEC and PCAOB rules and would generally have a lot more flexibility in how much you want to document your demonstration of compliance with the framework.
As 2014 nears its end, many companies have transitioned from the 1992 COSO Internal Control Integrated Framework to the 2013 COSO Framework. As a result, a picture of the impacts of implementing the revised framework is coming into focus. Many companies are finding they needed to document additional entity level controls. Typically entity level controls were used to support the assertion of compliance with the first two components of the 1992 Framework – Control Environment and Risk Assessment. The new controls tended to be focused on two principles from the 2013 Framework.
Principle 4 – Demonstrates a Commitment to Competence
While many companies using the 1992 COSO Framework focused on the commitment to integrity, ethics and tone at the top, the 2013 COSO Framework made it clear that a proper control environment also includes having competent people responsible for key controls. If a company addressed the subject at all previously, it was usually a general “I have competent people performing the controls now” kind of assessment. Principle 4, however, requires documentation of a much more in depth process, not just saying I have competent people now, but documenting the process for ensuring the organization has competent people now and into the future. Typical new documentation in this area centers on job definitions, hiring practices, processes to ensure competitive salaries, and a commitment to training. I also am pleased to say some companies are also documenting that certain jobs need to be filled by CPAs.
Principle 7 – Identifies and Analyzes Risk
Most companies felt like the risk assessment component was an indicator of a top down approach to determining what controls are necessary. They hadn’t documented the controls to make sure the risk assessment process itself was working properly. The 2013 Framework also made it clear that the risk assessment process starts with those in governance – the Board of Directors for most public companies. As a result, companies have had to more formally document how the risk assessment process includes interaction with the Board and how key risks are determined before even considering control activities to manage those risks.
The other area of change many companies have discovered is around monitoring controls. The 2013 Framework clarified that actions like supervisory reviews are not automatically monitoring controls. A supervisory review is a control activity if the intent of the review is to detect and correct errors. On the other hand, the review is a monitoring activity only if the intent was to determine why there were errors and then assign management to fix the process, not just correct the individual transaction error. This has led to the realization that many documented “monitoring activities” were actually “control activities” and companies have had to go back and reassess what monitoring activities actually are taking place.
These changes are just some of the most common in implementing the revised 2013 COSO Framework. Now I would like to hear from you. What changes or additional documentation did you have to make as a result of implementing the 2013 COSO Internal Control Integrated Framework?