Last week I responded to some of the questions I have received while making presentations on adoption of the COSO 2013 Internal Control Integrated Framework. This week I conclude with a response to a final “big” question about implementing the new framework.
How do you get process owners and non-financial stakeholders on board to document/update/create new controls to cover all of the principles in the new framework?
There are so many ways to go with this question, but here are a few of my thoughts.
In most cases I’ve seen, the additional controls are really not new controls, but simply newly documented controls in the SOX documentation. Once you explain to people that you aren’t really asking them to do anything different or more, but simply to help you document what they are already doing, they are usually cooperative. I’ve even had the experience where people are glad their work is now part of a SOX control because they feel like they have a new tool – the SOX hammer – to use when other groups are not cooperative in doing what they should by following the control. Finding how it benefits them is usually the key to getting people to help you.
On the other hand, if you are adding new controls to your business (not just documenting additional controls that already existed) to cover all of the principles, then you really need to question whether you were ever operating an effective system of internal control. While there is no restatement requirement related to prior Section 404 disclosures, one way to scare the heck out of most CFOs and CEOs is to point out that they signed a document that might have had an error. At least in the past they thought they were right; now they know their system is not sufficient and they would be knowingly falsifying an SEC document. If you get pushback from the CEO and CFO, then all that does is add further proof that the company does not take its Section 404 requirements and internal control seriously and is just a material misstatement waiting to happen.
If you can’t get the CEO and CFO to take action, another option is to have your auditors aid you in pointing out the importance of the missing controls. If the auditor is not going to give a clean opinion on the Section 404 statement, that should certainly get the attention of the audit committee and the board of directors. If that doesn’t get people to cooperate, then nothing will.
I consider getting the auditor and board involved the nuclear option, and even going to the CEO and CFO can burn bridges with other departments, so you want to use those techniques sparingly. I find most people really do care about doing things right and doing the right things for the business. If you can find some way they benefit from helping you as well, then most of the time you will get the help you need.
I have been gathering questions from my presentations on the COSO 2013 Internal Control Integrated Framework and wanted to spend the next couple of weeks answering some of the questions that might impact many of you.
What changes do you see with SOC 1 reports and activities around them?
This is a great question because the 2013 revised framework makes it clear that even if you outsource an activity, you are still responsible for that activity from a control perspective. A SOC 1 report can provide insight into the control activities component of the framework, but rarely does it provide insight into the control environment or risk assessment components. As an organization you need to document how you are managing the control environment principles for outsourced work, as well as how you assess the risk of the areas you outsourced. This may mean the procurement process (evaluating the competence of the outsource provider) and the decision process on what to outsource (less critical, less judgmental, less materially risky areas like expense report processing) need to be part of your SOX control documentation for the principles under control environment and risk assessment.
How vigorous should the work be to document new “softer” controls such as a performance review process? What happens when you have a formal system, but people are not using that system for their documentation?
This really comes down to a question of how you prove something is working if you have no documentation. From an internal management perspective, I believe asking people what they do and documenting that should be sufficient, but that will not always be the case with auditors. In either case, if you have a formal system which is not always used, then your control needs to make it clear that the formal system is optional and document what informal method(s) outside the system are acceptable, so you can conclude the control is being performed as documented.
Many aspects of the framework say “demonstrate;” please clarify how “demonstrate” translates to “document.”
In answering this question you need to keep in mind two important items. First, the framework is written to cover more than Internal Control over Financial Reporting (it also covers compliance and operations), and second, the framework is not a standard; AS 5 from the PCAOB and the SEC rulemaking that references the COSO framework are the standards. Simply put, as a way to look at internal controls, the framework does not require that you “document” anything. However, the SEC and the PCAOB require that you document compliance with their rules. Because their rules often require “documentation” of the “demonstration,” you end up having to document everything. If you use the framework as a framework for controls over operations, you don’t have to deal with the SEC and PCAOB rules and would generally have a lot more flexibility in how much you want to document your demonstration of compliance with the framework.
Have you been told your audit fee is going to increase because the audit team has to do more work due to PCAOB inspection findings or audit alerts? This seems to be a common refrain I hear from a lot of preparers when I talk about the COSO 2013 ICIF. If you reacted by blaming the PCAOB for this increased cost, you may be on the wrong track.
I am sure your auditor explained that the PCAOB sent out an inspection finding to their firm or an audit alert to all auditors and that this is causing the increased work, but this is where a little knowledge can go a long way. Instead of wondering how the PCAOB can issue rules that increase costs without going through a formal rule-making process that requires a comprehensive cost/benefit analysis, you need to realize that inspection findings and audit alerts do not make new rules at all. These two documents instead explain cases where the auditor was not following the rules and standards already in place for auditors of public companies.
So, if the auditor is telling you that findings or alerts are resulting in increased fees, what they are really telling you is that they have not been performing an adequate audit of your internal controls in the past. That leads to two possibilities. One, your audit team did not understand the auditing standards and therefore completed a substandard audit; or, two, your audit team knew the rules and decided to cut corners in order to low-ball the bid for your work or increase the firm’s margins on the work performed.
What do you do, then, if you are being told by your auditor that they need more money for increased work testing internal controls? I think it’s time to have a little fun. Ask your auditor if they were cutting corners, deliberately doing a bait-and-switch with a bid they knew they could not meet, or were just simply incompetent. You still might end up agreeing to pay a little more, but at least you can make your engagement partner sweat!
I mentioned in last week’s blog that I would talk more about Internal Control over Financial Reporting this week. I recently was part of a panel at the AICPA SEC & PCAOB Developments Conference, and we received numerous questions from the over 2,000 attendees about the revised 2013 Internal Control Integrated Framework from COSO. We answered several of those questions at the conference, but I thought I would address in this blog additional questions that we were not able to get to at the conference.
Your timeline noted that implementation of the framework would take over a year (a year and a half to be precise); can you elaborate on why it will take more than a year?
The timeline I showed was my recommended model for implementing the revised framework. You can implement the revised framework in less than a year, but you will take on more risk and may be less efficient if you do so. The process I recommend is to incorporate the implementation into your existing annual cycle over internal controls. This means you have to start more than a year out in order to incorporate it into a process that takes a year. In addition, by starting early you have more time to adequately fill gaps and make sure the controls are documented, tested and working. This minimizes the risk of having a control failure to deal with at the end of the year.
Can you please clarify the nature of the 17 principles? Are they mandatory?
In order to have effective internal control the revised Framework clearly states all 17 principles must be present and operating effectively. The Framework also has points of focus to help you understand the 17 principles, but the Framework does not require you to have every point of focus to conclude that your system of internal control is operating effectively.
When implementing the revised Framework, where are most gaps identified?
As almost no one has implemented the revised framework yet, no research has been completed on this subject, but discussions with several preparers bring to light anecdotal evidence of a few areas where gaps seem to be occurring in multiple companies. The first is documentation over attracting, developing and retaining competent individuals. While most finance departments feel strongly that they have the right competencies when it comes to financial reporting, the control documentation over that is sometimes lacking. A second area often overlooked is identifying and analyzing risks. While this may be implicit in the entire Internal Control over Financial Reporting process, companies are finding they often have few, if any, controls documented that explicitly cover this principle.
COSO has stated that the 1992 Internal Control Framework will be superseded on December 15, 2014. The SEC has declined to explicitly state whether they expect calendar year-end companies to adopt the framework in 2014, but they have said that the further you get from the December 15, 2014 date while continuing to reference the 1992 framework, the more likely it is they will ask questions. So, if you haven’t already done so, you need to get started on implementing the revised Framework soon.
Recently, there have been several new studies and articles released on Risk Management. COSO published a paper on using its ERM framework to help with sustainability reporting, which can be found at http://www.coso.org/. KPMG released a study on ERM capabilities.
The more I’ve read, the more I come to the conclusion that Enterprise Risk Management is incorrectly named. It seems that the more we look at it, ERM is really something else. The purpose of business is to take risk. If investors and owners didn’t want to take risk, they would simply leave their money in the bank earning a paltry half percent these days. Instead they decide to put their money at risk in the hope that the risks the business takes will result in a greater return.
So if a business’ purpose in life is to take risk, why do we spend so much time talking about managing risk? Part of it comes from the conflicting requirements a business faces. Certainly they have to take risk in order to try to make a profit, but there are risks a business wants to avoid. Financial reporting risk is one many CPAs are familiar with, but there are others, such as regulatory compliance risk and certain legal risks, that are also to be avoided or minimized. The problem is when that “minimize the risk” mindset sinks into the regular business decision-making process.
I think the whole ERM process is unfortunately bringing that minimize-or-eliminate-risk mindset to the rest of the business. Maybe this is because ERM efforts are often led by financial or compliance professionals who bring that negative view of risk from their discipline. Or maybe it’s just that word “risk.” What if we called it Enterprise Opportunity Management? That certainly gives it a different connotation and makes you think differently about what the process should be. So, here’s to looking for those EOM studies and how-to articles.
On May 15, COSO (the Committee of Sponsoring Organizations) will release its long-awaited revision to its Internal Control Integrated Framework. It has been over 20 years since COSO released its 1992 Internal Control Integrated Framework model, and a lot has changed over that time, but in a true testimonial to the great work that went into the 1992 Framework, that framework is still very relevant today.
The continued relevance of the 1992 Framework shows in the continued use of the five components of internal control initially outlined in that framework. One of the updates in the 2013 framework is to explicitly outline seventeen principles that make up the five components and generally need to be in place and appropriately functioning in order to have an effective system of internal control. The five components and their related principles are outlined below:
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
COSO will continue to support both the 1992 and 2013 Frameworks through December 15, 2014, after which time COSO will consider the 1992 framework to be superseded. Until then you will need to disclose which version of the Framework you utilize in any external reporting use of the Framework. Given that many calendar-year public companies have already begun their annual SOX compliance processes, I suspect most companies will utilize the 1992 Framework for 2013 reporting and then transition to the 2013 Framework in 2014.
The effort involved in the transition depends on many factors, including how closely your current controls and documentation align with the 17 principles. While adoption may not happen until 2014, companies need to get started now on what will need to be done to transition to the new framework. If it will simply be a documentation exercise, then most of that work can be done in 2014. On the other hand, if additional controls need to be put into place, then those controls need to be in place prior to the beginning of 2014, or you may have trouble concluding that you had an effective internal control framework for all of 2014.