Internal Control Questions

I mentioned in last week’s blog that I would talk more about Internal Control over Financial Reporting this week.  I recently was part of a panel at the AICPA SEC & PCAOB Developments Conference and we received numerous questions from the over 2,000 attendees about the revised 2013 Internal Control Integrated Framework from COSO.  We answered several of those questions at the conference, but I thought I would address in this blog additional questions that we were not able to get to at the conference.

Your timeline noted that implementation of the framework would take over a year (a year and a half to be precise); can you elaborate on why it will take more than a year?

The timeline I showed was my recommended model for implementing the revised framework.  You can implement the revised framework in less than a year, but you will take on more risk and may be less efficient if you do so.  The process I recommend is to incorporate the implementation into your existing annual cycle over internal controls.  This means you have to start more than a year out in order to incorporate it into a process that takes a year.  In addition, by starting early, you have more time to adequately fill gaps and make sure the controls are documented, tested and working.  This minimizes the risk of having a control failure to deal with at the end of the year.

Can you please clarify the nature of the 17 principles?  Are they mandatory?

In order to have effective internal control, the revised Framework clearly states that all 17 principles must be present and functioning.  The Framework also has points of focus to help you understand the 17 principles, but the Framework does not require you to have every point of focus in place to conclude that your system of internal control is operating effectively.

When implementing the revised Framework, where are most gaps identified?

As almost no one has implemented the revised framework yet, no research has been completed on this subject, but discussions with several preparers bring to light anecdotal evidence of a few areas where gaps seem to be occurring at multiple companies.  The first is documentation over attracting, developing and retaining competent individuals.  While most finance departments feel strongly that they have the right competencies when it comes to financial reporting, the control documentation supporting that is sometimes lacking.  A second area often overlooked is identifying and analyzing risks.  While this may be implicit in the entire Internal Control over Financial Reporting process, companies are finding they often have few, if any, controls documented that explicitly cover this principle.

COSO has stated that the 1992 Internal Control Framework will be superseded on December 15, 2014.  The SEC has declined to explicitly state whether it expects calendar year-end companies to adopt the framework in 2014, but it has said that the further you get from the December 15, 2014 date while continuing to reference the 1992 framework, the more likely it is that it will ask questions.  So, if you haven’t already done so, you need to get started on implementing the revised Framework soon.

COSO to Release Revised Internal Control Framework

On May 15, COSO (the Committee of Sponsoring Organizations) will release its long-awaited revision to its Internal Control Integrated Framework.  It has been over 20 years since COSO released its 1992 Internal Control Integrated Framework model, and a lot has changed over that time, but in a true testament to the great work that went into the 1992 Framework, that framework is still very relevant today.

The continued relevance of the 1992 Framework shows in the continued use of the five components of internal control initially outlined in that framework.  One of the updates in the 2013 framework is to explicitly outline seventeen principles that make up the five components and generally need to be in place and appropriately functioning in order to have an effective system of internal control.  The five components and related principles are outlined below:

Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

COSO will continue to support both the 1992 and 2013 Frameworks through December 15, 2014, after which time COSO will consider the 1992 framework to be superseded.  Until then you will need to disclose which version of the Framework you utilize in any external reporting use of the Framework.  Given that many calendar-year public companies have already begun their annual SOX compliance processes, I suspect most companies will utilize the 1992 Framework for 2013 reporting and then transition to the 2013 Framework in 2014.

The effort involved in the transition depends on many factors, including how closely your current controls and documentation align with the 17 principles.  While adoption may not happen until 2014, companies need to get started now on what will need to be done to transition to the new framework.  If it will simply be a documentation exercise, then most of that work can be done in 2014.  On the other hand, if additional controls need to be put into place, then those controls need to be in place prior to the beginning of 2014, or you may have trouble concluding that you had an effective system of internal control for all of 2014.

SEC Conference – Five Components of Internal Controls

Another area of coverage at the AICPA SEC and PCAOB Developments Conference in December that surprised me was the focus on internal control.  I knew the last session of the conference was going to be on the forthcoming update to the COSO Internal Control Integrated Framework, but I did not expect other presentations to hit on the topic as well.

Paul Beswick, Acting SEC Chief Accountant, got the ball rolling by reminding everyone that internal control has five components, not just control activities.  The implication is that the SEC is seeing too much focus on the Control Activities component when it asks questions about SOX 404 compliance.  As a reminder, the five components of internal control are:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring Activities

The COSO framework, which is used by 85% of the companies complying with section 404, requires all five components to be present, functioning and operating together in an integrated manner to have an effective system of internal control.  While many companies do address all five components, the weighting of the work is often tilted toward control activities and monitoring activities when it comes to documenting and testing key controls.  These are only 2 of the 5 components (and cover only 5 of the 17 control principles in the proposed update to the framework).

And it was not just the SEC that discussed internal controls.  James Doty, Chairman of the PCAOB, also brought up the issue when discussing auditors’ work on internal controls.  While he did not specifically get into the component issue, he questioned the adequacy of the documentation used to reach a conclusion about the effectiveness of internal control.  Putting two and two together, it seemed clear he was also talking about the need to properly emphasize all five components.

The new framework, scheduled to be released on March 31, 2013, is going to provide a renewed emphasis on all of the components of internal control, as well as on the 12 principles of control in the control environment, risk assessment and information and communication components.  This really provides a great opportunity to revisit your control documentation and make sure you have everything you need to support your assertion that you have an effective system of internal control with all five components present, functioning and operating together.

…or you can wait for that SEC comment letter.


The COSO Advisory Council met July 24 in Chicago to review the latest developments on the COSO Internal Control Integrated Framework update project.  We reviewed updates to the Integrated Framework, the Approaches and Examples for Internal Control over External Financial Reporting document and the Assessment Tools document.  All three documents will be available for review when the Approaches and Examples document is exposed for comment in September.

The COSO Board received considerable input on the Integrated Framework, including 96 comment letters and over 100 submissions via the web questionnaire during the exposure period that ended in March.  The Board has responded with many changes to address concerns raised in the exposure process.  The 5 components and 17 principles will still exist, but the framework’s use of attributes will change (even the term “attributes” is being changed).  There are many other changes as well that should make the framework even more useful and operational, but I don’t want to get ahead of myself.  You will be able to see all of the changes for yourself in September.

Even though COSO is not a standard setter and the Internal Control Integrated Framework is not an official standard, working on the Advisory Council has given me an appreciation for what standard setters have to deal with.  With the framework being used by 85% of public companies in the U.S. to comply with SOX 404(b) requirements, it has many commonalities with a standard.  Comments ranged from “too much was changed” to “not nearly enough was changed” in the update.  I expect the final product won’t make either of the extremes happy, but I am beginning to believe that is part of the standard-setting process.  If you balance the unhappiness of both sides, maybe that means you have struck the right balance in the final product.

You can decide for yourself if I am right and even let the COSO Board know your thoughts come November when comments on the Approaches and Examples for Internal Control over External Financial Reporting are due.

Risk Appetite

My work on the COSO Internal Control Integrated Framework revision advisory committee has brought home the importance of a risk assessment in setting up internal controls.  If you don’t know what your risks are, then how do you set up appropriate controls to manage those risks?  I think many CPAs “get this,” although a surprising number of companies still do not have formal or informal risk assessment processes.  The next step, however, is less understood.  That step is setting a risk appetite.

Dr. Larry Rittenberg, former Chairman of COSO, and Frank Martens, a member of the PwC team working on the ICIF revision, recently issued a paper through COSO on Understanding and Communicating Risk Appetite.  The paper is available from COSO.  The paper does a great job explaining what risk appetite is and why it is important to actually decide, document and communicate the risk appetite level throughout the organization.

Just as is the case when you do not determine what your risks are, without determining your risk appetite you may end up with too few controls and with risks you never intended to accept.  Just as importantly in today’s environment, without determining your risk appetite you run the risk (pun intended) of having too many controls and incurring more cost than is necessary to manage the organization’s risk to an acceptable level.

Just as an auditor sets a materiality level in an audit to help determine the level and amount of audit work that is necessary, an organization must set a risk appetite that is agreed to by the governing body (Board of Directors) as well as management.  In addition, it is extremely important to communicate this risk appetite throughout the organization.  If you don’t do so, you may end up with employees not understanding what risks they should be taking, what risks need to be limited and what risks should be avoided altogether.

In many ways setting a risk appetite goes hand-in-hand with setting the tone at the top.  But just as saying one thing and doing another confuses employees (not to mention the children in your own family), telling people to manage risks without giving them any idea of what level to manage them to leaves employees bewildered at best, or frozen by inaction for fear of doing the wrong thing at worst.

Communicating risk appetite may not be easy, but without it, a business is running on pure luck and that is no way to stack the odds in favor of success.

COSO IC Framework Revision Update

The COSO Advisory Committee met again earlier this month.  At this meeting we covered the final pre-exposure draft of the Internal Control Integrated Framework and the first draft of the guidance document on Internal Control over External Financial Reporting.

The Internal Control Integrated Framework exposure draft was released last week and is now open for comment.  The exposure draft is available from COSO.  The document is lengthy, but it will be well worth your time.  Proper controls are critical to a well-functioning organization, and the framework update should help you ensure your organization has a proper control structure in place.

You can submit comments in two ways.  Traditional letters will be accepted and published on the COSO website.  You will also be able to access an online tool to submit your comments.  All of the online comments will be summarized and published as a single document, so there will be some level of anonymity if that is what you are looking for in submitting comments.  The comment period runs through March 31, so, while it is a busy time of year, you have plenty of time to get your comments in.

The second document the COSO Advisory Committee is working on is a guidance document on how to implement the Internal Control Integrated Framework over External Financial Reporting.  This document is based on the 2006 guidance document on implementing the Internal Control Framework over financial reporting for small entities, but now it will cover companies of all sizes.

As the team reviewed the 2006 guidance, we realized that even though the document was designed with small companies in mind, much of the guidance was applicable to entities of all sizes.  The major reason for this is that the guidance focuses on the entire internal control process as well as on the point of internal control, which is managing risk.  The small-versus-large entity differences are most often highlighted in control activities, which is often viewed by many CPAs as “internal control.”  The reality is that control activities are only one part of an internal control system.  Other critical components include Control Environment, Risk Assessment, Information and Communication and Monitoring Activities.

The guidance document will include a general guidance section as well as illustrative approaches and examples covering all five of the internal control components.  As such, it should be just as useful to someone updating an entire internal control process as to someone who wants to focus on just one area to make improvements.  The guidance document will also be released for public exposure during the summer of 2012, with both documents being finalized by the end of the year.

I often hear comments from people about how the FASB, SEC and now COSO are doing things that don’t make sense to them.  This is your opportunity to make sure that doesn’t happen.  Get involved in the comment process.  Your comments will be reviewed and considered.  It’s the only way to make sure the best possible document comes out in the end.

A Week Off–Not Really

If you have kids you’ve probably heard the statement, “I can’t wait until I’m done with school and won’t have any homework any more.”  I’m sure there are some of you in college thinking that once you are done with your studies, you’ll get to do your 9-5 and then the rest of the time is yours.  That will work if you want to be a staff accountant the rest of your life, but if you want to go further than that, it takes a little more than the simple 9-5.

According to my official time record, I was on vacation all of last week.  Indeed, I didn’t set foot in the office, and I did travel 870 miles with my family back to Athens to spend Thanksgiving with my Dad and my sister’s family.  We had a great time eating turkey, watching football and going out at midnight to hit those early sales and pick up a few bargains.  But having fun with the family wasn’t the only thing I did.

First off, I had two conference calls early in the week that I had to attend, including one while I was in the middle of Mississippi on I-20.  Fortunately, I didn’t have any follow-up work from those calls.  More time was spent reading two large exposure drafts.  The first was the revised revenue recognition exposure draft from the FASB.  At 218 pages, it took several hours to get through the document and list some initial thoughts about what works and what doesn’t.  The second document was the preliminary draft of the Internal Control over External Financial Reporting guidance document.

The guidance document is the second of two documents that will be issued by COSO in the coming months.  It’s a companion document to the revised Internal Control Integrated Framework, which will be issued as an exposure draft in December.  At 171 pages it was shorter than the revenue recognition exposure draft, but it still took a long time to read, considering I was providing editorial comments throughout the document as well.

Fortunately I made it through both documents, but as I looked up from my review and saw my daughter working on her U.S. History homework, I realized that the homework never really ends.  It just changes form.

COSO Internal Control Framework Revision

The COSO Advisory Council met for the fourth time last week.  This meeting focused on the first full draft of the revised Internal Control Integrated Framework.  Members of the Advisory Council received the draft for review in August and submitted comments to the PwC team that is leading the revision efforts.  There were almost 1,400 comments submitted, so I think it is safe to say that the Advisory Council and COSO Board are taking the revision very seriously.  To set the stage for the public exposure period, I want to let you know what is changing, but maybe more importantly what is not changing.

What is not changing:

  1. The definition of internal control
  2. The five components of internal control
  3. The criteria used to assess effectiveness of internal control; and
  4. The use of judgment in evaluating the effectiveness of systems of internal control

What is changing:

  1. Codification of the principles (17 Principles and 82 attributes) with universal application for use in developing and evaluating the effectiveness of internal control systems
  2. Expanding the financial reporting objective to address internal and external, financial and non-financial reporting
  3. Increasing the focus on operations, compliance and non-financial reporting objectives based on user input
  4. Updating the framework for changes in the business environment over the last 20 years.

It should also be noted that while the Internal Control Integrated Framework document will have an increased focus on non-financial reporting objectives, the COSO Board recognizes the importance of the framework for external financial reporting and is therefore planning to release a companion document on Internal Control for External Financial Reporting at the same time it releases the revised framework.

The current plan is to release the exposure draft for public comment on November 15, with a deadline for comments of January 31.  I will keep you updated on when this very important exposure draft is released.  The COSO Board and Advisory Council are looking forward to receiving your comments on this critical document, which is an important building block for every company’s business processes.