I mentioned in last week’s blog that I would talk more about Internal Control over Financial Reporting this week. I recently was part of a panel at the AICPA SEC & PCAOB Developments Conference, and we received numerous questions from the over 2,000 attendees about the revised 2013 Internal Control Integrated Framework from COSO. We answered several of those questions at the conference, but I thought I would address in this blog additional questions that we were not able to get to at the conference.
Your timeline noted that implementation of the framework would take over a year (a year and a half to be precise); can you elaborate on why it will take more than a year?
The timeline I showed was my recommended model for implementing the revised framework. You can implement the revised framework in less than a year, but you will take on more risk and may be less efficient if you do so. The process I recommend is to incorporate the implementation into your existing annual cycle over internal controls. This means you have to start more than a year out in order to incorporate it into a process that takes a year. In addition, by starting early you have more time to adequately fill gaps and make sure the controls are documented, tested and working. This minimizes the risk of having a control failure to deal with at the end of the year.
Can you please clarify the nature of the 17 principles? Are they mandatory?
In order to have effective internal control, the revised Framework clearly states that all 17 principles must be present and functioning. The Framework also has points of focus to help you understand the 17 principles, but the Framework does not require you to have every point of focus in place to conclude that your system of internal control is operating effectively.
When implementing the revised Framework, where are most gaps identified?
As almost no one has implemented the revised framework yet, no research has been completed on this subject, but discussions with several preparers bring to light anecdotal evidence of a few areas where gaps seem to be occurring in multiple companies. The first is documentation over attracting, developing and retaining competent individuals. While most finance departments feel strongly that they have the right competencies when it comes to financial reporting, the control documentation over that is sometimes lacking. A second area often overlooked is identifying and analyzing risks. While this may be implicit in the entire Internal Control over Financial Reporting process, companies are finding they often have few, if any, controls documented that explicitly cover this principle.
COSO has stated that the 1992 Internal Control Framework will be superseded on December 15, 2014. The SEC has declined to explicitly state if they expect calendar year-end companies to adopt the framework in 2014, but they have said that the further you get away from the December 15, 2014 date and continue to reference the 1992 framework, the more likely it is they will ask questions, so if you haven’t already done so, you need to get started on implementing the revised Framework soon.
Last week I attended and presented at the AICPA SEC & PCAOB Developments Conference in Washington DC. At least, I attended the second day and presented on the third day in DC. Due to weather problems in both Dallas and Washington, my Sunday flight was cancelled and the earliest flight available was Monday evening. So instead of trying to figure out a way to get there for Monday, I decided to spend a night in my own warm bed and attend the first day of the conference virtually on the internet. From what I heard from the speakers and the chats on the internet, I was one of many who had trouble getting to Washington from all over the country. Attending virtually was great. While you don’t have the networking opportunities of being there in person, the chat kept me interested and I was able to get a great feel for the tone of the conference.
While my opinion is biased (I served on a panel discussing the revised COSO Internal Control Integrated Framework), the theme of the conference this year was internal control over financial reporting. It wasn’t that the AICPA picked this theme. The speakers did it by mentioning internal control in presentation after presentation and panel after panel. I am not overstating the facts when I say every single SEC and PCAOB panel talked about internal control. From asking why companies don’t disclose internal control failures until after a restatement, to questioning management’s positive assertions about internal control when the auditors are found not to have performed an appropriate audit over that assertion, the SEC is clearly looking to renew its interest in internal control reporting for the first time in several years. Meanwhile, the PCAOB’s recent report questions whether auditors are consistently complying with AS 5. Even without a revised internal control framework to deal with, preparers should be spending more time documenting, testing and evaluating their internal controls over financial reporting.
I will spend more time talking about internal controls in my next blog. Meanwhile, here is a list of other quotes and notes from the three day conference:
- Keynote speaker David Walker – we’ve tripled the national debt to over $17 Trillion in 13 years, but that is only what is on the balance sheet; what is not on the balance sheet makes the debt number over $70 Trillion from “only” $20 Trillion 13 years ago.
- Paul Beswick, SEC Chief Accountant – IFRS took a back seat to the rule-making requirements of Dodd-Frank and the JOBS Act; it was not a matter of lack of importance of IFRS, but simply a rule-making bandwidth issue that has kept IFRS on the back burner at the SEC for the last couple of years.
- OCA Panel/FASB-IASB Panel – the Chief Operating Decision Maker reporting package is increasingly irrelevant in determining which segments to report when CODMs have drill-down access to details that didn’t exist when the standard was written – this needs to be addressed when the FASB revisits segment reporting.
- Enforcement Division Panel – Whistleblowers are increasingly important to the enforcement division; many of their cases now start from whistleblower action, and the use of whistleblowers is changing the willingness of companies to self-report issues as well as increasing their willingness to cooperate with the SEC.
If you want to know more, check out the many articles and press releases that come out in conjunction with the conference.
On May 15, COSO (the Committee of Sponsoring Organizations) will release its long-awaited revision to its Internal Control Integrated Framework. It has been over 20 years since COSO released its 1992 Internal Control Integrated Framework model, and a lot has changed over that time, but in a true testimonial to the great work that went into the 1992 Framework, that framework is still very relevant today.
The continued relevance of the 1992 Framework shows in the continued use of the five components of internal control initially outlined in that framework. One of the updates in the 2013 framework is to explicitly outline seventeen principles that make up the five components and generally need to be in place and appropriately functioning in order to have an effective system of internal control. The five components and related principles are outlined below:
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
COSO will continue to support both the 1992 and 2013 Frameworks through December 15, 2014, after which time COSO will consider the 1992 Framework to be superseded. Until then, you will need to disclose which version of the Framework you utilize in any external reporting use of the Framework. Given that many calendar-year public companies have already begun their annual SOX compliance processes, I suspect most companies will utilize the 1992 Framework for 2013 reporting and then transition to the 2013 Framework in 2014.
The effort involved in the transition depends on many factors including how closely your current controls and documentation align with the 17 principles. While adoption may not happen until 2014, companies need to get started now on what will need to be done to transition to the new framework. If it will simply be a documentation exercise then most of that work can be done in 2014. On the other hand, if additional controls need to be put into place, then those controls need to be in place prior to the beginning of 2014 or you may have trouble concluding that you had an effective internal control framework for all of 2014.
Google’s latest potential product – Google Glass – has the potential to radically change the way we interface with computing power and the internet. It also has the power to take “big brother” spying on everything we do to a new level. We already live in a world where companies have complete access to our email and internet movements while on our work computers; they can tell when we are in or out of the office through the ID readers to get into the building; they can even tell where we are when we aren’t in the office with the GPS in our phones turned on.
Now with Google Glass they can see and record every move we make during the day. There can be some great uses for this new functionality. Imagine the savings on time and motion studies from being able to record and analyze a sample across dozens of people in a day. But with any technology comes responsibility. I recently read an American Banker article that saw Google Glass as a way to rein in rogue traders. If they are wearing Google Glass, then every trade they make can be monitored. I understand the concern. When one rogue trader can bring down a company, you have to consider extraordinary means to prevent that from happening, but somehow having your every move monitored just seems like a little too much to me.
When you review internal control systems in place today, there are two basic tenets to those systems. One, most employees want to do the right thing, and two, those employees who don’t will always find a way around the controls. That is why companies set up layers of preventive and detective controls. It is also why it is very important to emphasize the ways employees can ask questions or report bad behavior. In one sense, using Google Glass to monitor employee activities is just the next logical step from giving fellow employees the ability to call in suspicions. On the other hand, the U.S. has had a long-standing tradition that you have the right not to incriminate yourself. At what point do we cross that line between appropriate internal control techniques and violating someone’s right to privacy?
If the world has become so complex that we have to monitor our employees’ every move just to have adequate internal controls, then I think we need to reevaluate what it means to have adequate internal controls. I believe there is a way to have an adequate internal control structure without making work into some Orwellian vision of the future. Before we go too far down the path of what technology can do, it is time to start the discussion on where internal control ends and privacy begins. Just because we can do something with technology, does that mean we must do it to have adequate internal controls? I for one, hope not.
The past week really brought home to me how international the profession of accounting is becoming. I attended the International Federation of Accountants, Professional Accountants in Business committee meeting in New York and the Regional AICPA Council meeting in Atlanta.
The IFAC meeting really brought home that no matter where you work in the world, the U.S., Canada, Europe, India or Australia, the issues we are dealing with as PAIBs are the same. We are dealing with investor demands for more information being fulfilled through standard setters and regulators. We are dealing with risk management and internal control and the realization that as a business we have been organized to take risks – but as PAIBs we are being asked to monitor that risk taking to make sure the risks are known and within the corporate plans. PAIBs across the world are being asked to be more than just good accountants; we are being asked to be strategic leaders in the business to deliver on business plans and ultimately the return to all stakeholders in the business.
The internationalization of the issues facing the profession was made even more apparent at the AICPA Regional Council meeting. We spent half the meeting hearing updates about, and talking about, the potential implications for the AICPA and our members of the various impacts of internationalization. Mandatory auditor rotation is just one such issue. It is a purported solution to all the ills related to audits around the world. Some areas see it as the solution to an apparent lack of competition among the audit firms. Others see it as the way to give auditors backbones to stand up to unreasonable requests from the companies they audit – the theory is that it is easier to say no if you know you’re going to lose the relationship after a few years anyway. But whatever the problem, mandatory auditor rotation as the solution is gaining momentum due to an interesting dynamic – that everyone else is “doing it” so it must be good and we need to do it too.
This last point brings out the reason why it is important to talk with and be part of the international professional accountant community. Some solutions are good and worth emulating. Others, however, are not good at all, and the misinformation being spread can only be combated by hearing the real story from our fellow professionals in those countries. I for one am glad the AICPA is focused on the internationalization of the profession and opening the lines of communication around the world.
Another area of coverage at the AICPA SEC and PCAOB Developments Conference in December that surprised me was the focus on internal control. I knew the last session of the conference was going to be on the forthcoming update to the COSO Internal Control Integrated Framework, but I did not expect other presentations to hit on the topic as well.
Paul Beswick, Acting SEC Chief Accountant, got the ball rolling by reminding everyone that internal control has five components, not just control activities. The implication is that the SEC is seeing too much focus on the Control Activities component when it asks questions about Sox 404 compliance. As a reminder the five components of internal control are:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
The COSO framework, which is used by 85% of the companies complying with section 404, requires all five components to be present, functioning and operating together in an integrated manner to have an effective system of internal control. While many companies do address all five components, the weighting of the work is often tilted toward control activities and monitoring activities when it comes to documenting and testing key controls. These are only 2 of the 5 components (and only 5 of the 17 control principles in the proposed update to the framework).
And it was not just the SEC that discussed internal controls. James Doty, Chairman of the PCAOB, also brought up the issue when discussing auditors’ work on internal controls. While he did not specifically get into the component issue, he questioned the adequacy of the documentation used to reach a conclusion about the effectiveness of internal control. Putting two and two together, it seemed clear he was also talking about the need to properly emphasize all five components.
The new framework, scheduled to be released on March 31, 2013 is going to provide a renewed emphasis on all of the components of internal control as well as the 12 principles of control in the control environment, risk assessment and information and communication components. This really provides a great opportunity to revisit your control documentation and make sure you have everything you need to prove your assertion that you have an effective system of internal control with all five components present, functioning and operating together.
…or you can wait for that SEC comment letter.
I have written several blogs on controls and the internal control process, but I want to use this blog to cover one of the basic tenets of internal control that I have not spent sufficient time on in the past – the concept of three lines of defense. ISO 31000 and the COSO Internal Control Integrated Framework both incorporate this concept; it is part of the very foundation of internal control. So, what are the three lines of defense?
1) Management
2) Risk Management & Compliance Functions – also known as Monitoring
3) Internal Audit
Management is everyone in the business or organization. They have to set the tone, implement the controls and actually perform them. If management does not embrace the idea of an appropriately controlled environment, then the second and third lines of defense are meaningless.
The risk management and compliance functions of the business are there to monitor the practices of management. Monitoring requires more than just checking on the controls. It also encompasses looking for new and emerging risks that had not previously been contemplated by the business and getting that information back to management so it can be incorporated into the first line of defense. Done right, there is a constant feedback loop between the second line and the first line of defense.
Internal Audit is the final line of defense. They provide objective assurance about the first and second lines of defense to those responsible for governance. They have to have a full understanding of the business and its risk management processes. This certainly isn’t the stereotypical check the box, numbers driven auditor that all too many people associate with the Internal Audit function.
While, as stated, the first line of defense must be in place for the other two lines to have any meaning, that doesn’t mean you can let the second and third lines of defense lag. The financial crisis was at least partially due to an inability to think about what might happen (housing prices going down) and how that would impact a business. The second line of defense deals with those and many other issues. The third line of defense is also critical because those governing the organization are depending on the third line’s expertise and integrity to make sure the first and second lines of defense are working appropriately.
I know some businesses are too small to have internal audit departments, but no business is too small to need the functions performed by internal audit. That’s where professional accountants, such as CPAs, CGMAs and others, can step in to help. We bring that objectivity and integrity to any work we do, which helps ensure that the three lines of defense are always there.