The deadline for meeting the guidance from the updated 2013 COSO Framework has come and gone, but many organizations are still struggling to understand exactly what they were supposed to do to meet the requirements. Many are not even sure what the requirements really were since there is conflicting information being passed from company to company. Find out what the update entailed, why there are misconceptions, and how to move forward.
COSO's updated framework is designed to apply a basic methodology to formulating internal controls over external financial reporting (ICEFR), as well as entity business objectives, non-financial external reporting, and internal reporting objectives. At least for this first year of implementation, most organizations are focusing on how these changes are going to impact their external financial reporting control libraries (SOX Controls). COSO's guidance says that there should not be that much change in a company's control mapping to the COSO Framework, just a remapping to the expanded 17 principles. Public companies had until the end of 2014 to complete this exercise for management's assertion relating to internal control over financial reporting (SOX 404) to be in alignment with the new framework.
For most companies, 2014 was spent in a control remapping exercise. Many organizations had already captured the five major elements of the COSO framework as a control attribute, but with the updated framework, controls may fit in multiple categories of principles. The remapping exercise could entail creating a matrix report with all of the controls listed down one side, the principles across the other side, and then identifying all of the touch points. The matrix method may be sufficient for organizations with a limited number of controls. For companies that have many controls, have complex systems of shared controls, or for those who are expanding the mapping exercise beyond SOX controls, creating a matrix report can seem like an impossible undertaking. There are control management systems and software solutions that can facilitate a more complicated mapping. Whatever method you choose, the goal is still to judge the completeness of the overall control environment. Control mapping is only the first stage and should be followed by a realistic gap analysis to determine if the principles are adequately addressed.
Now that the deadline has passed, it's important to remember that the COSO framework goes beyond your financial reporting controls. To understand the total control environment, management controls over business objectives, non-financial external reporting, and internal reporting should also be documented and mapped to the 17 principles. The larger mapping process will take some time. Some companies plan to involve management directly in the process of identifying and documenting controls. Facilitated control self-assessment workshops could be used to educate management, gain greater management buy-in, and document the control activities. Others are planning to grow the control library over time while completing the internal audit annual plan.
Of course the devil is in the details, and misconceptions have arisen in how to go about classifying controls, understanding the principles, and in providing sufficient documentation around the control activities. The confusion can be best explained with an example, like the design and implementation of management review controls. In the past, organizations would have management review certain control activities and sign off on a document as evidence of the review having taken place. When trying to fit this type of control in the updated COSO framework, we find that it is impacted by the following principles:
- Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks
- Principle 12: The organization deploys control activities through policies that establish what is expected and procedures
- Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
- Principle 16: The organization selects, develops, and performs ongoing and separate evaluations to ascertain whether controls are present
If we then dig deeper into the management review activity with these principles in mind, there are a number of questions we have to ask about the controls, such as:
- Does the reviewer understand the process?
- Does the reviewer understand what would constitute a variance or discrepancy?
- Does the reviewer know how to question the data?
- If a report is being reviewed, is the data presented sufficient to provide an adequate review?
- Is the review performed and documented in a consistent manner?
If your company is heavily reliant on management review controls, you can expect your external auditors to challenge these control activities, and failure to prove a sufficient process could impact your ability to claim COSO compliance.
If yours is one of the companies still struggling with the transition to the updated framework, or if you are not sure your controls are adequate, there are numerous resources available. For all COSO related materials, start with the source, and go to COSO's guidance page. As a next step, check in with your public accounting firm or external auditor. All of the larger accounting firms are putting out guidance as well. You can also try out secondary resources like The Center for Audit Quality (CAQ).
For those who feel they have conquered the transition, remember that the COSO framework is not a SOX framework. ICEFR is only one part of the larger control environment, and nearly every company still has more work to do before we can say we are fully compliant with the updated COSO guidance.