News reports show the frightening weather satellite images of a hurricane that is causing concern for leaders of an automobile manufacturing plant. The storm’s possible effects on the supply chain seem obvious as it approaches one of the company’s suppliers. The problems this could cause for internal control over the company’s financial statements are less apparent.
As one of many scenarios described in new guidance proposed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), though, the hypothetical example brings to life a real external financial reporting risk a company might face.
COSO’s proposed guidance describes how the accounting and finance departments of the auto manufacturer could determine how possible plant shutdowns would affect the financial statements. Financial executives would be able to inform the company’s directors about potential penalties contained in sales contracts, and what insurance coverage existed to mitigate potential losses.
The purpose is to “bring forth the fact that something somewhat removed from financial reporting can have an impact on financial reporting,” COSO Chairman David Landsittel said.
COSO is seeking public comment on its Internal Control Over External Financial Reporting (ICEFR): Compendium of Approaches and Examples proposal. The proposed Compendium devotes 145 pages to discussion of how to apply COSO’s proposed, updated Internal Control—Integrated Framework to external financial reporting.
The guidance applies to public company financial statements, financial reports private companies prepare for banks and lenders, reports not-for-profits prepare for potential donors, and financial reporting governmental entities may provide to the public or oversight agencies.
Although COSO’s guidance is most often used in the United States, the guidance is designed to have universal appeal. Landsittel said China and Japan, in particular, have regulations similar to the Sarbanes-Oxley Act of 2002 that make COSO guidance relevant.
The Compendium is one of three proposed documents on which COSO is seeking comments. A revised version of the updated Internal Control—Integrated Framework and an Illustrative Tools document also are out for exposure.
Comments can be made at ic.coso.org through Nov. 20. COSO plans to release final versions of all three documents in late March.
CHANGES TO FRAMEWORK
Significant changes were made to the Internal Control—Integrated Framework as a result of comments received from more than 200 stakeholders during an exposure period earlier this year.
The 17 principles described across five components stayed the same from the previous document. The components of internal control—control environment, risk assessment, control activities, information and communication, and monitoring activities—also did not change.
Landsittel described the most important changes made in the revised version of the proposed framework:
- COSO reorganized the material to make it clear that information in the appendices is supplemental to the framework. Commenters had said the framework was not clearly separated from supplemental information in the earlier version.
- Chapter 3 clarifies COSO’s description of what is required to conclude on effectiveness of internal control.
- The “attributes” that were listed for each principle in the earlier version were replaced with “points of focus.” COSO made it clear that the points of focus do not all need to be fulfilled; they are just considerations to help users evaluate the principles.
- Classification of deficiencies was limited to “deficiencies” and “major deficiencies.” The proposal makes it clear that a system of internal control cannot be operating effectively if a major deficiency exists.
- An appendix was added to describe how small entities can apply the framework.
- More information on how to deal with technology was added, although the framework does not go into detail on types of technology.
The Illustrative Tools proposal, meanwhile, provides a template for users to apply the framework.
“The requirements that are in Chapter 3 that deal with effectiveness come alive, so to speak [in the Illustrative Tools],” Landsittel said. “And a template gives an organizational approach as to how someone can accumulate information in their consideration as to whether the requirements for effectiveness are addressed.”
COSO members wanted to make the framework, originally released in 1992, easier to use and relevant given the increase in complexity in the business, operating, and regulatory environments.
Landsittel said that although there are exceptions, in most cases all 17 principles have to be present and functioning for effectiveness of internal control to exist.
Examples listed in the Compendium are intended to guide fulfillment of the COSO framework’s principles in external financial reporting and include:
The reorganization of a fictitious real estate company as it planned to go public. Initially, a wide range of employees reported to the CEO, and business structures in the United States and Asia had been loosely connected. During the reorganization, management created three departments to oversee its core business activities—sales and customer service, purchasing and inventory, and production. Geographic governance structures were established, and managers’ job descriptions, including internal control responsibilities, were documented. This process helped fulfill Principle 3 of the COSO framework, which states that management establishes—with board oversight—reporting lines and appropriate authorities and responsibilities in pursuit of objectives.
The CFO of a hypothetical firearms manufacturer convening a working session of department heads to perform a risk analysis. The severity of each risk was rated based on likelihood of occurrence and potential impact on financial reporting. Participants documented the risks, their rating, and factors contributing to the rating. This helped address Principle 7, which states that the organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
The management team at a fictitious compensation and benefits consultancy reviewing logical security controls to prevent unauthorized access to its financial security systems. Formal user-account management and authentication-control procedures were in place. “Super-user” accounts were limited and monitored by management, and configuration settings for who has access to critical data were periodically reviewed. The systems generated security logs that allowed user activity to be monitored. These controls helped satisfy Principle 11, which states that the organization selects and develops general control activities over technology to support the achievement of objectives.
As for the auto manufacturer’s consideration of the hurricane, it is an example of Principle 9, which says organizations must identify and assess changes that could significantly affect the system of internal control.
“We hope the examples and approaches are real-world,” Landsittel said. “We wanted to have a clear path as to how the framework could be applied in an external financial reporting environment.”
Application guidance and examples are principal features of a proposed document the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released on applying its Internal Control—Integrated Framework to external financial reporting.
COSO also has released a revised version of its update of the Internal Control—Integrated Framework as well as a proposed Illustrative Tools document containing templates showing how to apply the framework’s principles. Comments on the documents can be submitted at ic.coso.org by Nov. 20.
The purpose of the documents—and the update of the framework—is to make use and application easier while reflecting the increase seen in the complexity of the business, operating, and regulatory environments since the original framework was published in 1992.
Final versions of all three documents are expected to be released in March.
Ken Tysiac is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at firstname.lastname@example.org or 919-402-2112.
- Fraudulent Financial Reporting: 1998–2007, An Analysis of U.S. Public Companies (#990023)
- Risk Assessment for Mid-Sized Companies: Tools for Developing a Tailored Approach to Risk Management (#091101)
- Auditing Update: A Review of Recent Activities, 2012–2013 Edition (#732778)
- Documenting Internal Controls Series (#159620)
- Internal Control Essentials for Financial Managers, Accountants and Auditors (#731859)
For more information or to make a purchase, go to cpa2biz.com or call the Institute at 888-777-7077.
The AICPA is a member of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Information and resources are available at tinyurl.com/7o8rfel.