A mapping exercise is one of the most important activities for any organization implementing the updated 2013 internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), experts say.
The updated framework includes 17 newly described principles across the five components of internal control that were present in the original, 1992 framework. Mapping your principles to those controls—or mapping the controls to your principles—is a key early procedure in implementing the new framework, experts said last week at the AICPA Conference on Current SEC and PCAOB Developments.
“Recognizing that there are now 17 criteria, not five—17 principles, five components—we can understand why an organization may need to reorganize … their internal controls to show how they actually support each of these principles,” said Stephen Soske, CPA, who led PwC’s efforts to author the framework update and related guidance.
Fourteen of the 17 principles relate to what Soske called the “softer” components of internal control—control environment, risk assessment, information and communication, and monitoring activities. He predicted that these components are the ones organizations will be more likely to redesign or document differently as a result of the update by COSO, of which the AICPA is a founding member.
In the past, organizations have spent much more time designing practices that fulfill the control activities component because they are the first line of defense for preventing and detecting a material misstatement, Soske said. The design issues associated with control activities also are more likely to have been subject to audit scrutiny than those associated with the softer components, according to Soske.
“We also recognize that some companies, as they map the controls to these principles, have identified some design gaps,” he said. “And the area that we would suggest they focus on would be perhaps in the softer components where the design of indirect entity-level controls could be reevaluated.”
The mapping exercise enables a registrant to demonstrate how its system aligns with the 2013 COSO framework and supports management’s internal control assertion, Soske said. In addition, the mapping exercise serves as a gap assessment to show areas where the controls do not support the principles.
There are two possible directions to the exercise, as organizations can map the controls to the principles, or vice versa. AT&T Director of Accounting Bill Schneider, CPA, CGMA, prefers mapping the controls to the principles. He said it’s easier to discover gaps that way because, if you start with the principles, you may be biased toward finding a control to cover each of them.
But starting with the principles and mapping to the controls may reinforce the idea that an individual control may help satisfy multiple principles.
“You don’t want to forget about that, because that’s really the gold standard, if you have a control that can support multiple principles,” said Schneider, a member of the COSO advisory task force. “It’s less work from a document and testing standpoint, and you get more value for your buck.”
Soske suggested using the “points of focus” for each of the principles to assist the mapping exercise. Although it is not necessary for all of the points of focus to be present at every organization, they can help an organization determine how its internal controls are aligned with the updated framework.
“You will then have a very good road map to build a bridge between the controls you have designed … and how they would actually map to the updated framework,” Soske said.
—Ken Tysiac (firstname.lastname@example.org) is a JofA senior editor.