Internal control, revisited

Following are excerpts from that discussion:

Tysiac: Why was it necessary to revise COSO’s Internal Control Framework, and why was now the right time?

Landsittel: We have concluded continuously that the fundamental concepts and principles continue to be effective, and as I’ve put it, are timeless. But as we’ve moved forward, the environment has changed dramatically from 1992. The context in which the document was written in 1992 was really a lot different than it is today. An obvious example is technology. There certainly wasn’t widespread use of the Internet or email in 1992. Expectations of governance were different. There were many differences.

So the board concluded that, while the 1992 framework remains effective because of the unchanging applicability of its fundamental concepts and principles, it would be helpful to have a revision that updated the document to reflect a context that’s more current.

Tysiac: What stays the same in the framework and why?

Rittenberg: What stays the same is the basic definition of internal control and essentially the components of good internal control: One, the idea that there needs to be a strong control environment; two, the idea that you select the right control activities to mitigate risk; three, the idea that you have strong information and communication systems that provide two-way communications throughout the organization, both from the top down but also from the bottom up to understand what might be going wrong; four, providing a framework for top management and those charged with oversight to provide effective monitoring of internal control over a long period of time. So those elements stay the same. And I think the other important thing to note is that it is not just a financial control framework, but it is an integrated framework that’s designed to help the organization accomplish its objectives.

Landsittel: Let me add … that one important thing that remains the same is the ability for users of the framework to use judgment in applying it.

Tysiac: What are the major changes in the document?

Landes: We have taken 17 principles (from) the original framework and have now explicitly laid them out throughout the five elements. And the other thing is the style in which the document is written. What folks will see is really a different writing style that I think will help because of the clarity of it as well as the 17 principles that we’ve now integrated into the framework. I think the other thing that has changed is the examples. David mentioned how the landscape has changed, and the examples have been updated so they are more realistic with today’s environment.

Tysiac: Why was it important to spell out the 17 principles explicitly?

Schneider: It makes it clear what’s necessary to be able to have an effective internal control framework. There’s no more debate about whether something needs to be present or not. There’s no more debate about whether there is a principle or isn’t a principle in a certain area. It’s now explicit as to what the 17 principles are, and that takes a step of contention out between auditors and preparers, and it also makes it easier to understand what it takes. So if you want to set up a framework or see if the framework you have is in compliance, it’s a much more formulaic process to be able to go there. That makes it easier for the preparers. It’s easier to see if everything is covered.

Tysiac: The document accounts for changes in technology, globalization and evolving business models. How does it do that?

Landsittel: There’s a separate principle that deals with technology, but the main way it’s accomplished in the document is in a very integrated discussion in the commentary. There are any number of examples that deal with an updated business model. For example, referencing to outsourcing is very common in the document in the examples provided and in the attributes. We accomplish the change in the context in dealing with technology and globalization throughout the document in what I consider a very integrated way.

Tysiac: What will preparers need to do differently under the updated framework?

Schneider: I think a couple things that anyone will need to do whether they’re an auditor or a preparer, they’ll need to continue to look at their control structure and see if it does line up with what is in the updated framework. Overall it should be the same, but maybe there are some nuances on an attribute or a principle that you need to pick up on or maybe perform some testing on, on an annual basis, or something along those lines. You also might want to slightly change your documentation so it aligns better. Maybe you have everything documented, but it’s not quite aligned with the 17 principles. Really it just depends on, quite honestly, how closely your understanding of the framework was with the board’s understanding of what the original framework was intended to do. If you were in line with the board’s thoughts, then you probably have very little to do. If you had some different ideas than what the board thought was in the original framework, you may have a little work to do to get things caught up.

Tysiac: What will auditors need to do differently under the updated framework?

Landes: We have two major areas where internal control shows up within our audit and attestation literature. First, in our auditing standards, an auditor, as part of his or her risk assessment, is required to have an understanding of internal control, which includes evaluating the design of controls and whether controls have been implemented. That’s a very important area that auditors are going to have to look at the change to the framework. …

And the second major area where the Auditing Standards Board is going to have to take a look at the new framework is in our attestation standards, where an auditor is engaged to provide an opinion on internal control over financial reporting. As Bill described it for members in business and industry, I think the same is pretty true for an auditor as well. We talked about the 17 principles, so I clearly expect that our auditing literature, and by that I mean our attestation literature as well, will make some changes in order to bring in, within the auditors’ understanding, how did management design their controls, and are those 17 principles present and functioning. So more than anything, I think it’s going to be some conforming changes to our literature.

Tysiac: What will audit committees need to do differently under the updated framework?

Rittenberg: I think what we’re looking for as an audit committee member is to get away from the mentality that internal control is simply a compliance activity. Good internal control is about achieving business objectives or organizational objectives in a cost-effective way. So from an audit committee (perspective), I want to understand how the organization is implementing controls to be cost-effective. … I know in our audit committee meetings we always have confidential discussions with the auditors, and this is an issue that comes up. I think auditors have got to be ready to discuss issues where they think there might be problems in the organizations. It may be accounting. It may be control or whatever, and they ought to be prepared to discuss that. … There is a principle related to fraud risk assessment that must take place by the organization. We know that auditors assess the risk of fraud in planning the audit. Those two things have to come together, and organizations need to sit down and think through that as well in terms of that new principle.

Tysiac: How important is it to take note of operations and compliance objectives as well as the reporting objective?

Landsittel: Obviously, it’s very important. I know a lot of people continue to think of internal controls and immediately think of accounting and financial reporting; but internal control is so important in a broader way, specifically in assuring the accomplishment of the organization’s objectives as Larry and others have alluded to. In the updated document, there’s an additional focus on operational and compliance controls and how they are beneficial in helping assure the accomplishment of operational and compliance objectives. In this regard, the document responds to some current concerns that in recent years some organizations haven’t been fully “under control” in a broad sense. We believe that focusing on operational controls and their positive impact on the accomplishment of operational objectives adds assurance of the longer-term success of an organization. So we think our added focus in this regard is very important.

Landes: We are seeing more and more demand in the United States relative to reporting on internal control over compliance. There has been, over the last several years, a real increase in the amount of federal funds that are being disbursed into our economy, and with that comes reporting requirements by entities. Folks who receive certain levels of federal funds must go through an audit of compliance, which also includes reporting on internal control over compliance. Therefore, there are many, many auditees from very small nonprofit organizations to major national organizations who are required to maintain pretty strict internal control over compliance as a result of receiving federal funds. Therefore, those organizations are going to be impacted by this as well.

Tysiac: Why and how has the reporting objective changed?

Schneider: I think the most noticeable change that people will see right off the bat is it’s now just reporting. It encompasses financial reporting. It encompasses nonfinancial reporting. It encompasses internal reporting. It encompasses financial and nonfinancial aspects of reporting. So external financial reporting is now a very unique subset of the whole reporting area around control, but that really fits in with where reporting is going. If you’ve been seeing what’s going on in the reporting world, you’ve been hearing about “integrated reporting.” Another term that’s used is “sustainability reporting.” There’s a lot of reporting going on beyond just the financial numbers that investors and stakeholders are very interested in, because it reflects the results of the business. It’s just as important to have an internal control structure over the reporting of that other information as over the financial information.

Tysiac: What kind of guidance can we expect from the additional guide on external financial reporting?

Landsittel: Notwithstanding the comments that Bill, Chuck and I have made on the importance of thinking of the framework broadly, it is important that there is a clear pathway to how it’s implemented as it relates to financial reporting, because after all that’s important for public companies … under SOX 404 [Sarbanes-Oxley Section 404]. We want the separate companion document to provide that pathway, dealing strictly with how the framework is applied for financial reporting. Importantly, the companion document won’t change the framework; it will just deal with implementation as it relates to financial reporting. In that context, look for the companion document to have a number of examples and a number of approaches that will bring to life to the user of the material how the framework relates specifically to the external financial reporting objective.

Landes: What this new guide will do, it will not just be put out there for public companies but for privates as well, and I think that’s going to be a tremendous benefit for private organizations who want to take a look at, how do I design my internal control over financial reporting. Before, there was this public company guidance out there, but there wasn’t anything that a private company thought applied to them.

Tysiac: Talk about the implementation, particularly from a small or midsize business perspective. Many times these people are running on small margins, and that can make it difficult for them to put this guidance into practice. How can they do it? Why is it important for them to do it?

Rittenberg: I’ll start with the second question first. We all know that we have too many business failures. And failure means that you have not accomplished your objectives. So let’s keep our eye on the endpoint. This is all about helping an organization accomplish its objectives. … And secondly, it started with the small business guidance, and it continues through here. There are different ways in which organizations can accomplish their objectives and accomplish the principles related to effective internal control. The oversight may be different. It may be from a different kind of board than you’d find at a public company, but that doesn’t mean there shouldn’t be some kind of oversight.

If you look at control activities, you may have more outside software that’s utilized, but that doesn’t mean you shouldn’t have some sort of a review to make sure that software works correctly. Because if it doesn’t, it reduces the likelihood you’re going to accomplish the objectives.

There may be different ways to communicate an ethical culture in a small business than in a larger business. But we need to understand that there are judgments that management can make that are related to the controls, all again in turn related to accomplishing their objectives. This is not an add-on. This is a fundamental way of doing business. It lays out some various principles. It lays out the attributes and encourages organizations of all size to accomplish them.

Listen to the podcast of this discussion at jofa.podomatic.com.