The early stages of implementation are over for many companies using the updated internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
In 2013, the framework—which had been in use since 1992—was updated to reflect changes in the business environment. U.S. public companies have been working to implement the new framework to fulfill their internal control over financial reporting requirements under the Sarbanes-Oxley Act (SOX).
COSO will consider the 1992 framework to be superseded following a transition period that ends Dec. 15, 2014. Although COSO is not a regulatory agency with enforcement power, then-SEC Chief Accountant Paul Beswick said shortly after the framework’s release that the SEC plans to monitor the transition, and referred users of the framework to the statements COSO has made about transition.
After working on implementation, many companies that use the framework are having discussions with their auditors about what has been done.
“Now what’s happening, as we turn the corner in the third and fourth quarters, the company’s accounting firm is now getting involved in the transition, asking and having discussions about what was done, what have the results been, what were their expectations,” COSO Chairman Robert Hirth said.
Jennifer Burns, CPA, a partner in the regulatory and professional matters group at Deloitte LLP, said her impression after working with clients is that they appreciate the way the updated COSO framework explicitly expressed 17 principles for effective internal control—and points of focus that provide greater understanding of each principle.
One task for organizations in implementing the framework has been an exercise to map the controls to those 17 principles.
“People really like the structure of the new framework—using the principles and the points of focus,” Burns said. “I think they find it helpful in terms of understanding and improving controls overall.”
Sandy Herrygers, CPA, a partner and IT specialist leader at Deloitte & Touche LLP, said the difficulty organizations have experienced in implementation has varied depending on how well their controls had been implemented around the original framework.
“Companies that went above and beyond on the original framework—most of the larger, mature public companies—haven’t seen as significant a change with the new framework,” she said, “because in a lot of the new content areas, they had already implemented controls.”
Here are some of the areas that Herrygers and Burns said have required extra attention from organizations in implementing the framework.
- IT considerations. The updated framework, unlike the original, mentions specific considerations for companies with regard to information technology controls. Principle 11, in particular, describes how IT controls should be structured. Herrygers said most public companies used other IT frameworks for their general IT controls, so the COSO 2013 requirements in Principle 11 weren’t new to most companies. “For those companies, there are some new controls that need to be added, but not as significant a change,” she said. “But, if you were one of the companies that did the bare minimum around the original COSO implementation for IT, then you probably have a lot more work to do to satisfy Principle 11.”
- Outsourced service providers. Many companies have had to add new controls around outsourced service providers, Herrygers said. Previously, companies had specific controls and activities for outsourced service providers to satisfy the control activities component of the framework, but they did not have controls for outsourced service providers around the other four components (control environment, risk assessment, information and communication, and monitoring activities). Herrygers said many companies have had to add certain controls in this area, such as controls related to ethical values, code of conduct, and service-level agreements.
- Information quality. Principle 13 of the framework states that the organization obtains or generates and uses relevant, quality information to support the functioning of internal control. Herrygers said that most of her firm’s clients have high-level controls around information quality, but they may not have assessed the controls over information in reports that underlie their internal control over financial reporting. “So, now with the new framework, you have to go to that extra level of detail and add some additional controls around information quality as part of the implementation,” Herrygers said.
Burns said the initial gap assessments performed as part of implementation have discovered gaps that can be placed into four categories.
- Principle gaps. These occur when organizations fail to meet the standards set by one or more of the principles in the framework.
- Control attribute gaps. These happen when companies see that they aren’t meeting one or more points of focus that apply to their organization. “Even though meeting all the points of focus isn’t required under the new framework, some companies are saying, ‘We want to make some enhancements here,’ to ensure that they’ve met the spirit of the principle,” Burns said.
- Control testing gaps. Once a new control is added, it needs to be tested as part of the company’s assessment of internal control over financial reporting under SOX-related requirements.
- Control evidence gap. These are cases where a control is present and functioning but hasn’t been appropriately documented. The updated framework (and related SOX rules) require additional documentation in order to support management’s assessment of internal control over financial reporting, and that has required work on the part of some companies.
Deloitte also has advised clients to look beyond the basic mapping to the new principles and points of focus and take a fresh look at the areas of internal control that historically have been problem areas for public companies in general. For example, these include lack of technical accounting skills, and accounting for income taxes.
“There are areas that have just been difficult for companies to get their arms around from an internal control perspective,” Herrygers said.
But the basic implementation has been smooth, she said, because companies have had a healthy dialogue with their auditors while undergoing the mapping process and addressing any shortcomings.
“When the client works on the gap assessment, we’re one step behind
them, reviewing the work and providing input,” Herrygers said. “So I
feel that the process has been very effective in terms of how we’re
coordinating to make sure there aren’t surprises at the end of the year.”
— Ken Tysiac ( email@example.com ) is a JofA editorial director.