Those who sign and file internal control representation documents with regulators, such as the SEC, are often guided by the Internal Control – Integrated Framework (or should be). This Framework is published by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), which has a mission to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence. Often thought of as the world’s gold standard for internal control frameworks, the COSO Framework presents the daunting challenge of three dimensions to mix and match, similar to a Rubik’s Cube.
The COSO Framework has an Executive Summary available to the public, which has a diagram of the cube on page 6. Factoring in the Principles and related Points of Focus clarified in the 2013 version, the COSO cube has over a thousand possible combinations to consider. Therefore, identifying the main objectives and then deciding where to start and how best to proceed is the key to proper utilization. A CPA with COSO training, such as the COSO Internal Control Certificate Program, can be a valuable partner.
The top side of the cube has three internal control objectives: operations, reporting and compliance. For an annual management assessment of the effectiveness of the Internal Controls over Financial Reporting (ICFR) per SEC requirements, this turn of the cube should start with the External Financial Reporting objective. A simple reason is that the public relies on public company external financial reports and on executive officers, specifically the CEO and CFO (or equivalent), referred to here as the “signers,” to certify that they have evaluated the effectiveness of disclosure controls, which include ICFR. This is not to diminish the importance of operating objectives, which address performance goals and the safeguarding of assets. Also, compliance objectives pertaining to adherence to laws and regulations certainly merit adequate attention.
The right side of the cube addresses the hierarchy of an organization as descending from entity, division, operating unit, down to functions. Typically, the signer is an executive with clear visibility of the Framework’s relevant activities from the entity to operating unit levels. It is at the functional level where visibility often becomes unclear to the signer due to details, volume and lack of time to address issues. Therefore, risk becomes more difficult to assess.
Being an astute reader of a balance sheet and income statement, the core reports in SEC reporting, does not enable the executive to detect material ICFR deficiencies. Controls to prevent material errors pertaining to revenue recognition, inventory, fair valuations, capital vs. period cost, etc., generally occur at a functional level within the control activities component and its respective principles. Accordingly, this is a good side of the cube to start with.
The front face side of the cube has five levels known as components: control environment, risk assessment, control activities, information & communications and monitoring activities. The second level, which is not visible on the Framework’s cube, is the 17 Principles in support of the five components. Finally, on average, each Principle has 5 Points of Focus.
For this final side of the cube, control activities is our starting point. This will be explained as we proceed and take the lead from the Public Company Accounting Oversight Board (PCAOB) Standards from an external audit perspective.
Before going further, it is critically important to note that the cube’s objectives, organization levels, components and principles are all interconnected and interdependent. If any one of the relevant 17 Principles is not properly designed or operating effectively (respectively referred to by the Framework as “present” and “functioning”), the entire associated component cannot be present and functioning. Further, the Framework defines a “major deficiency” when the company cannot conclude a relevant Principle is present and functioning. When this happens, the company cannot conclude that it has met the requirements of an effective system of internal control, which is akin to a “material deficiency” as defined by the SEC and PCAOB. While starting with the Framework’s cube set on external financial reporting, function and control activity, it can be safely assumed that any deficiencies will lead to turning the cube and exploring from a different but related paradigm to address the cause of the deficiencies. For example, control activity accounting internal control deficiencies are almost always related to control environment weaknesses, such as competencies and accountabilities.
With a CPA versed in the COSO Framework as your partner, the best place to start with the cube turned to external financial reporting, function and control activity is the company’s trial balance.
At first, the trial balance may seem to be just a list of numbers, often voluminous, in debit and credit format. However, it represents the culmination of the economic activity of a reporting entity at a period of time. The most basic financial reports showing the entity’s financial position (balance sheet) and results of operations (income statement) are directly derived from the trial balance. Under each account listed are activities that capture the economic events from point of origination to understandable summation. Many accounting firms refer to the trial balance as the “lead schedule,” as it leads up to the financials and down to the underlying activity.
When management asserts to the public that their entity’s financial statements are free of material misstatement and the ICFR is free of material deficiencies, this can only be based on an understanding of the assertions. Assertions are being made about accounts that could individually or collectively cause a material misstatement, along with other requirements. The assertions as defined by PCAOB Standards AU Section 326 are:
An important logistical step to create order and reduce account volume to a practical level is to apply the assertions by accounts as grouped by related function and related control activities, in addition to financial statement order. For example:
An audit requirement is to gain an understanding of the entity’s internal controls, which is akin to “are they present” in COSO Framework terms. The key is to identify those policies and procedures that contain the selected and developed control activities to mitigate the risk of a material reporting misstatement. This includes general information technology (IT) controls, as well as software application controls. Accordingly, the questions to ask for each identified functional account grouping are:
Some policies and procedures should be considered “must-have” for internal controls to be considered adequate, such as credit checks. Others should be evaluated for cost benefit, for example manually cancelling paid invoices.
Referring to the PCAOB guidance again, each of the account groupings should be assessed for risk of material misstatement at the assertion level by management as follows:
Of course, if the design is not adequate, proceed with corrective action using the COSO Framework and SEC standards as the guide, along with the help of a CPA versed in both the Framework and SEC regulations.
The COSO Framework process is iterative, systemic and ongoing. The first turns of the cube – reporting, function and control activity – should get the process going in a positive direction. In the final analysis, the entire Framework cube should be turned and evaluated from every side, similar to matching the colors on a Rubik’s Cube. The mission is assessing risks across the entire cube and reacting until risks are reduced to a level deemed acceptably low in the judgment of management and those charged with governance before signing off to the public.
Neil Della Torre founded BDG-CPAs in 1982 after a career with PwC. Neil manages the audit practice. He is AICPA certified in COSO and ABV. Clients’ needs served include 404 carve out attestation, corporate outsource assistance for controllers, and audits of closely held businesses, broker-dealers as PCAOB members, and many employee benefit plans. See BDGCPA.com for more and reach Neil at 201 652-4040 or firstname.lastname@example.org.