Corporate Compliance Insights

3 Challenging Principles in COSO’s 2013 Framework: A Closer Look at Principles 2, 4 and 13

by Ron Kral
December 5, 2014
in Internal Audit

This article shares some of the specific concerns regarding these three COSO 2013 principles and offers important insights for ensuring that they are present and functioning in accordance with the Framework.

With many publicly traded companies deep into their implementation efforts regarding COSO’s Internal Control – Integrated Framework 2013 (Framework), now is an ideal time to discuss three of the more challenging principles.  While implementing any of the 17 principles can be daunting (refer to the Framework’s Executive Summary for a listing of all 17), some are proving to be more challenging than others.  Larger public companies are also enduring heightened scrutiny from their auditors as they undergo an external audit on internal control over financial reporting (ICFR).  The insights in this article were gained by interacting with hundreds of control owners and decision makers on the new Framework while teaching seminars and working with clients across the United States this year.  Although there is generally no shortage of opinions on the Framework, principles 2, 4 and 13 often rose to the top in terms of questions and challenges.

COSO Principle 2

The Board of Directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

This is a big one, perhaps second in importance only to principle 1, which requires a company to demonstrate a commitment to integrity and ethical values.  Without independent Board oversight of executive management, who holds the CEO and CFO accountable?  Just look at any of the major frauds hitting the U.S. since 2000 (e.g., Enron, WorldCom, HealthSouth, Tyco, Adelphia Communications); the one common theme was a lack of independent Board oversight over the CEO and CFO.  Sure, one can point to the stellar governance practices on paper that many of these companies had prior to the fraud detection, but was adequate independent Board oversight actually occurring?

This introduces a key challenge.  Documenting that this principle is present through Board bylaws, the election of independent directors and having a robust audit committee charter is the easy part.  Proving that it is functioning is the more challenging Framework requirement.  A principle is present when it exists in the design and implementation of ICFR, whereas it is functioning when it continues to exist in the conduct of the ICFR system.

For many auditors and governance advisors, demonstrating the functioning aspect of this principle goes beyond memorializing executive oversight activities in Board and audit committee meeting minutes, although a review of the meeting minutes is a good start.  The more critical aspect is securing evidence of sound judgment on behalf of independent directors in fulfilling their fiduciary responsibilities of executive management oversight.  Independence is arguably the most important single word for effective Boards and audit committees since it strikes at the heart of objective thinking and decision making.  While there are a multitude of definitions for director independence, a purist definition is someone whose directorship constitutes his or her only connection to the organization.  The independent director brings no biases to the table from executive management and owes no favors to the CEO or to their team. They have the courage to challenge the CEO and CFO on key ICFR decisions such as materiality, the appropriateness of critical accounting policies, management estimates, risk assessment conclusions and the external auditor’s audit plans.  As General George S. Patton once said, “If everyone is thinking alike, someone isn’t thinking.”

Principle 2 hinges on the concept of independent judgment in helping to ensure that the management-led ICFR process is properly designed and operating, rather than exposed to a high degree of risk, including circumvention of ICFR by executive management for fraudulent purposes.  Evidence of healthy debates between directors and management and a sound understanding of accounting and financial reporting risks are indicators that this principle is functioning.  In addition, the audit committee should request and confirm data and information utilizing independent sources, such as an internal audit function.

Auditors may now want to discuss principle 2 focus points directly with the independent directors behind closed doors.  They will also be looking for evidence from the audit committee (or the full Board in the absence of an audit committee) of open discussions on ICFR risks, objective decision making and scrutiny of management’s ICFR activities, and they will perhaps even question the collective expertise of the independent directors serving on the audit committee.  Independent directors with relevant expertise who have the courage to be impartial, skeptical and unbiased in performing their fiduciary duties are the essence of principle 2.  There are several practical approaches and examples for all 17 principles in COSO’s Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, published in conjunction with the Framework but technically not part of the Framework.

COSO Principle 4

The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.

On the surface, this appears to be one of the easier Framework principles, yet it is proving to be one of the more challenging ones.  Why?  Because despite the usage of more automated controls, manual controls involving personnel continue to be heavily relied upon and remain a high risk for a variety of reasons.  In fact, take a look at material weaknesses as disclosed by public companies over the last 10 years and there is a very good chance that the root cause relates to personnel.  Personnel weaknesses include a shortage of skilled people, disgruntled employees, inadequate skills, poor training, overwhelming workloads, excessive staff turnover, absence of mentoring, weak segregation of duties and poor supervision.  Several of these weaknesses cut to the heart of this principle, in that control owners who are in over their heads pose a serious control risk to meeting objectives.  It is oftentimes not the control owner’s fault, but rather a poor alignment of skills on management’s part, coupled with inadequate training and a lack of supervision.  These causes are often triggered in the name of cost savings.  Other times, the condition may simply be allowed to persist due to a lethargic culture or ignorance of the associated risks.

Attracting, developing and retaining competent control owners follows the employee life cycle from the beginning stages of the hiring process through employee retirement or separation.  Companies are increasingly pressed by their auditors to demonstrate how they evaluate competency and address shortcomings.  In addition, continuing professional education programs are regaining management’s support, not as electives, but rather as requirements to help ensure competency levels in all management and staff positions.  Auditors are also taking a deeper look at the backgrounds and credentials of ICFR control owners, including requesting the resumes of new hires to review.

Some companies are utilizing their audit committees to review and approve the competency requirements of individuals considered for key ICFR roles.  While the CFO should obviously also be involved with the decision, bringing in other sets of independent eyes can help ensure the adequacy of knowledge, expertise, skills, and credentials needed to succeed.  Audit committees should consider utilizing independent resources, such as internal audit, on this front.

Another challenge is adequately addressing the risks associated with outsourced service providers when they are brought in to support the company’s accounting and external financial reporting objectives.  Common uses of third parties include information technology, payroll processing, tax provision assistance and valuation expertise.  The decision to outsource to a third party does not relieve management of their financial reporting objectives, risk assessments and control activities associated with the outsourced areas.  Rather, the concepts of principle 4 and many of the other COSO Framework principles need to be extended to key outsourced service providers.  Contractual agreements need to specify competency requirements and allow the company to conduct assessment procedures or be provided with other assurances.

COSO Principle 13

The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

This one is gaining momentum as more Boards, executives and control owners understand the importance of data and information flows to accounting judgments and financial reporting disclosures.  Clearly, it is not simply the structured data contained in the general ledger, but also data outside of the ERP system pertaining to customer sales terms, accounting estimates, loss contingencies, impairments and valuation allowances.  Data and information flows are also increasingly important to all of the accounting cycles.  U.S. GAAP’s evolution to principle-based accounting, such as in the new revenue recognition accounting, is requiring more judgment and reliance on unstructured data.  Many times, the necessary information sources are well beyond the controllership function, extending to operations, sales, treasury, legal and even external sources.

This is a daunting principle for companies and auditors alike, as it involves capturing and processing relevant information and maintaining quality throughout the process, culminating in the preparation of financial statements in accordance with U.S. GAAP and SEC Regulation S-X.  Quality information means that it is accessible, correct, current, protected, retained, sufficient, timely, valid and verifiable per the Framework.  Since many control owners and auditors have accounting and auditing backgrounds, some of these areas are often out of their comfort zones.  Indeed, deep information technology skills are needed; someone holding the CISA designation (Certified Information Systems Auditor), for example, must be involved with this principle.  People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.

Similar to all of the COSO principles, there is no single recipe for success with principle 13, as it depends on the industry, size, operating characteristics and associated risks of the company in customizing an effective approach.  However, organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program.  A data governance program will go a long way toward establishing and communicating the necessary pillars for principle 13, including roles and responsibilities.

Concluding Thoughts

Keep in mind that the depth and rigor of your approach, documentation and testing in applying the Framework will vary greatly between companies, as they are dependent on a host of variables.  Simply put, the larger and more complex the business, the more risks in terms of regulators, investors, creditors and other stakeholder groups.  As a result, larger, more complex organizations are expected to devote more resources toward ensuring that all of the 2013 COSO principles are present and functioning, in keeping with the spirit of the Framework.

Finally, remember that professional judgments are a cornerstone in effectively implementing the Framework.  This includes a wide range of decisions, from the selection of controls and remediation efforts through concluding that each component and relevant principle is present and functioning in an integrated manner.  Significant judgments also come into play in concluding upon the severity of deficiencies in design and operating effectiveness.  Public companies are required to escalate all ICFR exceptions deemed to be a significant deficiency or material weakness to their audit committee and external auditor.  Making these judgment calls has tremendous ramifications on management’s ability to conclude on the effectiveness of ICFR.

*****

This is an article reprint from the Governance Issues™ Newsletter, Volume 2014, Number 3, published on November 12, 2014.

Ron Kral is a partner of Kral Ussery LLC, a public accounting firm delivering advisory services, litigation support and internal audits. Ron is a highly rated speaker, trainer and advisor. He is a member of 4 of the 5 COSO sponsoring organizations: the AICPA, FEI, IIA, and IMA. Contact Ron at Rkral@KralUssery.com or www.linkedin.com/in/ronkral.
