This article shares some of the specific concerns regarding these three COSO 2013 principles and offers important insights for ensuring that they are present and functioning in accordance with the Framework.
With many publicly traded companies deep into their implementation efforts regarding COSO’s Internal Control – Integrated Framework 2013 (Framework), now is an ideal time to discuss three of the more challenging principles. While implementing any of the 17 principles can be daunting (refer to the Framework’s Executive Summary for a listing of all 17), some are proving to be more challenging than others. Larger public companies are also enduring heightened scrutiny from their auditors as they undergo an external audit on internal control over financial reporting (ICFR). The insights in this article were gained by interacting with hundreds of control owners and decision makers on the new Framework while teaching seminars and working with clients across the United States this year. Although there is generally no shortage of opinions on the Framework, principles 2, 4 and 13 often rose to the top in terms of questions and challenges.
COSO Principle 2
The Board of Directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
This is a big one, perhaps second in importance only to principle 1, which requires a company to demonstrate a commitment to integrity and ethical values. Without independent Board oversight of executive management, who holds the CEO and CFO accountable? Just look at any of the major frauds hitting the U.S. since 2000 (e.g., Enron, WorldCom, HealthSouth, Tyco, Adelphia Communications); the one common theme was a lack of independent Board oversight over the CEO and CFO. Sure, one can point to the stellar governance practices on paper that many of these companies had prior to the fraud detection, but was adequate independent Board oversight actually occurring?
This introduces a key challenge. Documenting that this principle is present through Board bylaws, the election of independent directors and having a robust audit committee charter is the easy part. Proving that it is functioning is the more challenging Framework requirement. A principle is present when it exists in the design and implementation of ICFR, whereas it is functioning when it continues to exist in the conduct of the ICFR system.
For many auditors and governance advisors, demonstrating the functioning aspect of this principle goes beyond memorializing executive oversight activities in Board and audit committee meeting minutes, although a review of the meeting minutes is a good start. The more critical aspect is securing evidence of sound judgment on behalf of independent directors in fulfilling their fiduciary responsibilities of executive management oversight. Independence is arguably the most important single word for effective Boards and audit committees since it strikes at the heart of objective thinking and decision making. While there are a multitude of definitions for director independence, a purist definition is someone whose directorship constitutes his or her only connection to the organization. The independent director brings no biases to the table from executive management and owes no favors to the CEO or to their team. They have the courage to challenge the CEO and CFO on key ICFR decisions such as materiality, the appropriateness of critical accounting policies, management estimates, risk assessment conclusions and the external auditor’s audit plans. As General George S. Patton once said, “If everyone is thinking alike, someone isn’t thinking.”
Principle 2 hinges on the concept of independent judgment in helping to ensure that the management-led ICFR process is properly designed and operating, rather than prone to a high degree of risks, including executive management circumvention of ICFR for fraudulent purposes. Evidence of healthy debates between directors and management and a sound understanding of accounting and financial reporting risks are indicators that this principle is functioning. In addition, the audit committee should request and confirm data and information utilizing independent sources, such as an internal audit function.
Auditors may now want to discuss principle 2 focus points directly with the independent directors behind closed doors. They will also be looking for evidence from the audit committee (or the full Board in the absence of an audit committee) of open discussions on ICFR risks, objective decision making and scrutiny of management’s ICFR activities and they will perhaps even question the collective expertise of the independent directors serving on the audit committee. Independent directors with relevant expertise who have the courage of being impartial, skeptical and unbiased in performing their fiduciary duties are the essence of principle 2. There are several practical approaches and examples for all 17 principles in COSO’s Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, published in conjunction with the Framework but technically not part of the Framework.
COSO Principle 4
The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
On the surface, this appears to be one of the easier Framework principles, yet it is proving to be one of the more challenging ones. Why? Because despite the growing use of automated controls, manual controls involving personnel continue to be heavily relied upon and remain a high risk for a variety of reasons. In fact, take a look at the material weaknesses disclosed by public companies over the last 10 years and there is a very good chance that the root cause relates to personnel. Personnel weaknesses include: a shortage of skilled people, disgruntled employees, inadequate skills, poor training, overwhelming workloads, excessive staff turnover, absence of mentoring, weak segregation of duties and poor supervision. Several of these weaknesses cut to the heart of this principle, in that control owners who are in over their heads pose a serious control risk in meeting objectives. It is oftentimes not the control owner’s fault, but rather a poor alignment of skills on management’s part, coupled with inadequate training and a lack of supervision. These causes are often triggered in the name of cost savings. Other times, the condition may simply be left to happen due to a lethargic culture or ignorance of the associated risks.
Attracting, developing and retaining competent control owners follows the employee life cycle from the beginning stages of the hiring process through employee retirement or separation. Companies are increasingly pressed by their auditors to demonstrate how they evaluate competency and address shortcomings. In addition, continuing professional education programs are regaining management’s support, not as electives, but rather as requirements to help ensure competency levels in all management and staff positions. Auditors are also taking a deeper look at the backgrounds and credentials of ICFR control owners, including requesting the resumes of new hires for review.
Some companies are utilizing their audit committees to review and approve the competency requirements of individuals considered for key ICFR roles. While the CFO should obviously also be involved with the decision, bringing in other sets of independent eyes can help ensure the adequacy of knowledge, expertise, skills, and credentials needed to succeed. Audit committees should consider utilizing independent resources, such as internal audit, on this front.
Another challenge is adequately addressing the risks associated with outsourced service providers when they are brought in to support the company’s accounting and external financial reporting objectives. Common uses of third parties include information technology, payroll processing, tax provision assistance and valuation expertise. The decision to outsource to a third party does not relieve management of their financial reporting objectives, risk assessments and control activities associated with the outsourced areas. Rather, the concepts of principle 4 and many of the other COSO Framework principles need to be extended to key outsourced service providers. Contractual agreements need to specify competency requirements and allow the company to conduct assessment procedures or be provided with other assurances.
COSO Principle 13
The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
This one is gaining momentum as more Boards, executives and control owners understand the importance of data and information flows to accounting judgments and financial reporting disclosures. Clearly, it is not simply the structured data contained in the general ledger, but also data outside of the ERP system pertaining to customer sales terms, accounting estimates, loss contingencies, impairments and valuation allowances. Data and information flows are also increasingly important to all of the accounting cycles. U.S. GAAP’s evolution to principle-based accounting, such as in the new revenue recognition accounting, is requiring more judgment and reliance on unstructured data. Many times, the necessary information sources are well beyond the controllership function, extending to operations, sales, treasury, legal and even external sources.
This is a daunting principle for companies and auditors alike, as it involves capturing and processing relevant information and maintaining quality throughout the process, culminating in the preparation of financial statements in accordance with U.S. GAAP and SEC Regulation S-X. Per the Framework, quality information is accessible, correct, current, protected, retained, sufficient, timely, valid and verifiable. Since many control owners and auditors have accounting and auditing backgrounds, some of these areas are often outside their comfort zones. Indeed, people with deep information technology skills, such as someone holding the CISA designation (Certified Information Systems Auditor), must be involved with this principle. People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and on the side of the external auditor.
Similar to all of the COSO principles, there is no single recipe for success with principle 13, as it depends on the industry, size, operating characteristics and associated risks of the company in customizing an effective approach. However, organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program. A data governance program will go a long way toward establishing and communicating the necessary pillars for principle 13, including roles and responsibilities.
Keep in mind that the depth and rigor of your approach, documentation and testing in applying the Framework will vary greatly between companies, as they depend on a host of variables. Simply put, the larger and more complex the business, the greater the risks in terms of regulators, investors, creditors and other stakeholder groups. As a result, larger, more complex organizations are expected to devote more resources toward ensuring that all of the 2013 COSO principles are present and functioning in order to meet the spirit of the Framework.
Finally, remember that professional judgments are a cornerstone in effectively implementing the Framework. This includes a wide range of decisions, from the selection of controls and remediation efforts through concluding that each component and relevant principle is present and functioning in an integrated manner. Significant judgments also come into play in concluding upon the severity of deficiencies in design and operating effectiveness. Public companies are required to escalate all ICFR exceptions deemed to be a significant deficiency or material weakness to their audit committee and external auditor. Making these judgment calls has tremendous ramifications on management’s ability to conclude on the effectiveness of ICFR.
This is an article reprint from the Governance Issues™ Newsletter, Volume 2014, Number 3, published on November 12, 2014.