The new framework for risk management, internal control and fraud deterrence is changing, but a majority of organizations are not prepared.
A significant number of companies are still in transition when it comes to updating their internal control framework to manage risk, internal controls and fraud.
That’s according to the 2014 Sarbanes-Oxley Compliance Survey by the global consulting firm Protiviti. It found that 48 percent of respondents haven’t started to map the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control–Integrated Framework. The new 2013 framework, released last year, was designed to help organizations implement internal controls in response to changes to business and operating environments since the issuance of the original framework in 1992.
The framework also broadens requirements for the application of internal controls, clarifying what constitutes an effective control. The process may seem daunting and the deadline is looming, but education and a reasonable transition plan are the answer.
“Interestingly, many companies – at least one in five, or more when considering ‘unsure’ responses – appear to be moving rather slowly to adopt the new COSO framework, even though it is recommended for fiscal year-end dates beginning on or after December 15, 2014,” Protiviti’s study reads.
While it’s not mandatory to adopt the COSO framework, the U.S. Securities and Exchange Commission (SEC) requires a “suitable framework” for public companies to comply with internal control of financial reporting. Companies are then required to assess and report annually on the design and operating effectiveness of their internal controls. The COSO framework has been used by virtually every public company to achieve compliance.
So What’s New?
The framework hasn’t been updated since 1992, so the 2013 framework offers organizations a significant opportunity to make improvements. There are now 17 principles to leverage within the new framework, including models for data monitoring and reporting, IT controls and integrating the entire enterprise so departments and risk management efforts are not siloed.
In the past, most of the resources and attention of management and auditors have been focused on financial controls, such as approvals and reconciliation processes. While these remain very important, the industry has recognized there has been some overkill here, while other areas (entity-level controls and IT controls) have at times been neglected. As a result, the 2013 COSO Framework steers organizations toward a more balanced allocation of resources and controls across finance, entity-level controls and IT.
The new emphasis on balanced coverage is the reason for the five mandatory components and 17 supporting principles. There are also 87 suggested points of focus for companies to consider and customize in support of the five components and 17 principles. That’s compared to just five mandatory components in the 1992 framework.
The impact of increasing the number of mandatory topics to 17 will vary by organization depending on size, industry and complexity. For those organizations that voluntarily adopted the 20 suggested principles from the COSO guidance released in 2006, the changes will be much easier. But regardless of whether a company followed the 2006 guidance, each enterprise must now show evidence that the 17 mandatory principles are functioning as intended, in an integrated manner, in support of the five components carried over from the 1992 framework.
Choose not to follow the new framework, and you risk a comment letter from the SEC. On top of that, you forgo the chance to improve the efficiency and effectiveness of your internal controls, putting your business at greater risk.
What’s Not Changing?
While there are plenty of changes being addressed with the implementation of the COSO 2013 Internal Control Framework, a few things haven’t changed. First, the core definition of what internal control is remains the same. Second, the three categories of objectives – operations, reporting and compliance – remain relatively unchanged, although the reporting category was expanded to internal and non-financial reporting objectives.
Third, the five components of internal control remain the same and are still required for effective control, just as they were in the 1992 framework. Those components are: control environment, risk assessment, control activities, information and communication, and monitoring activities.
And finally, the important role of judgment in designing, implementing and conducting internal control evaluations cannot be over-emphasized. This human element in assessing effectiveness is exceptionally critical to any framework and is especially true for the 2013 COSO Framework.
The Clock is Ticking
The updated COSO 2013 Internal Control–Integrated Framework is not a magic potion, but many stakeholders fail to realize that their external auditors will take a closer look at entity-level controls through the 17 principles. This year, more than ever, there will be an emphasis on information technology and entity-level controls, rather than mostly on financial controls.
That means it’s time for a checkup. Are there any gaps in your transition plan and controls analysis? Do all the right people in the organization know about the December 15 deadline? And is your organization on track to complete the transition? The clock is ticking.