Corporate Compliance Insights
COSO 2013 Implementation: 10 Questions that Need to be Answered

Insights for SEC Registrants Transitioning to the Framework

by Ron Kral
July 29, 2014
in Internal Audit, Risk

Since many publicly traded companies are now implementing COSO’s Internal Control – Integrated Framework 2013 (Framework), it is a good time to answer some questions that help ensure implementation efforts are on the right track.

While the Framework can and should be considered for a wide range of operating, reporting and compliance objectives, the following 10 questions are of primary interest to SEC registrants implementing COSO 2013 in order to have a suitable, recognized control framework for management’s annual report on internal control over financial reporting (ICFR), as required by Item 308 of SEC Regulation S-K.

  1. Do we know when the company should transition from COSO’s 1992 framework to its 2013 framework?
    COSO considers the 1992 framework superseded after December 15, 2014. While the SEC may continue to accept use of the 1992 framework beyond COSO’s supersession date, doing so could raise a red flag for the SEC staff reviewer of the Form 10-K. Refer to my previous article “No More Time to Procrastinate in Implementing COSO’s 2013 Framework” for further details.
  2. Are we properly educated on the Framework?
    This is a critical step, not just for the implementation team members but also for the audit committee, management, internal auditors and control owners. While it is good to see many webinars and training avenues available these days, it is important to get the right messages to the right groups of internal stakeholders. A streamlined training effort may suffice for audit committees and executive management, but more detailed training sessions for implementation team members, internal auditors and control owners are essential if they are to gain a solid working knowledge of the Framework. Training should cover the differences between the 1992 and 2013 frameworks, a deep dive into the 17 principles, transition plan considerations, roles, objectives, risks, new terminology, practical examples drawn from the points of focus and how to achieve buy-in from the external auditors.
  3. Do we have a realistic implementation plan?
    An implementation plan should include education, planning and assessment to determine control gaps, remediation of deficiencies, conclusions, documentation and communication of results to executive management, the audit committee and the external auditors. The plan should contain enough detail to answer the what, when, who, why, how and where of the implementation.
  4. Does our company have dedicated resources to get this done?
    There needs to be a primary internal project leader responsible for obtaining and leading the resources that execute the implementation plan. Those resources can be internal, external or a blend of the two, but there must be an internal champion. The internal project leader must have sufficient authority and resources to deliver the implementation plan in a timely and effective manner.
  5. Have we concluded on our relevant principles?
    The Framework defines 17 principles in support of the five components (control environment, risk assessment, control activities, information and communication, and monitoring activities). All relevant principles must be present and functioning for a company to conclude that the associated component is present and functioning, which in turn supports a conclusion that ICFR is effective. The Framework views the 17 principles as suitable for all entities except in rare industry, operating or regulatory situations in which management has determined that a principle is not relevant to it; otherwise, all 17 principles are presumed relevant. If management believes one or more of the 17 principles are not relevant, it will need compelling reasons to satisfy its audit committee and external auditors. Unless you operate in an unusual situation, the easy answer is that all 17 principles are relevant.
  6. Do we have adequate points of focus for our organization?
    Tailor the points of focus within each relevant principle to highlight the company characteristics that support the principle. Remember that the Framework provides a structured starting point that must be customized to suit different operating environments. Adhering to the spirit of this keeps the implementation team out of a strict “checklist” mentality of responding to all 17 principles solely through the suggested points of focus. The points of focus are guidance rather than a strict road map: a company does not need to address every point of focus, nor should it feel handcuffed to them. Instead, management needs to understand the spirit of the underlying principle, leverage ideas from the Framework’s points of focus and add its own points of focus as it sees fit.
  7. Have we identified all significant gaps to ensure that the relevant principles are present?
    A relatively early step of implementation is mapping your existing controls to the 17 principles to see where control gaps may exist. Conclude on the design of your controls before working on their operating effectiveness. In other words, first ensure that adequate controls are “present” in support of all relevant principles and components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning for a company to safely conclude that its ICFR is effective. Aligning the design of controls to the 17 principles early in the implementation, so that gaps surface early, helps ensure adequate time to remediate and to test for operating effectiveness.
  8. Is our documentation adequately aligned with the 17 principles to foster a smooth external audit process?
    Verify the adequacy of your documentation and the alignment of controls to the 17 principles with the external auditors at key junctures and decision points. Also consider involving your internal audit function in answering this question. You want assurance not only that your documentation of control design is adequately aligned, but also that the controls are operating effectively. Assuming your internal audit function is independent of the control owners and competent, your external auditor should be able to leverage the work of the internal auditors for purposes of its opinion on ICFR.
  9. Can we conclude that our controls are properly designed, operating effectively and that the five components are operating together?
    This is the essence of any sound internal control evaluation. It is not merely a matter of satisfying documentation and compliance requirements, but of protecting the interests of shareholders. If your controls are weak in design or in operation, you are putting the achievement of objectives at risk, including the external financial reporting objectives needed to satisfy U.S. GAAP and SEC rules and regulations. Management must conclude on the design adequacy and operating effectiveness of every key control supporting the 17 Framework principles and the U.S. GAAP assertions. In addition, the Framework requires that all five components operate together in an integrated manner, meaning that the five components collectively reduce, to an acceptable level, the risk of not achieving the applicable objectives. There needs to be a clear audit trail showing how these conclusions were reached, including who made them and who reviewed them.
  10. Are we satisfied with the professional judgments we made involving the Framework?
    These range from the selection of controls and remediation efforts through concluding that each component and relevant principle is present and functioning in an integrated manner. Significant judgments also come into play in concluding on the severity of design and operating effectiveness deficiencies. Remember that if ICFR exceptions rise to the level of a significant deficiency or material weakness, the CEO and CFO, or persons performing similar functions, must disclose them to the audit committee and external auditor under the periodic certification requirements of Item 601(b)(31) of SEC Regulation S-K. The Framework introduces the term “major deficiency,” which exists “when management determines that a component and one or more relevant principles are not present or functioning or that components are not operating together.” An organization cannot conclude that it has met the requirements for an effective system of internal control when a major deficiency exists. The Framework also states, “If a relevant principle is not present and functioning, the associated component cannot be present and functioning.” These judgment calls have tremendous ramifications for management’s ability to conclude on the effectiveness of ICFR, and they must be correct to withstand auditor and regulator scrutiny.

Finally, companies need to decide on the scope of objectives to which they apply the Framework. While most public companies use the Framework for external financial reporting objectives in conjunction with the annual Management’s Report on Internal Control Over Financial Reporting filed in their Form 10-K, there is also a wide range of operating, compliance and additional reporting objectives to consider. The organization should have clearly defined roles, documentation standards and reviewers to help ensure that all significant judgments are reasonable and adequately supported.

Certainly, there are additional questions and factors to consider throughout the COSO implementation journey, but these 10 questions and discussion points should serve as reminders that help pave your path to a successful implementation. Remember that it all begins with education.

*****

This is an article reprint from the Governance Issues™ Newsletter, Volume 2014, Number 2, published on June 5, 2014


Tags: COSO, internal controls
Ron Kral

Ron Kral (CPA, CMA, CGMA) is a partner of Kral Ussery LLC, a public accounting firm delivering advisory services, litigation support and internal audits. He serves public and private companies to protect and grow shareholder value, as well as nonprofits and governments on internal controls to combat errors and fraud. Ron has worked with hundreds of clients as a public accountant offering robust solutions on accounting, auditing, controls, ethics, anti-fraud programs, governance and SEC regulatory matters. Prior to forming a predecessor firm to KU in 2003, he was a general manager for a large technology company traded on the NYSE. Ron was also a principal consultant with PwC leading operational audits and internal control projects. He began his public accounting career with a California CPA firm as a financial auditor and was responsible for signing audit opinions upon becoming managing director of the firm’s Orange County office. Ron launched his career as a performance auditor with the California State Auditor. Ron is a highly rated speaker and facilitator, including for COSO’s Internal Control Certification Program for the AICPA. He also served on FEI’s working group for the development of COSO’s 2013 control framework and is a member of four of the five COSO-sponsoring organizations: the AICPA, FEI, IIA and IMA. Ron holds an MBA from Arizona State University and a BBA from the University of Wisconsin-Madison. He can be reached at www.linkedin.com/in/ronkral.    

© 2019 Corporate Compliance Insights