
COSO 2013 Implementation: 10 Questions that Need to be Answered

Insights for SEC Registrants Transitioning to the Framework

by Ron Kral
July 29, 2014
in Internal Audit, Risk

Since many publicly traded companies have now implemented COSO’s Internal Control – Integrated Framework 2013 (Framework), it’s a good time to answer some questions to help ensure that implementation efforts are on the right track.

While the Framework can and should be considered for a wide range of operating, reporting, and compliance objectives, the following 10 questions are of primary interest to SEC registrants undergoing a COSO 2013 implementation for purposes of utilizing a suitable and recognized control framework for management’s annual report on internal control over financial reporting (ICFR) as required by Item 308 of SEC Regulation S-K.

  1. Do we know when the company should be transitioning from COSO’s 1992 framework to its 2013 framework?
    COSO considers the 1992 framework to be superseded after December 15, 2014. While the SEC may continue to accept the use of the 1992 framework beyond COSO’s superseded date, its continued use could also raise a red flag for the SEC reviewer responsible for reviewing the Form 10-K. Refer to my previous article “No More Time to Procrastinate in Implementing COSO’s 2013 Framework” for further details.
  2. Are we properly educated on the Framework?
    This is a critical step, not just for the implementation team members, but also for the audit committee, management, internal auditors and control owners. While it is good to see a lot of webinars and training avenues available these days, it is important to get the right messages to the right groups of internal stakeholders. A streamlined training effort for audit committees and executive management may suffice, but more detailed training sessions for implementation team members, internal auditors and control owners are essential for them to gain a solid working knowledge of the Framework. Training should cover differences between the 1992 and 2013 frameworks, a deep dive into the 17 principles, transition plan considerations, roles, objectives, risks, new terminology, practical examples through the points of focus and how to achieve buy-in from the external auditors.
  3. Do we have a realistic implementation plan?
    An implementation plan should include the elements of education, planning and assessment to determine control gaps, remediation of deficiencies, conclusions, documentation and the communication of results to executive management, the audit committee and the external auditors. The plan should include adequate details to answer the what, when, who, why, how and where of implementation.
  4. Does our company have dedicated resources to get this done?
    There needs to be a primary internal project leader who is responsible for obtaining and leading resources to execute the implementation plan. The resources can be internal, external or a blend thereof, but there must be an internal champion. The internal project leader must have sufficient authority and resources to ensure delivery of the implementation plan in a timely and effective manner.
  5. Have we concluded on our relevant principles?
    The Framework defines 17 principles in support of the five components (control environment, risk assessment, control activities, information and communication and monitoring activities). All “relevant” principles must be present and functioning in order for a company to conclude that the associated component is present and functioning in support of concluding that ICFR is effective. The Framework views the 17 principles to be suitable for all entities except in rare industry, operating or regulatory situations in which management has determined that a principle is not relevant to them. Otherwise, all 17 principles are presumed relevant. If management feels that one or more of the 17 principles are not relevant, they will need to have compelling reasons to satisfy their audit committee and external auditors. Unless you operate in an unusual situation, this is an easy question to answer: all 17 principles are relevant.
  6. Do we have adequate points of focus for our organization?
    Tailor your points of focus within each relevant principle to highlight company characteristics in support of the principle. Remember: the Framework provides a structured starting point that needs to be customized to suit different operating environments. Adhering to the spirit of this removes the implementation team from a strict “checklist” mentality of attempting to respond to all of the 17 principles strictly through the suggested points of focus. The points of focus are provided as guidance rather than a strict road map. As such, a company does not need to address all points of focus, nor should it feel handcuffed to them. Instead, management needs to understand the spirit of the underlying principle and leverage ideas from the Framework’s points of focus while also adding their own points of focus as they see fit.
  7. Have we identified all significant gaps to ensure that the relevant principles are present?
    A relatively early step of implementation is mapping your existing controls to the 17 principles to see where control gaps may exist. You should first conclude upon the design of your controls before working on the operating effectiveness of those controls. In other words, first ensure that adequate controls are “present” in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning in order for a company to safely conclude that their ICFR is effective. Aligning the design of controls to the 17 principles in order to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.
  8. Is our documentation adequately aligned with the 17 principles to foster a smooth external audit process?
    Verify the adequacy of your documentation and alignment of controls to the 17 principles with the external auditors at key junctures and decision points. Also, consider involving your internal audit function in answering this question. Not only do you want assurance that your documentation of control design is adequately aligned, but also that the controls are operating effectively. Assuming your internal audit function is independent of the control owners and competent, your external auditor should be able to leverage the work of the internal auditors for purposes of their opinion on ICFR.
  9. Can we conclude that our controls are properly designed, operating effectively and that the five components are operating together?
    This is the essence of any sound internal control evaluation. It’s not merely a matter of satisfying documentation and compliance requirements, but rather a matter of protecting the interests of shareholders. If your controls are weak in their design or effectiveness, you are risking the achievement of objectives, including external financial reporting objectives needed to satisfy U.S. GAAP and SEC rules and regulations. Every key control in support of the 17 Framework principles and U.S. GAAP assertions must be concluded upon by management in terms of their adequacy of design and operating effectiveness. In addition, the Framework requires that all five components operate together in an integrated manner. This means that all five components collectively reduce, to an acceptable level, the risk of not achieving the applicable objectives. There needs to be a clear audit trail identifying how these conclusions were reached, including who made them and reviewed them.
  10. Are we satisfied with the professional judgments we made involving the Framework?
    This includes a wide range of decisions from the selection of controls and remediation efforts through concluding that each component and relevant principle is present and functioning in an integrated manner. Significant judgments also come into play in concluding upon the severity of design and operating effectiveness deficiencies. Remember that if ICFR exceptions are deemed a significant deficiency or material weakness, the CEO and CFO, or persons performing similar functions, must report them to their audit committee and external auditor in accordance with periodic certification requirements per Item 601(31) of SEC Regulation S-K. The Framework introduces the term “major deficiency” defined as “when management determines that a component and one or more relevant principles are not present or functioning or that components are not operating together.” The organization cannot conclude that it has met the requirements for an effective system of internal control when a major deficiency exists. The Framework also states “If a relevant principle is not present and functioning, the associated component cannot be present and functioning.” Making these judgment calls has tremendous ramifications on management’s ability to conclude on the effectiveness of ICFR. They must be correct to withstand auditor and regulator scrutiny.

Finally, companies will need to decide upon the scope of objectives to which the Framework will be applied. While most public companies are utilizing the Framework for external financial reporting objectives in conjunction with their annual Management’s Report on Internal Control Over Financial Reporting as filed in their Form 10-K, there is also a wide range of operating, compliance and additional reporting objectives to consider for implementation. The organization should have clearly defined roles, documentation standards and reviewers to help ensure that all significant judgments are reasonable and adequately supported.

Certainly, there are additional questions and factors to consider throughout the COSO implementation journey, but these 10 questions and discussion points should spark some reminders to help pave your implementation path to successful results. Remember that it all begins with education.

*****

This is an article reprint from the Governance Issues™ Newsletter, Volume 2014, Number 2, published on June 5, 2014


Ron Kral

Ron Kral is a partner of Kral Ussery LLC, a public accounting firm delivering advisory services, litigation support and internal audits. Ron is a highly rated speaker, trainer and advisor. He is a member of 4 of the 5 COSO sponsoring organizations: the AICPA, FEI, IIA and IMA. Contact Ron at Rkral@KralUssery.com or www.linkedin.com/in/ronkral.
