Since many publicly traded companies have now implemented COSO’s Internal Control – Integrated Framework 2013 (Framework), it’s a good time to answer some questions to help ensure that implementation efforts are on the right track.
While the Framework can and should be considered for a wide range of operating, reporting, and compliance objectives, the following 10 questions are of primary interest to SEC registrants undergoing a COSO 2013 implementation for purposes of utilizing a suitable and recognized control framework for management’s annual report on internal control over financial reporting (ICFR) as required by Item 308 of SEC Regulation S-K.
- Do we know when the company should be transitioning from COSO’s 1992 framework to its 2013 framework?
COSO considers the 1992 framework to be superseded after December 15, 2014. While the SEC may continue to accept the use of the 1992 framework beyond COSO’s superseded date, continuing to use it could also raise a red flag with the SEC reviewer responsible for reviewing the Form 10-K. Refer to my previous article “No More Time to Procrastinate in Implementing COSO’s 2013 Framework” for further details.
- Are we properly educated on the Framework?
This is a critical step, not just for the implementation team members, but also for the audit committee, management, internal auditors and control owners. While it is good to see a lot of webinars and training avenues available these days, it is important to get the right messages to the right groups of internal stakeholders. A streamlined training effort for audit committees and executive management may suffice, but more detailed training sessions for implementation team members, internal auditors and control owners are essential for them to gain a solid working knowledge of the Framework. Training should cover differences between the 1992 and 2013 frameworks, a deep dive into the 17 principles, transition plan considerations, roles, objectives, risks, new terminology, practical examples through the points of focus and how to achieve buy-in from the external auditors.
- Do we have a realistic implementation plan?
An implementation plan should include the elements of education, planning and assessment to determine control gaps, remediation of deficiencies, conclusions, documentation and the communication of results to executive management, the audit committee and the external auditors. The plan should include adequate details to answer the what, when, who, why, how and where of the implementation.
- Does our company have dedicated resources to get this done?
There needs to be a primary internal project leader who is responsible for obtaining and leading resources to execute the implementation plan. The resources can be internal, external or a blend thereof, but there must be an internal champion. The internal project leader must have sufficient authority and resources to ensure delivery of the implementation plan in a timely and effective manner.
- Have we concluded on our relevant principles?
The Framework defines 17 principles in support of the five components (control environment, risk assessment, control activities, information and communication, and monitoring activities). All “relevant” principles must be present and functioning in order for a company to conclude that the associated component is present and functioning in support of concluding that ICFR is effective. The Framework views the 17 principles to be suitable for all entities except in rare industry, operating or regulatory situations in which management has determined that a principle is not relevant to them. Otherwise, all 17 principles are presumed relevant. If management feels that one or more of the 17 principles are not relevant, they will need to have compelling reasons to satisfy their audit committee and external auditors. Unless you operate in an unusual situation, this question is easy to answer affirmatively: all 17 principles are relevant.
- Do we have adequate points of focus for our organization?
Tailor your points of focus within each relevant principle to highlight company characteristics in support of the principle. Remember: the Framework provides a structured starting point that needs to be customized to suit different operating environments. Adhering to the spirit of this removes the implementation team from a strict “checklist” mentality of attempting to respond to all of the 17 principles strictly through the suggested points of focus. The points of focus are provided as guidance rather than a strict road map. As such, a company does not need to address all points of focus, nor should they feel handcuffed to them. Instead, management needs to understand the spirit of the underlying principle and leverage ideas from the Framework’s points of focus while also adding their own points of focus as they see fit.
- Have we identified all significant gaps to ensure that the relevant principles are present?
A relatively early step of implementation is mapping your existing controls to the 17 principles to see where control gaps may exist. You should first conclude upon the design of your controls before working on the operating effectiveness of those controls. In other words, first ensure that adequate controls are “present” in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning in order for a company to safely conclude that its ICFR is effective. Aligning the design of controls to the 17 principles in order to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.
- Is our documentation adequately aligned with the 17 principles to foster a smooth external audit process?
Verify the adequacy of your documentation and alignment of controls to the 17 principles with the external auditors at key junctions and decision points. Also, consider involving your internal audit function in answering this question. Not only do you want assurance that your documentation of control design is adequately aligned, but also that the controls are operating effectively. Assuming your internal audit function is independent of the control owners and competent, your external auditor should be able to leverage the work of the internal auditors for purposes of their opinion on ICFR.
- Can we conclude that our controls are properly designed, operating effectively and that the five components are operating together?
This is the essence of any sound internal control evaluation. It’s not merely a matter of satisfying documentation and compliance requirements, but rather a matter of protecting the interests of shareholders. If your controls are weak in their design or effectiveness, you are risking the achievement of objectives, including external financial reporting objectives needed to satisfy U.S. GAAP and SEC rules and regulations. Management must conclude upon the adequacy of design and operating effectiveness of every key control in support of the 17 Framework principles and U.S. GAAP assertions. In addition, the Framework requires that all five components operate together in an integrated manner. This means that all five components collectively reduce, to an acceptable level, the risk of not achieving the applicable objectives. There needs to be a clear audit trail identifying how these conclusions were reached, including who made them and reviewed them.
- Are we satisfied with the professional judgments we made involving the Framework?
This includes a wide range of decisions from the selection of controls and remediation efforts through concluding that each component and relevant principle is present and functioning in an integrated manner. Significant judgments also come into play in concluding upon the severity of design and operating effectiveness deficiencies. Remember that if ICFR exceptions are deemed a significant deficiency or material weakness, the CEO and CFO, or persons performing similar functions, must report them to their audit committee and external auditor in accordance with periodic certification requirements per Item 601(31) of SEC Regulation S-K. The Framework introduces the term “major deficiency,” defined as “when management determines that a component and one or more relevant principles are not present or functioning or that components are not operating together.” The organization cannot conclude that it has met the requirements for an effective system of internal control when a major deficiency exists. The Framework also states, “If a relevant principle is not present and functioning, the associated component cannot be present and functioning.” These judgment calls have tremendous ramifications for management’s ability to conclude on the effectiveness of ICFR. They must be correct to withstand auditor and regulator scrutiny.
Finally, companies will need to decide upon the scope of objectives to which the Framework will be applied. While most public companies are utilizing the Framework for external financial reporting objectives in conjunction with their annual Management’s Report on Internal Control Over Financial Reporting as filed in their Form 10-K, there is also a wide range of operating, compliance and additional reporting objectives to consider for implementation. The organization should have clearly defined roles, documentation standards and reviewers to help ensure that all significant judgments are reasonable and adequately supported.
Certainly, there are additional questions and factors to consider throughout the COSO implementation journey, but these 10 questions and discussion points should spark some reminders to help pave your implementation path to successful results. Remember that it all begins with education.
This is an article reprint from the Governance Issues™ Newsletter, Volume 2014, Number 2, published on June 5, 2014